Showing posts from June, 2015

On (OAuth) token hijacks for fun and profit part #1 (Google/Microsoft integration)

Here we go again.... I have already blogged about (OAuth) token hijacks [1] [2], but hey, things happen and re-happen :) In the past I had mainly focused my attention on Authorization Server weaknesses, such as the Facebook vulnerable regex pattern matching for redirect_uri cited there. It turns out that OAuth clients can also screw things up and leak tokens (or authorization codes).

So here is the tl;dr: if you are building an OAuth client, thou shalt register a redirect_uri that is as specific as you can make it, i.e. if your OAuth client callback is https://yourouauthclient.com/oauth/oauthprovider/callback then DO register https://yourouauthclient.com/oauth/oauthprovider/callback, NOT JUST https://yourouauthclient.com/ or https://yourouauthclient.com/oauth.

The main reason behind this is that sometimes Authorization Servers (AS) use exotic and unexpected redirect_uri validation policies. As mentioned in some previous post, the ONLY safe validation method the Authorization
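To make the tl;dr concrete, here is an added example (my own illustration, not code from the post or from any real Authorization Server). It compares two redirect_uri validation policies, exact match and a lax prefix match, against the two registrations the post contrasts. The client host is the post's own placeholder; the /redirect path, the attacker.example host and the "prefix" policy itself are assumptions made up for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed for this example: the client host is the post's placeholder,
# the /redirect path and attacker.example are hypothetical.
CALLBACK = "https://yourouauthclient.com/oauth/oauthprovider/callback"
REGISTERED_BROAD = "https://yourouauthclient.com/"   # what the post says NOT to register
REGISTERED_SPECIFIC = CALLBACK                        # what the post says TO register

# Hypothetical redirect_uri values an attacker could place in an authorization request.
SAME_HOST_OTHER_PATH = "https://yourouauthclient.com/redirect?to=https://attacker.example/"
LOOKALIKE_HOST = "https://yourouauthclient.com.attacker.example/oauth/oauthprovider/callback"


def _canonical(uri: str) -> tuple:
    """Split a URI into the parts that matter for redirect_uri comparison.
    Scheme and host are case-insensitive; path and query are compared as-is."""
    p = urlsplit(uri)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query)


def exact_match(registered: str, requested: str) -> bool:
    """Policy 1: the requested redirect_uri must equal the registered one,
    component by component."""
    return _canonical(registered) == _canonical(requested)


def prefix_match(registered: str, requested: str) -> bool:
    """Policy 2 (a lax, hypothetical AS policy): accept any redirect_uri that
    merely starts with the registered string."""
    return requested.startswith(registered)


POLICIES = {"exact": exact_match, "prefix": prefix_match}


def evaluate(registered: str, requested: str) -> dict:
    """Return {policy_name: accepted?} for one registration/request pair."""
    return {name: fn(registered, requested) for name, fn in POLICIES.items()}


def leaks_under_prefix_policy(registered: str) -> list:
    """Requested URIs a prefix-matching AS would accept for this registration
    even though they are not the client's real callback."""
    return [u for u in (SAME_HOST_OTHER_PATH, LOOKALIKE_HOST)
            if prefix_match(registered, u) and not exact_match(CALLBACK, u)]


if __name__ == "__main__":
    for registered in (REGISTERED_BROAD, REGISTERED_SPECIFIC):
        print(f"registered: {registered}")
        for requested in (CALLBACK, SAME_HOST_OTHER_PATH, LOOKALIKE_HOST):
            print(f"  {requested}\n    -> {evaluate(registered, requested)}")
        print(f"  accepted-but-not-callback under prefix policy: "
              f"{leaks_under_prefix_policy(registered)}")
```

The point the output makes: with the broad registration, a prefix-matching AS happily sends the code to any path on the client host, including one the client never meant as a callback; with the specific registration the same lax policy has nothing extra to accept. The client does not control which policy the AS uses, so the specific registration is the only knob on its side.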