The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
In the SSO feature. For example Log in with google or Log in with facebook.
- OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
- Change Referral header to attacker.com while requesting OAuth.
- Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
- OAuth Token Re-use.
- Missing or broken state parameter.
- Lack of origin check.
- Open Redirection on another endpoint > Use it in redirect_uri
- If there is an email parameter after signin then try to change the email parameter to victim's one.
- Try to remove email from the scope and add victim's email manually.
- Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com
- Check if its leaking client_secret parameter.
- Go to the browser history and check if the token is there.