Notes:

OAuth a, authorization framework. allows users to log in to app/sites without sharing their credentials. Key areas to scrutinize include:

• Redirection Flaws: Improperly validated redirection URLs can lead unwary users to malicious sites, potentially leaking authorization tokens.
• Token Hijacking: Access tokens, if not securely handled, can be intercepted or stolen, granting attackers unauthorized access to user data.
• Insecure Storage: Tokens stored without adequate security can be easily accessed by attackers, especially if persistent storage mechanisms are compromised.
• Scope Overreach: By manipulating the scope of access requests, attackers could gain more permissions than intended, escalating their access rights within the application.

• Authentication bypass via OAuth implicit flow
• Forced OAuth profile linking
• OAuth Account Hijacking via Redirect_uri Misconfiguration

In OAuth, the *redirect_uri* parameter is used to send the user back to the client application after authentication. Some authorization servers check if the *redirect_uri* matches the one received in the initial request to prevent attacks. However, there might be ways to bypass this validation.

When testing OAuth, experiment with the *redirect_uri* parameter:

• Add/remove paths, query parameters, or fragments.
• Append extra values to the default *redirect_uri*.
• Try server-side parameter pollution by submitting duplicate *redirect_uri* parameters.
• Test localhost URIs as they might be accidentally permitted.

If you can't submit an external domain as *redirect_uri*, try changing it to point to other pages within the whitelisted domain. Look for vulnerabilities like open redirects to leak the code or token and forward users to an attacker-controlled domain.

For the authorization code flow, you need to find a vulnerability that gives you access to the query parameters, whereas for the implicit grant type, you need to extract the URL fragment.