============================================================

1. Token Stealing ⇒

Main Aim ⇒ In the implicit flow (response_type=token) the 'access_token' is returned in the fragment of the 'redirect_uri'. If the 'redirect_uri' is not validated strictly, the token is delivered to a page we control.

  1. Find the domain used in the registered 'redirect_uri'
  2. Check how loosely it is validated: are 'subdomains' accepted? Extra path segments? A different scheme?
  3. Point the 'redirect_uri' to a page we control (our own host, a takeable subdomain, or an open redirect on the allowed domain)
  4. Read the 'access_token' from the URL fragment on that page
  5. Use the stolen 'access_token' to login

2. Code Stealing ⇒

Main Aim ⇒ Steal the 'authorization_code' of the application and use it to login into the user's account.

response_type=code ⇒ The 'redirect_uri' sent to the token endpoint when exchanging the 'authorization_code' for an 'access_token' MUST match the 'redirect_uri' used in the request that produced the 'authorization_code'. If the server skips this check, a code obtained through a manipulated 'redirect_uri' is still usable.

  1. Find the domain used in the registered 'redirect_uri'
  2. Check whether 'subdomains' (or extra path segments, another scheme) are accepted in the 'redirect_uri'
  3. Check if an 'authorization_code' derived from a manipulated 'redirect_uri' works when fetching the 'access_token'
  4. Point the 'redirect_uri' to a page we control and capture the code from the query string
  5. Use the stolen 'authorization_code' to login (submit it to the legitimate callback from your own browser; the client exchanges it with its own credentials and logs you in as the victim)
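Sections 1 and 2 both come down to how the authorization server compares the requested 'redirect_uri' with the registered one. The following is an added example, not code from the original notes: a loose suffix-match validator next to the exact-match validator the spec requires, run against the probe variants from the checklist. The client, domain and URIs are hypothetical.

```python
from urllib.parse import urlparse

# Hypothetical registered callback for the client under test.
REGISTERED_REDIRECT_URI = "https://app.example.com/oauth/callback"
REGISTERED_DOMAIN = "example.com"


def weak_redirect_check(redirect_uri: str) -> bool:
    """Loose validation seen in the wild: accept any host that ends with the
    registered domain. This is the bug the checklist steps above probe for."""
    host = urlparse(redirect_uri).hostname or ""
    return host.endswith(REGISTERED_DOMAIN)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact string comparison with the pre-registered URI, which is what
    RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP call for."""
    return redirect_uri == REGISTERED_REDIRECT_URI


# Constructed probe set: the variants a tester sends in the authorization
# request to see which ones the server still redirects to.
PROBES = {
    "registered":       "https://app.example.com/oauth/callback",
    "subdomain":        "https://evil.app.example.com/callback",        # attacker-controlled or takeable subdomain
    "suffix_host":      "https://attackerexample.com/callback",          # host merely ends with "example.com"
    "extra_path":       "https://app.example.com/oauth/callback/../redirect?to=https://evil.test",
    "scheme_downgrade": "http://app.example.com/oauth/callback",         # token/code sent over plaintext
    "fragment":         "https://app.example.com/oauth/callback#evil",   # fragments are not allowed in redirect_uri
}


def wrongly_accepted(check) -> list:
    """Names of the non-registered probes that a given check lets through."""
    return sorted(name for name, uri in PROBES.items()
                  if name != "registered" and check(uri))


if __name__ == "__main__":
    for fn in (weak_redirect_check, strict_redirect_check):
        print(f"{fn.__name__}: accepts {wrongly_accepted(fn) or 'nothing extra'}")
```

When testing a live target, each probe is simply a different 'redirect_uri' value in the authorization request; a probe "passes" if the server issues the redirect (with the token in the fragment, or the code in the query string) instead of an invalid_request error.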

3. CSRF (Missing 'state' Param) ⇒

Aim ⇒ Connect the attacker's OAuth account to the victim's application account, then login via the attacker's account into the victim's account (login CSRF).

state ⇒ an anti-CSRF token: unguessable, bound to the user's session, sent in the authorization request, checked on the callback and usable only once.

  1. Check whether the 'state' param in the OAuth authorization link is present and validated (missing, static, or accepted when changed or removed are all failures)
  2. Start the flow with your own account and intercept the redirect back, so you hold a callback URL with a valid 'authorization_code' that has not been consumed
  3. Send this callback URL (carrying your active 'authorization_code') to the victim, who opens it while logged into the application
  4. Your OAuth account gets connected to the victim's application account
  5. Now login via your own account and you land in the victim's account.
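The attack and the fix side by side, as an added example that is not part of the original notes: a client that mints and validates 'state' correctly, a switch that turns the check off to reproduce the vulnerable behaviour, and a simulation of the attacker's callback URL being opened in the victim's session. Endpoint, client_id and redirect URI are hypothetical and the authorization server's redirect is constructed inline rather than fetched.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints/identifiers for the client application under test.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def build_authorization_url(session: dict) -> str:
    """Step 1 on the client: mint an unguessable 'state', remember it in the
    user's server-side session, and put it in the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, validate_state: bool = True) -> Optional[str]:
    """Step 2 on the client: only accept a code if the callback carries the
    'state' minted for THIS session, and burn the state so it cannot be replayed.
    validate_state=False reproduces the vulnerable behaviour from the checklist."""
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    if code is None:
        return None
    if validate_state:
        expected = session.pop("oauth_state", None)      # single use
        if expected is None or state is None or not hmac.compare_digest(expected, state):
            return None
    return code   # the caller exchanges it and links the identity to session["user"]


def simulate_login_csrf(validate_state: bool) -> Optional[str]:
    """The attack from the checklist. The attacker starts the flow in their own
    browser, intercepts the redirect back so their code is not consumed, and
    sends that callback URL to the victim, who opens it while logged in.
    Returns the code the application would link to the victim's account."""
    attacker_session = {"user": "attacker"}
    attacker_url = build_authorization_url(attacker_session)
    attacker_state = parse_qs(urlparse(attacker_url).query)["state"][0]
    # Constructed stand-in for the authorization server's redirect: it issues a
    # code for the attacker's identity and echoes the attacker's state back.
    callback_for_victim = f"{REDIRECT_URI}?code=ATTACKER_CODE_123&state={attacker_state}"
    victim_session = {"user": "victim"}   # the victim never started an OAuth flow
    return handle_callback(victim_session, callback_for_victim, validate_state)


if __name__ == "__main__":
    print("without state check:", simulate_login_csrf(validate_state=False))  # attacker's code accepted
    print("with state check:   ", simulate_login_csrf(validate_state=True))   # None: callback rejected
```

Note that the attacker's 'state' is perfectly valid for the attacker's own session; the check only helps because the value is compared against the state stored in the victim's session, which holds none. A 'state' that is present but static, or that is not tied to the session, fails the same way as a missing one.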

4. Token Impersonation ⇒

Aim ⇒ Take the victim's valid 'access_token' that was issued to some other 3rd-party app, pass it to the target application's login endpoint, and get unauthorized access to the victim's account. The bug is a login endpoint that trusts any token the provider says is valid without checking that the token was issued to this client (the 'aud' / 'azp' value in the token or in the introspection response).

  1. Check if the login endpoint accepts an 'access_token' directly (e.g. a 'token' or 'access_token' parameter)
  2. Derive an 'access_token' for the victim (or a test account) from a different app that uses the same identity provider
  3. Pass it on to the login endpoint and check whether you are logged in as that user.
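Added example, not from the original notes: a login endpoint that accepts any active token beside one that also requires the token's audience to be this client. The introspection responses are constructed inline to stand in for the provider's token-introspection endpoint (RFC 7662 field names); the client id and token strings are hypothetical.

```python
from typing import Optional

OUR_CLIENT_ID = "demo-client"      # hypothetical: the application being attacked

# Constructed stand-in for the provider's token-introspection endpoint. Each
# entry is the JSON the provider would return for that opaque access token.
INTROSPECTION_DB = {
    "tok_issued_to_demo_client": {"active": True, "sub": "victim@example.com",
                                  "aud": "demo-client", "scope": "openid email"},
    "tok_issued_to_other_app":   {"active": True, "sub": "victim@example.com",
                                  "aud": "weather-app", "scope": "openid email"},
    "tok_revoked":               {"active": False},
}


def introspect(access_token: str) -> dict:
    """Stand-in for POST /introspect; unknown tokens are reported inactive."""
    return INTROSPECTION_DB.get(access_token, {"active": False})


def vulnerable_login(access_token: str) -> Optional[str]:
    """Accepts any token the provider says is active and maps 'sub' to a local
    account. A token the victim granted to a different app logs them in here."""
    info = introspect(access_token)
    if not info.get("active"):
        return None
    return info["sub"]


def hardened_login(access_token: str) -> Optional[str]:
    """Additionally requires that the token was issued for THIS client, so a
    token obtained through another app is refused."""
    info = introspect(access_token)
    if not info.get("active"):
        return None
    aud = info.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # 'aud' may be a string or a list
    if OUR_CLIENT_ID not in audiences:
        return None
    return info["sub"]


if __name__ == "__main__":
    for tok in INTROSPECTION_DB:
        print(f"{tok}: vulnerable={vulnerable_login(tok)!r} hardened={hardened_login(tok)!r}")
```

The same audience rule applies when the login endpoint consumes a JWT directly (check 'aud', or 'azp' for OIDC ID tokens) instead of calling introspection; better still, authenticate users with the ID token from your own flow rather than with a bare access token at all.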