OAuth Security - TairinySimeonato/WebAuditing GitHub Wiki

OAuth Storage

  • The key used to encrypt OAuth tokens before they are written to the database must itself be stored in, or wrapped by, an HSM or an HSM-backed key management service; never keep it next to the ciphertext in application config or in the same database.
  • Managed options are AWS KMS (HSM-backed) or GCP Cloud HSM. AWS Secrets Manager on its own is a secret store whose encryption is backed by KMS keys; it is not an HSM.
  • A physical HSM also works; the YubiHSM 2 is a cost-effective option for smaller deployments.

Protect Redirect-Based Flow

  • Clients must not redirect the user's browser to a location taken from a URL parameter (open redirect); allow-list targets or accept only same-origin relative paths.
  • Clients must prevent CSRF on the redirect endpoint: bind every authorization request to the user's session (state and/or PKCE) and verify that binding when the response comes back.
  • Each authorization response must be accepted only once; a second response carrying an already-used state or code is rejected.
  • The state parameter must be random, unique per request and tied to the session; it is the CSRF token of the flow, not a place to carry application data.
  • The client should request only the scopes it needs, so that it holds the least privilege possible within the user's account.
  • Every endpoint in the flow (authorization, redirect URI, token) must be served over HTTPS, end to end; no TLS termination that hands plaintext across a trust boundary.
  • Do not use an HTTP 307 redirect after the user has posted credentials to the authorization server: 307 preserves the request method and body, so the browser re-sends the POSTed credentials to the client. Use 303 See Other.
  • Session fixation: a web application authenticates a user without first invalidating the existing session, and keeps using the session already associated with the browser. An attacker who can force a known session identifier onto the user then owns the authenticated session; issue a fresh session identifier at login.
  • Watch out for SSRF in any URL-valued OAuth parameter the server fetches (https://hackerone.com/reports/398799)
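The client-side checks in the list above (random single-use state bound to the session, PKCE, issuer check against mix-up, open-redirect guard, session rotation after login) as one worked example. This is an added example for this wiki page, not code from the WebAuditing project; the authorization-server URLs, client_id, host names and callback values are placeholders, and the session is modelled as a plain dict.

```python
"""Hardened client-side handling of the OAuth 2.0 redirect-based
(authorization code) flow.  Added example for this wiki page, not project
code; every URL, client_id and host below is a placeholder."""

import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder authorization server and client configuration (assumptions).
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
EXPECTED_ISSUER = "https://as.example.com"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_request(session: dict, scopes: list) -> str:
    """Create the authorization URL and bind state + PKCE verifier to the session.

    state is random and unique per request (the CSRF token of the flow);
    code_verifier/code_challenge implement PKCE (RFC 7636, S256).  Only the
    scopes the application actually needs are requested (least privilege)."""
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(code_verifier.encode("ascii")).digest()
    ).rstrip(b"=").decode("ascii")
    # Stored per session and popped on use, so a replayed response fails.
    session["oauth_pending"] = {"state": state, "code_verifier": code_verifier}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_authorization_response(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from the AS; return code + verifier for the
    token request.  Raises ValueError on anything suspicious."""
    query = parse_qs(urlsplit(callback_url).query)
    # Consume the pending request: each authorization response is accepted once.
    pending = session.pop("oauth_pending", None)
    if pending is None:
        raise ValueError("no pending authorization request for this session")
    received_state = query.get("state", [""])[0]
    if not hmac.compare_digest(received_state, pending["state"]):
        raise ValueError("state mismatch (possible CSRF or replay)")
    # Mix-up defence: if the AS echoes its issuer (RFC 9207) it must be the
    # one the user was sent to.
    iss = query.get("iss", [None])[0]
    if iss is not None and iss != EXPECTED_ISSUER:
        raise ValueError("authorization response from unexpected issuer")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    return {"code": code, "code_verifier": pending["code_verifier"]}


def safe_post_login_target(requested: Optional[str], default: str = "/") -> str:
    """Open-redirect guard: follow only a same-origin, path-only target.

    Absolute URLs, scheme-relative forms (//evil, /\\evil) and anything with a
    scheme or host fall back to the default page."""
    if not requested:
        return default
    parts = urlsplit(requested)
    if (parts.scheme or parts.netloc or "\\" in requested
            or not requested.startswith("/") or requested.startswith("//")):
        return default
    return requested


def start_authenticated_session(user_id: str) -> dict:
    """Session-fixation defence: never upgrade the pre-login session in place.
    Issue a fresh identifier and carry nothing the attacker could have planted."""
    return {"id": secrets.token_urlsafe(32), "user": user_id}


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session, ["read:profile"]))
    # Constructed callback, as the AS would send it back to REDIRECT_URI.
    cb = f"{REDIRECT_URI}?code=abc123&state={session['oauth_pending']['state']}"
    print(handle_authorization_response(session, cb))
    print(safe_post_login_target("//evil.example/x"))  # falls back to "/"
```

The state check uses a constant-time comparison and pops the pending record before validating, so a replayed or forged response cannot be retried against the same session; a real deployment would persist the pending record server-side with a short expiry and send the returned code plus code_verifier to the token endpoint over TLS.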

Reports

References

  • Topics: OAuth token storage security, CSRF, redirection, mix-up attacks, interception attacks