Vulnerability Details
Severity: High
Category: Authentication
Description
The application's OAuth implementation contains security flaws such as insecure redirect URI validation, missing state parameter, or improper token handling.
Risks
An attacker could steal authorization codes or access tokens through redirect URI manipulation, perform CSRF attacks on the OAuth flow, or gain unauthorized access to user accounts.
Remediation
Implement strict redirect URI validation using exact matching. Always use and verify the state parameter. Use PKCE for public clients. Validate tokens on the server side. Implement short-lived access tokens with refresh token rotation.
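The three server-side checks above, as an added example that is not part of the original finding: exact-match redirect URI validation, state verification with a constant-time compare, and PKCE (S256) challenge generation and verification. The registered URI set and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example: the redirect URIs registered for one hypothetical client.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}


def redirect_uri_allowed(requested: str, registered: set = REGISTERED_REDIRECT_URIS) -> bool:
    """Exact string match only: no prefix, wildcard, host-only or path-normalised matching."""
    return requested in registered


def new_state() -> str:
    """Unguessable per-request state; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def state_valid(expected: Optional[str], received: Optional[str]) -> bool:
    """Reject a missing state on either side; compare in constant time."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected, received)


def _s256(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Client side: verifier kept secret, challenge sent with the authorization request."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 range RFC 7636 requires
    return verifier, _s256(verifier)


def pkce_verify(code_verifier: str, stored_challenge: str) -> bool:
    """Server side, at the token endpoint: recompute and compare to the stored challenge."""
    if not (43 <= len(code_verifier) <= 128):
        return False
    return hmac.compare_digest(_s256(code_verifier), stored_challenge)
```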