Annual Computer Security Applications Conference (ACSAC) 2023

OAuth 2.0 Redirect URI Validation Falls Short

OAuth 2.0 requires a complex redirection trail between websites and Identity Providers (IdPs). In particular, the ""redirect URI"" pa- rameter included in the popular Authorization Grant Code flow governs the callback endpoint that users are routed to, together with their security tokens. The protocol specification, therefore, includes guidelines on protecting the integrity of the redirect URI. In this work, we analyze the OAuth 2.0 specification in light of modern systems-centric attacks and reveal that the prescribed redirect URI validation guidance exposes IdPs to path confusion and parameter pollution attacks. Based on this observation, we propose novel attack techniques and experiment with 16 popular IdPs, empirically verifying that the OAuth 2.0 security guidance is under-specified. We finally present end-to-end attack scenarios that combine our attack techniques with common web application vulnerabilities, ultimately resulting in a complete compromise of the secure delegated access that OAuth 2.0 promises.

Tommaso Innocenti
Northeastern University

Matteo Golinelli
University of Trento

Kaan Onarlioglu
Akamai Technologies

Ali Mirheidari
Independent Researcher

Bruno Crispo
University of Trento

Engin Kirda
Northeastern University

Paper (ACM DL)