Many of the most high-profile OAuth vulnerabilities in companies like GitHub and Facebook stemmed from a single failure: loose validation of the `redirect_uri`. By manipulating where the authorization code is sent, attackers can hijack user accounts with a single click.
Some Authorization Servers use 'Partial Match' or 'Wildcard' validation for redirect URIs. For example, they might allow any URI that starts with `https://client.example.com`.
If an attacker finds an 'Open Redirect' on any subdomain of `client.example.com`, they can bypass the whitelist entirely.
In this scenario, the Auth Server sees that the URI starts with the approved domain and allows the request. The user is sent to the legitimate site, but the `/logout` page then redirects them (along with the sensitive `code`) to the attacker's server.
Once the attacker has the authorization code, they only need the `client_id` and `client_secret` (if it's a public client, they may not even need the secret) to exchange that code for a full access token.
# Attacker exchanging the stolen code for a token
curl -X POST https://auth.com/token \
-d "grant_type=authorization_code" \
-d "code=STOLEN_CODE_HERE" \
-d "client_id=CLIENT_ID"| Validation Type | Example | Risk | Verdict |
|---|---|---|---|
| None | Any URI | Critical | Broken |
| Wildcard | *.example.com | High | Vulnerable |
| Prefix Match | https://app.com/* | Medium | Vulnerable |
| Exact Match | https://app.com/callback | Low | Secure |
The industry has moved toward 'Exact Match' whitelisting. The Authorization Server should only allow redirects to URIs that are explicitly registered by the developer, character for character.
Even with exact match, if a developer registers a URI that points to an open redirector, the security is negated.
Verify exercises to earn โ 240 XP and unlock next lab level.