BIPI

OAuth Flaws in Bug Bounty: redirect_uri, state, scope, PKCE Misuse

Cybersecurity

OAuth flows are everywhere and almost every implementation has at least one rough edge. This guide covers the redirect_uri validators, missing state, scope upgrade, and PKCE misuse patterns that lead to account takeover across real bounty programs.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 14, 2023 · 10 min read

#oauth #bug-bounty #authentication #pkce #sso

Why OAuth Bugs Pay

OAuth is a multi-party protocol with a long parameter list and many client implementations. Small flaws compound into account takeover (ATO), and triagers know to take them seriously.

redirect_uri Tricks

  • Path traversal that bypasses prefix matchers
  • Open redirect chained into the OAuth callback to leak the code
  • Wildcarded subdomain in registered URIs
  • Fragment manipulation when validation only checks path

If the provider allows https://app.target.com/* as a redirect, find any open redirect under that origin and you can exfiltrate the authorization code.
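To make the validator point concrete, here is an added example (not code from the original post) that puts three redirect_uri checks side by side and runs constructed probe URIs through each; the registered callback, the origin and the probe values are all illustrative assumptions.

```python
# Added example, not code from the original post. Three redirect_uri
# validators, from the two flawed forms the section describes to the
# exact-match form an authorization server should use.
# The registered URI, origin and probes below are constructed for illustration.

REGISTERED = {"https://app.target.com/oauth/callback"}  # constructed registration
ORIGIN = "https://app.target.com"                        # constructed origin


def prefix_match(uri: str) -> bool:
    """Flawed: accepts anything that starts with a registered value, so a
    traversal or extra fragment appended to the callback passes."""
    return any(uri.startswith(r) for r in REGISTERED)


def origin_wildcard(uri: str) -> bool:
    """Flawed: the naive 'https://app.target.com/*' policy, implemented as a
    string prefix on the origin. Any path on the origin passes (so an open
    redirect under it leaks the code), and with no trailing slash even a
    look-alike host such as app.target.com.attacker.example passes."""
    return uri.startswith(ORIGIN)


def exact_match(uri: str) -> bool:
    """Correct: byte-for-byte equality with a registered URI. No prefix
    matching, no normalisation, no wildcards, no fragments, as the OAuth 2.0
    Security Best Current Practice recommends."""
    return uri in REGISTERED


# Constructed probes of the kinds listed above.
PROBES = {
    "legit": "https://app.target.com/oauth/callback",
    "traversal": "https://app.target.com/oauth/callback/../go?url=https://attacker.example",
    "lookalike_host": "https://app.target.com.attacker.example/oauth/callback",
    "open_redirect": "https://app.target.com/go?url=https://attacker.example",
    "fragment": "https://app.target.com/oauth/callback#@attacker.example",
}


def evaluate(check) -> dict:
    """Map each probe name to whether the given validator would accept it."""
    return {name: check(uri) for name, uri in PROBES.items()}


if __name__ == "__main__":
    for fn in (prefix_match, origin_wildcard, exact_match):
        print(fn.__name__, evaluate(fn))
```

Only exact_match rejects every probe but the legitimate one; the two prefix forms each let a different subset through.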

Missing state Parameter

Without state, the callback has no CSRF protection. An attacker initiates an OAuth flow, captures the authorization code, then forces the victim's browser to consume it, which logs the victim into the attacker's account. Pair with stored XSS to pivot.

Scope Upgrade Bugs

Some apps store scopes from the first authorization and accept new ones silently on subsequent calls. Try requesting admin scopes after a low-privilege grant. Some providers also let you trade access_token for one with broader scope.

PKCE Misuse

PKCE protects mobile and SPA flows from code interception. Common bugs include the server accepting a code with no verifier, accepting any verifier, or only checking length. Test by sending an empty code_verifier on token exchange.

Implicit Flow Survivors

Some clients still use the implicit flow. Tokens in the URL fragment leak through Referer headers, browser history, and JS analytics. Look for OAuth endpoints with response_type=token.

Account Linking and Pre-ATO

If the app links social accounts by email without verification, register a provider account with the victim's email, link through OAuth, and inherit their app account. This is a frequent pre-account takeover root cause.

Logout and Session Cleanup

Many apps log out the local session but leave the provider session and refresh token alive. A shared device can reauthenticate with one click. Worth a low-severity report on its own, and a useful chain step otherwise.

Provider-Specific Quirks

  • Google: drive scope upgrade and consent caching
  • Facebook: deprecated permissions reappearing in token introspection
  • GitHub: org-level scopes leaking through unscoped tokens
  • Microsoft: tenant id confusion in multi-tenant apps

Tooling

  • Burp with the OAuth extension for parameter manipulation
  • OAuthLib and Authlib for crafting weird requests
  • Custom HTML pages to test redirect_uri parsing
  • Postman collections for token introspection

Reporting Heuristics

Show the full kill chain. Attacker initiates, victim clicks, attacker captures code, attacker exchanges, attacker reads victim data. Two browsers and a clean storyboard.

OAuth has no single weak point. Hunters win by reading the spec and testing each step independently.

Closing

OAuth is a parameter game. The hunters who memorize the parameter names and the validator quirks find bugs in apps that everyone else thought were clean.
