Home
Services
Features
Blog
Labs
Partners
About

Get started

Services
Partners
Features
Pricing
Blog
Labs
About
Contact
Support
- Contact
- Help center

OAuth 2.0 Threat Model Pentesting Checklist

The following is a checklist we are using usefull during an OAuth 2.0 Penetration Testing engagement.

May 25, 2021

Oauth2
Pentest Checklist

Oauth 2.0 Pentest Checklist

WORD AHEAD

This is a simplified visual alternative to IETF OAuth 2.0 Security Best Current Practice publication combined with various other public resources we found usefull.

Overall, we are using this checklis as part of our engagements when testing for Oauth2 implementations.

CHECKLIST

Threat: Insufficient Redirect URI Validation

Read more
Insufficient Redirect URI Validation

Threat: Credential Leakage via Referer Headers

Read more
Credential Leakage via Referer Headers

Threat: Credential Leakage via Browser History

Read more
Credential Leakage via Browser History

Threat: Mix-Up Attacks

Read more
Mix-Up Attacks

Threat: Authorization Code Injection

Read more
Authorization Code Injection

Threat: Access Token Injection

Read more
Authorization Code Injection

Cross Site Request Forgery

Read more
Cross Site Request Forgery

Access Token Leakage at the Resource Server

Read more
Access Token Leakage at the Resource Server

Threat: Access Token Leakage at the Resource Server

Read more
Access Token Leakage at the Resource Server

Threat: 307 Redirect

Read more
307 Redirect

Threat: TLS Terminating Reverse Proxies

Read more
TLS Terminating Reverse Proxies

Threat: Client Impersonating Resource Owner

Read more
Client Impersonating Resource Owner

Threat: Clickjacking

Read more
Clickjacking

Other Security Considerations

Confidentiality of Requests

Server authentication

Always keep the resource owner informed

Credentials

Credential storage protection

Standard SQLi Countermeasures

No cleartext storage of credentials

Encryption of credentials

Use of asymmetric cryptography

Online attacks on secrets

Password policy

High entropy of secrets

Lock accounts

Tar pit

Usage of CAPTCHAs

Tokens (access, refresh, code)

Limit token scope

Expiration time

Short expiration time

Limit number of usages/ One time usage

Bind tokens to a particular resource server (Audience)

Use endpoint address as token audience

Audience and Token scopes

Bind token to client id

Signed tokens

Encryption of token content

Random token value with high entropy

Access tokens

Authorization Server

Authorization Codes

Automatic revocation of derived tokens if abuse is detected

Refresh tokens

Restricted issuance of refresh tokens

Binding of refresh token to client_id

Refresh Token Replacement

Refresh Token Revocation

Combine refresh token requests with user-provided secret

Device identification

Client authentication and authorization

Client_id only in combination with forced user consent

Client_id only in combination with redirect_uri

Validation of pre-registered redirect_uri

Client secret revocation

Use strong client authentication (e.g. client_assertion / client_token)

End-user authorization

Automatic processing of repeated authorizations requires client validation

Validation of client properties by end-user

Binding of authorization code to client_id

Binding of authorization code to redirect_uri

Client App Security

Do not store credentials in code or resources bundled with software packages

Standard web server protection measures (for config files and databases)

Store secrets in a secure storage

Utilize device lock to prevent unauthorized device access

Platform security measures

Resource Servers

Check Authorization headers

Check Authenticated requests

Check Signed requests

OAUTH2.0 PENTEST CHECK LIST MINDMAP - INSANE QUALITY IMAGE

[*] Download picture

OAUTH2.0 PENTEST CHECK LIST MINDMAP - CHERRY TREE IMPORTABLE VERSION

[*] Download file

ACKNOWLEDGEMENTS | REFERENCES | RESOURCES

- https://tools.ietf.org/id/draft-lodderstedt-oauth-security-01.html

- https://tools.ietf.org/id/draft-ietf-oauth-security-topics-15.html

- https://www.google.com/search?q=oauth2+site%3Ahackerone.com&newwindow=1

- https://pentesterlab.com/exercises/

- https://developer.okta.com/blog/2019/03/12/oauth2-spring-security-guide

- https://www.giuspen.com/cherrytree/

Stay in the loop

Join our newsletter to get top security news before anyone else.

Services

Offensive Pentesting
Cloud Gap Analysis
Mobile Security
Source Code Security Review
Ongoing Assets Monitoring
Cloud Migration

Company

About
Contact
Labs
Blog
Partners

Help Center

FAQ's
Terms and Conditions
Privacy Policy
Disclaimer
Location
Security

© 2019 - 2021 Security Hubs Inc. All rights reserved.