Features
- History of Pentesting
Capabilities
Blog
Resources
Company
Contact
Login

History of Pentesting
Capabilities
Blog
Resources
About Us
Partners
Help center
Contact
Login

Oauth2.0 Pentest Checklist

Here's a list of things to keep in mind when checking out part of an OAuth 2.0 Penetration Testing engagement.

Syn Cubes Team - May 25, 2021

Word Ahead

This is a visual alternative to the IETF OAuth 2.0 Security Best Current Practice publication, combined with knowledge from various other public resources we found useful.

We are using this checklist as part of our testing routine for Oauth2 implementations.

Checklist

Threat: Insufficient Redirect URI Validation

Read more

Insufficient Redirect URI Validation

Threat: Credential Leakage via Referer Headers

Read more

Credential Leakage via Referer Headers

Threat: Credential Leakage via Browser History

Read more

Credential Leakage via Browser History

Threat: Mix-Up Attacks

Read more

Mix-Up Attacks

Threat: Authorization Code Injection

Read more

Authorization Code Injection

Threat: Access Token Injection

Read more

Authorization Code Injection

Cross Site Request Forgery

Read more

Cross Site Request Forgery

Access Token Leakage at the Resource Server

Read more

Access Token Leakage at the Resource Server

Threat: Access Token Leakage at the Resource Server

Read more

Access Token Leakage at the Resource Server

Threat: 307 Redirect

Read more

307 Redirect

Threat: TLS Terminating Reverse Proxies

Read more

TLS Terminating Reverse Proxies

Threat: Client Impersonating Resource Owner

Read more

Client Impersonating Resource Owner

Threat: Clickjacking

Read more

Clickjacking

Other Security Considerations

Confidentiality of Requests

Server authentication

Always keep the resource owner informed

Credentials

Credential storage protection

Standard SQLi Countermeasures

No cleartext storage of credentials

Encryption of credentials

Use of asymmetric cryptography

Online attacks on secrets

Password policy

High entropy of secrets

Lock accounts

Tar pit

Usage of CAPTCHAs

Tokens (access, refresh, code)

Limit token scope

Expiration time

Short expiration time

Limit number of usages/ One time usage

Bind tokens to a particular resource server (Audience)

Use endpoint address as token audience

Audience and Token scopes

Bind token to client id

Signed tokens

Encryption of token content

Random token value with high entropy

Access tokens

Authorization Server

Authorization Codes

Automatic revocation of derived tokens if abuse is detected

Refresh tokens

Restricted issuance of refresh tokens

Binding of refresh token to client_id

Refresh Token Replacement

Refresh Token Revocation

Combine refresh token requests with user-provided secret

Device identification

Client authentication and authorization

Client_id only in combination with forced user consent

Client_id only in combination with redirect_uri

Validation of pre-registered redirect_uri

Client secret revocation

Use strong client authentication (e.g. client_assertion / client_token)

End-user authorization

Automatic processing of repeated authorizations requires client validation

Validation of client properties by end-user

Binding of authorization code to client_id

Binding of authorization code to redirect_uri

Client App Security

Do not store credentials in code or resources bundled with software packages

Standard web server protection measures (for config files and databases)

Store secrets in a secure storage

Utilize device lock to prevent unauthorized device access

Platform security measures

Resource Servers

Check Authorization headers

Check Authenticated requests

Check Signed requests

OAUTH2.0 Penetration Testing - High Quality Image

[*] Download picture