BCP_4_17

Authorization Server Redirecting to Phishing Site

An attacker could utilize a correctly registered redirect URI to perform phishing attacks. The authorization server SHOULD only automatically redirect the user agent if it trusts the redirect URI. If the URI is not trusted, the authorization server MAY inform the user and rely on the user to make the correct decision.

OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.17)

Mitigations

This threat is considered fully mitigated if all the test cases from the following test set succeed.

The impact factor is a measure that indicates how important a given countermeasure is towards mitigating a threat.

Back to the threat overview