BCP_4_1_1

Redirect URI Validation Attacks on Authorization Code Grant

Some authorization servers allow clients to register redirect URI patterns instead of complete redirect URIs. This approach turned out to be more complex to implement and more error prone to manage than exact redirect URI matching. Several successful attacks exploiting flaws in the pattern matching implementation or concrete configurations have been observed in the wild.

OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.1.1)

Mitigations

This threat is considered fully mitigated if all the test cases from one of the following test sets succeed.

The impact factor is a measure that indicates how important a given countermeasure is towards mitigating a threat.

Back to the threat overview