An Offensive Guide to the OAuth 2.0 Authorization Code Grant

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.nccgroup.com/research-blog/an-offensive-guide-to-the-authorization-code-grant/
• Blog Title: An Offensive Guide to the OAuth 2.0 Authorization Code Grant
• Suggested Section: Pentesting Web / OAuth to Account takeover

🎯 Content Summary

This blog is a hands-on offensive guide to attacking OAuth 2.0 Authorization Code grant flows. It assumes the standard OAuth 2.0 components:

• Resource Owner (“user”): grants access to their account/data.
• Resource Server (“API”): hosts the protected resources.
• Client (“application”): wants to access the Resource Server on behalf of the user.
• Authorization Server (“IdP”): issues authorization c...

  🔧 Technical Details

  CSRF and account linking via broken state
  Treat the OAuth state parameter as a mandatory CSRF token: generate a cryptographically random value per browser session, store it in a browser‑only location (cookie/local storage), send it in the authorization request, and verify it on return. Exploitation abstracts to: an attacker completes their own OAuth flow, captures but does not send the final request containing their code, then forces a victim’s browser to send that exact request. If state is missing, optional, predictable, unvalidated, or attacker‑fixable, the Client accepts the request and links the victim’s local account to the attacker’s identity at the IdP, enabling account takeover or persistent unauthorized account association.

  
  

  Authorization code replay via weak code semantics
  Authorization codes must be short‑lived, single‑use, and replay‑sensitive. In any OA...

  🤖 Agent Actions

  Summary:

  • Expanded the oauth-to-account-takeover.md guidance with actionable testing checklists for state replay/CSRF, hardened coverage on redirect_uri validation failures, and a deeper explanation of client-secret exposure in public/native apps along with PKCE expectations.
  • Added detailed guidance for assessing Authorization Code lifetime/replay behavior, broader access-token leakage vectors, and introduced a dedicated section on clickjacking OAuth consent dialogs (including mitigation headers and NCC Group’s PoC tooling).
  • Updated the references list to include NCC Group’s “An Offensive Guide to the OAuth 2.0 Authorization Code Grant.”

  Tests: Not run (not applicable for documentation changes).

  ---

  This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.nccgroup.com/research-blog/an-offensive-guide-to-the-authorization-code-grant/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / OAuth to Account takeover".

Repository Maintenance:

• MD Files Formatting: 920 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0