
How to Identify OAuth2 Vulnerabilities and Mitigate Risks

OAuth2 Case Studies based on HackerOne Public Disclosure Reports
Even though OAuth2 has been the industry-standard authorization framework since it superseded OAuth1 in 2012, its flexibility and many moving parts leave plenty of room for insecure implementations. For security engineers, it's vital to understand what OAuth2 is, how it works, and how a poor implementation leads to vulnerabilities.

In this article, we'll highlight some common attack vectors against OAuth2 by referring to HackerOne public disclosure reports with actual cases, and explain how to mitigate each of them.
 
What is OAuth2?
OAuth2 is a widely used framework for access delegation: it allows a user (the resource owner) to grant one application (the client application) limited access to the user's resources hosted by another application or website (the resource server), without handing the user's credentials to the client.

If you have some basic knowledge of OAuth2 but have never implemented it in your own application, the two diagrams below may help you refresh the concepts and the mechanics of how it works. They illustrate the workflow for two common OAuth2 grant types: the authorization code grant (Figure 1) and the implicit grant (Figure 2), which is still in use but is no longer recommended because it is insecure.

OAuth2 is fundamentally complicated because it is designed to solve delegated authorization across many different environments (mobile apps, web servers, single-page applications, and so on), and in practice it is frequently stretched to provide user authentication as well. Because of this complexity, many engineers do not fully understand the details of OAuth2. As a consequence, we observe many security issues caused by misconfiguration or poor implementation of OAuth2. To make it worse, some of the exploits against these misconfigurations are extremely simple and easy to launch.

 

Common OAuth2 Vulnerabilities from HackerOne’s Public Disclosure

Let's take a look at some common attack vectors against OAuth2 by referring to HackerOne public disclosure reports. Each vulnerability is explained alongside an actual disclosed exploit so that the explanation stays concrete, and at the end of each section you will learn how to mitigate that vulnerability.

 

Vulnerability 1: Missing validation in redirect_uri leads to access token takeover

HackerOne Reports:

https://hackerone.com/reports/665651
https://hackerone.com/reports/405100

The redirect_uri parameter in the OAuth2 workflow tells the authorization server where to deliver the authorization code (or, for the implicit grant, the access_token) by means of a browser redirect. In Figure 1, the redirect_uri parameter is set by the client application as part of the authorization request to the authorization server in step 2, when a web user clicks the login button. After the authorization server validates the user's credentials (step 6), it redirects the browser to the redirect_uri used in step 2 with the authorization code attached as a query parameter (or, for the implicit grant, with the access_token in the URL, step 7 in Figure 2).

If a malicious user can make the victim send a request to the authorization server with a redirect_uri controlled by the attacker, and the authorization server does NOT validate the redirect_uri, the authorization code or access_token is delivered to the attacker's URI instead of to the legitimate client application.

Stealing users' OAuth tokens via redirect_uri is, unfortunately, a typical case: the authorization server performs only a weak validation of the redirect_uri (a prefix, substring or wildcard match, for example), and the attacker bypasses it with a link to a host or path they control.

 
Mitigation

Implement robust redirect_uri validation on the authorization server:

  1. Require every client to register its complete redirect URIs (scheme, host, port and path) up front, and compare the redirect_uri in each authorization request against the URIs registered for that client_id using an exact string match. Do not use prefix, substring, wildcard or regular-expression matching.
  2. When the redirect_uri does not match, do not redirect anywhere: show an error page to the user instead, as RFC 6749 requires, and never fall back to the unvalidated value.
  3. Keep the registered list explicit and small, and reject registrations of non-HTTPS URIs (other than loopback addresses for native apps) and of URIs that contain fragments, userinfo or wildcards.
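The following Python example, added here for this article and not part of the original page or of any Coupa code, puts the prefix-style check that such bypasses defeat next to the exact-match check recommended above, and shows the authorization endpoint refusing to redirect on a mismatch. The client_id, registered callback URIs and attacker URLs are all constructed for illustration:

```python
"""redirect_uri validation on the authorization server.

Added example for this article; it is not Coupa's code. The client_id,
registered URIs and attacker URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed registration data: one client with two exact callback URIs.
REGISTERED_REDIRECT_URIS = {
    "client-123": {
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-mobile",
    },
}


def validate_registration(uri):
    """Checks applied once, when a client registers a redirect URI.

    RFC 6749 section 3.1.2 requires an absolute URI with no fragment; we
    additionally insist on HTTPS (plain HTTP only on the loopback address,
    which RFC 8252 allows for native apps) and refuse wildcards and userinfo.
    """
    parts = urlsplit(uri)
    loopback = parts.scheme == "http" and parts.hostname in ("127.0.0.1", "localhost", "::1")
    if not (parts.scheme == "https" or loopback):
        raise ValueError("redirect URI must use https (or http on loopback)")
    if not parts.netloc or "@" in parts.netloc or parts.fragment or "*" in uri:
        raise ValueError("redirect URI must be absolute, with no userinfo, fragment or wildcard")
    return uri


def is_registrable(uri):
    try:
        validate_registration(uri)
        return True
    except ValueError:
        return False


def weak_redirect_check(client_id, redirect_uri):
    """VULNERABLE: prefix match on the registered origin.

    Anything that merely starts with the expected origin is accepted.
    """
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        parts = urlsplit(registered)
        origin = f"{parts.scheme}://{parts.netloc}"
        if redirect_uri.startswith(origin):
            return True
    return False


def strict_redirect_check(client_id, redirect_uri):
    """Exact string comparison against the URIs registered for this client_id."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def authorize(client_id, redirect_uri, code, check=strict_redirect_check):
    """Authorization endpoint decision after the user approved the request.

    Returns ("redirect", url) only when the redirect_uri is valid. On a
    mismatch it returns ("error_page", None): the server shows an error to the
    user and MUST NOT redirect to the unvalidated URI (RFC 6749 3.1.2.4).
    """
    if not check(client_id, redirect_uri):
        return ("error_page", None)
    return ("redirect", f"{redirect_uri}?code={code}")


# Constructed attacker-controlled URIs that all survive a prefix check.
ATTACKER_URIS = [
    "https://app.example.com.attacker.example/oauth/callback",  # lookalike host
    "https://app.example.com@attacker.example/oauth/callback",  # userinfo trick: host is attacker.example
    "https://app.example.com/open-redirect?next=https://attacker.example/",  # open redirect on the real host
]


def demo():
    """Returns (accepted_by_weak, accepted_by_strict) for the attacker URIs."""
    weak = [weak_redirect_check("client-123", u) for u in ATTACKER_URIS]
    strict = [strict_redirect_check("client-123", u) for u in ATTACKER_URIS]
    return weak, strict


if __name__ == "__main__":
    print(demo())
    print(authorize("client-123", ATTACKER_URIS[0], "abc"))
```

Running the module shows that all three attacker URIs pass the prefix check and fail the exact match. The exact-match rule also neutralises an open redirect on the legitimate host, which a host- or origin-based allow-list would not.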

 

Vulnerability 2: Missing state parameter validation leads to CSRF attack

HackerOne Reports:

https://hackerone.com/reports/111218
https://hackerone.com/reports/13555

In an OAuth2 implementation, the state parameter (set in step 2) is an opaque value that the client generates and includes in the authorization request, and that the authorization server returns unchanged in the redirect back to the client. Its primary purpose is to bind the callback to the browser session that started the flow, which is what protects the callback against CSRF; it can also carry application state that the client wants to restore after login.

Here is the correct handling of the state parameter:

  1. The client application generates a fresh, cryptographically random and unguessable value for each authorization request and includes it as the state parameter in the request URL (step 2).
  2. The client application stores that state value in the user's current session (step 2).
  3. The authorization server redirects back to the client application with the authorization code (step 7 in Figure 1) or the access_token (step 7 in Figure 2), together with the same state parameter.
  4. The client application compares the state stored in the session with the state parameter received in the callback. Only if they match is the code or access_token consumed; otherwise the callback is rejected. The stored value is then discarded so that it cannot be used a second time. This is what prevents the CSRF attack.

However, because the state parameter is not required for the OAuth2 workflow to succeed, it is very often omitted or ignored during implementation. Without state validation, a CSRF attack can easily be launched against the client application.

 

This HackerOne report is a good example of how an attacker can link their own third-party account to a victim's account in the client application because the state parameter is missing: the attacker starts the flow in their own browser, captures the callback URL that carries their own code, and gets the victim's browser to load it, so the victim's session ends up bound to the attacker's identity. Sometimes the state parameter is even present in the callback request from the authorization server, but the client application never validates it, which leaves the application just as vulnerable to CSRF.

 

Mitigation

Generate an unguessable state value for every authorization request, store it server-side in the user's session, require the callback to carry the same value, compare the two with a constant-time comparison, and invalidate the stored value after one use. Reject any callback whose state is missing or does not match, so that an attacker cannot link their account to the victim's. PKCE provides a similar binding for the authorization code grant and can be used in addition to state.
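Here is how the four steps look in code. This Python example is added for this article and is not Coupa's code; the authorization endpoint, callback URI and client_id are hypothetical, and the authorization server and the two browser sessions are simulated in memory. It contrasts a callback handler that ignores state with one that enforces it, and runs the login-CSRF scenario from the reports against both:

```python
"""state generation and verification in an OAuth2 client.

Added example for this article, not Coupa's code. The authorization server,
sessions and callback URLs are constructed in-memory stand-ins.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://as.example/authorize"      # hypothetical
CALLBACK_URI = "https://app.example.com/oauth/callback"   # hypothetical


def begin_authorization(session, client_id):
    """Step 2: generate an unguessable state, remember it in the server-side
    session, and build the authorization request URL."""
    state = secrets.token_urlsafe(32)          # 256 bits of entropy
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": CALLBACK_URI,
        "scope": "openid email",
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def _callback_params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback_insecure(session, callback_url):
    """VULNERABLE: consumes whatever code arrives, regardless of state."""
    return _callback_params(callback_url)["code"]


def handle_callback(session, callback_url):
    """Steps 3-4: the stored state must exist, must match exactly, and is
    removed from the session so that it can be used only once."""
    params = _callback_params(callback_url)
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None:
        raise PermissionError("missing state")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: rejecting callback (possible CSRF)")
    return params["code"]


def simulate_login_csrf(handler):
    """Attacker runs the flow in their own browser, captures the callback URL
    carrying THEIR code and THEIR state, and makes the victim's browser load
    it. Returns True if the victim's session accepts the attacker's code."""
    attacker_session, victim_session = {}, {}
    begin_authorization(attacker_session, "client-123")
    # The authorization server echoes the attacker's state back with the code.
    attacker_callback = CALLBACK_URI + "?" + urlencode({
        "code": "code-issued-to-attacker",
        "state": attacker_session["oauth_state"],
    })
    begin_authorization(victim_session, "client-123")  # victim has their own state
    try:
        return handler(victim_session, attacker_callback) == "code-issued-to-attacker"
    except PermissionError:
        return False


def legitimate_flow():
    """Victim completes their own flow; the state round-trips and matches.
    Returns (code, replay_rejected)."""
    session = {}
    url = begin_authorization(session, "client-123")
    state = _callback_params(url)["state"]
    callback = CALLBACK_URI + "?" + urlencode({"code": "code-issued-to-victim", "state": state})
    code = handle_callback(session, callback)
    try:                       # replaying the same callback must fail: single use
        handle_callback(session, callback)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return code, replay_rejected


if __name__ == "__main__":
    print("insecure handler accepts CSRF:", simulate_login_csrf(handle_callback_insecure))
    print("secure handler accepts CSRF:", simulate_login_csrf(handle_callback))
    print(legitimate_flow())
```

The state is popped from the session before comparison, so a second delivery of the same callback fails even when the value matches; an attacker who obtains a used callback URL gains nothing from replaying it.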

Vulnerability 3: Client_secret mistakenly disclosed to the public

HackerOne Report:

https://hackerone.com/reports/272824
https://hackerone.com/reports/397527

The client_secret is used by the client application to authenticate itself to the authorization server when exchanging the authorization code for an access token (step 8 in Figure 1). It is a secret known only to the client application and the authorization server, and it must stay on the client's server.

Some developers accidentally disclose the client_secret to end users because the token request (step 8 in Figure 1) is mistakenly performed by front-end JavaScript code rather than through the back-end channel.

In this HackerOne report about token disclosure, the client_secret is publicly exposed in the HTML page because the exchange of the authorization code for the access_token (step 8 in Figure 1) is executed by a piece of JavaScript.

 
Mitigation

To avoid disclosing the client_secret, developers first need to understand which kind of client they are building, because OAuth2 offers different options for different applications. If your client application has a back-end server (a confidential client), the exchange with the authorization server must be performed by that server over the back channel, and the client_secret must never be shipped to the browser or embedded in a mobile app binary. If your client application is a single-page web application or a mobile app (a public client), it cannot keep a secret at all, so do not issue it one. Use the authorization code grant with PKCE (RFC 7636) instead, which binds the authorization code to the client instance that requested it without any static secret.
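The following Python example, added for this article and not taken from Coupa's code or from the disclosed reports, shows the PKCE flow a public client should use in place of a client_secret: the client derives a code_challenge from a random code_verifier, and the (simulated, in-memory) authorization server refuses to redeem the authorization code unless the matching verifier is presented. The client_id and the server are hypothetical; the reference vector checked in the main block comes from RFC 7636, Appendix B:

```python
"""Authorization code grant with PKCE (RFC 7636) for a public client.

Added example for this article, not Coupa's code. The authorization server is
an in-memory stand-in and the client id is hypothetical.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data):
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier():
    """Client side: 32 random bytes -> 43-character verifier (RFC allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier):
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal AS: remembers the challenge with each issued code and checks
    the verifier at the token endpoint. No client_secret exists anywhere."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge, code_challenge_method):
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)          # each code is single-use
        if entry is None:
            raise PermissionError("unknown or already redeemed code")
        issued_to, challenge = entry
        if issued_to != client_id or not code_verifier.isascii() \
                or not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid client or malformed verifier")
        if not hmac.compare_digest(code_challenge_s256(code_verifier).encode(),
                                   challenge.encode()):
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_exchange(intercept=False):
    """Full flow for a hypothetical SPA. With intercept=True an attacker who
    captured the code (e.g. through a leaked redirect) tries to redeem it
    with a verifier of their own; the exchange must fail."""
    server = AuthorizationServer()
    verifier = make_code_verifier()                       # never leaves the SPA
    code = server.authorize("spa-client", code_challenge_s256(verifier), "S256")
    if intercept:
        try:
            server.token("spa-client", code, make_code_verifier())
            return "attacker got a token"
        except PermissionError:
            return "rejected"
    return server.token("spa-client", code, verifier)["token_type"]


if __name__ == "__main__":
    # Reference vector from RFC 7636, Appendix B.
    assert code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") \
        == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    print(run_exchange(), run_exchange(intercept=True))
```

Because the verifier never leaves the application instance that started the flow, an intercepted authorization code is worthless on its own, which is exactly the property a public client loses when it ships a client_secret to every user.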

 

Vulnerability 4: Pre-account takeover

HackerOne Report:

https://hackerone.com/reports/1074047

A pre-account takeover can occur when the following two conditions are met:

  1. The client application supports multiple authentication methods, e.g. a local login with a password and a login through a third-party service (such as Facebook or Google) acting as an OAuth authentication provider.
  2. The client application does not verify ownership of the email address during password-based signup (or trusts an email address that the third-party service itself has not verified), and it links the third-party login to an existing account purely by matching the email address.

This HackerOne report details how such a configuration leads to a pre-account takeover:

  1. The attacker creates an account with the victim's email address and the attacker's own password before the victim has registered on the client application.
  2. The victim later signs in through a third-party service, such as Google or Facebook, and the client application matches the incoming login to the existing account by email address.
  3. The victim performs sensitive actions in the client application, which are saved against that account; the application typically uses the email address as the identifier for its users in the database.
  4. The attacker now logs in with the victim's email address and the password chosen in step 1, and reads the sensitive data the victim added.
 
Mitigation

Verify ownership of the email address before activating any password-based account (for example, with a one-time link sent to that address), and do not treat an unverified account as a match when a third-party login arrives with the same email. When linking a third-party identity to an existing account, require that the provider reports the email as verified (the email_verified claim in OpenID Connect) and that the local account's email has been verified too; otherwise ask the user to re-authenticate with the local password before linking. Prefer the provider's stable subject identifier (sub) over the email address as the key for the linked identity.

 

Vulnerability 5: OAuth2 access_token is leaked through referrer header

HackerOne Reports:

https://hackerone.com/reports/835437
https://hackerone.com/reports/787160
https://hackerone.com/reports/202781

One weak point of the implicit grant is that it returns the access_token in the URL of the redirect. Any sensitive data placed in a URL is at risk of leaking to third parties: through browser history, server logs and, if the token ends up in the query string of a page that loads third-party resources or redirects onward, through the Referer header. OAuth2 implementations are no exception.

In this HackerOne report about access_token smuggling, for example, the access_token was exposed to a third-party website controlled by the attacker after a chain of redirects, by taking advantage of the Referer header.

 
Mitigation

Because the root cause is a design weakness of the implicit grant, the most effective fix is to stop using it: switch to the authorization code grant with PKCE, so that the access_token is never placed in a URL. Where the implicit grant cannot be removed yet, reduce the exposure: set a strict referrer policy on the pages that receive the token, either with the Referrer-Policy response header or with <meta name="referrer" content="no-referrer" /> (content="origin" also works, since it strips the path and query that would carry the token), and remove the token from the URL as soon as the page has read it.

 

Vulnerability 6: OAuth2 login bypass due to lack of access_token validation

HackerOne Report:

https://hackerone.com/reports/245408

A lack of access_token validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their passwords.

Once the authorization server returns the access_token to the client application, the client needs to bind that token to a user identity so that it can establish a session. The vulnerability arises when the client lets the caller choose that identity, for example by accepting an email address alongside the token, instead of deriving the identity from the token itself. An attacker then presents their own valid access_token together with the victim's identifier and is logged in as the victim.

In this HackerOne report, the security researcher was able to log in as any user just by supplying the victim's email address, because the client application never checked whether the access_token actually belonged to that user.

 
Mitigation

The client application must derive the user's identity from the access_token itself, by calling the provider's userinfo or token introspection endpoint (or by validating the signature, issuer, audience and expiry of an ID token), and must never accept a user identifier supplied in the same request. It should also confirm that the token was issued to this client (the audience or client_id reported by the provider), so that a token obtained for a different application cannot be substituted.
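The following Python example is added for this article; it is not Coupa's code and is not taken from the reports. It implements the account-binding logic recommended both for the pre-account takeover in Vulnerability 4 and for the login bypass described here: identity comes from the provider's answer about the token, never from a caller-supplied email; an existing account is linked by email only if both the provider and the local application have verified that address; and a token issued to a different client is refused. The provider, client identifiers, users and tokens are constructed in-memory stand-ins, and the vulnerable variant is included for contrast:

```python
"""Binding a third-party OAuth login to a local account.

Added example for this article, not Coupa's code. It covers two failures
described in the article: pre-account takeover (linking by unverified email)
and login bypass (trusting a caller-supplied identity instead of the token's).
The provider lookup, users and tokens are constructed in-memory stand-ins.
"""
from dataclasses import dataclass, field

OUR_CLIENT_ID = "client-123"   # hypothetical
PROVIDER = "idp.example"       # hypothetical


@dataclass
class LocalUser:
    user_id: str
    email: str
    email_verified: bool
    identities: set = field(default_factory=set)   # {(provider, sub)}


class UserStore:
    def __init__(self):
        self.users = {}

    def add(self, user):
        self.users[user.user_id] = user
        return user

    def by_identity(self, provider, sub):
        return next((u for u in self.users.values() if (provider, sub) in u.identities), None)

    def by_email(self, email):
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)


# Constructed stand-in for the provider's token introspection / userinfo
# endpoints. In production this is an HTTPS call carrying the bearer token.
CONSTRUCTED_TOKENS = {
    "tok-victim":    {"client_id": "client-123", "sub": "idp-1001", "email": "victim@example.com",   "email_verified": True},
    "tok-attacker":  {"client_id": "client-123", "sub": "idp-2002", "email": "attacker@example.com", "email_verified": True},
    "tok-other-app": {"client_id": "client-999", "sub": "idp-1001", "email": "victim@example.com",   "email_verified": True},
}


def provider_lookup(access_token):
    claims = CONSTRUCTED_TOKENS.get(access_token)
    if claims is None:
        raise PermissionError("provider rejected the token")
    return claims


def login_insecure(store, access_token, claimed_email):
    """VULNERABLE: the token is only checked to be valid; the identity comes
    from a parameter the caller controls, and accounts are matched by email."""
    provider_lookup(access_token)
    user = store.by_email(claimed_email)
    if user is None:
        user = store.add(LocalUser(f"u-{len(store.users) + 1}", claimed_email, False))
    return user.user_id


def login_secure(store, access_token, claimed_email=None):
    """claimed_email is deliberately ignored: identity comes from the token.
    Linking by email needs the address verified on BOTH sides, and the token
    must have been issued to this client."""
    claims = provider_lookup(access_token)
    if claims["client_id"] != OUR_CLIENT_ID:
        raise PermissionError("token was issued to a different client")
    user = store.by_identity(PROVIDER, claims["sub"])
    if user is not None:
        return user.user_id
    existing = store.by_email(claims["email"])
    if existing is not None:
        if not (claims["email_verified"] and existing.email_verified):
            raise PermissionError("email not verified on both sides; log in with the local password first")
        existing.identities.add((PROVIDER, claims["sub"]))
        return existing.user_id
    user = store.add(LocalUser(f"u-{len(store.users) + 1}", claims["email"],
                               claims["email_verified"], {(PROVIDER, claims["sub"])}))
    return user.user_id


def attack_succeeds(login, scenario):
    """Runs one attack scenario against a login function and reports whether
    the attacker ends up in the victim's account."""
    store = UserStore()
    if scenario == "pre_account_takeover":
        # Attacker pre-registers a password account with the victim's email (never
        # verified); the victim later signs in through the provider.
        target = store.add(LocalUser("u-attacker", "victim@example.com", False))
        token, email = "tok-victim", "victim@example.com"
    elif scenario == "login_bypass":
        # Victim exists; attacker uses their OWN valid token but names the victim.
        target = store.add(LocalUser("u-victim", "victim@example.com", True, {(PROVIDER, "idp-1001")}))
        token, email = "tok-attacker", "victim@example.com"
    else:  # token_substitution: a valid token, but issued to another application
        target = store.add(LocalUser("u-victim", "victim@example.com", True, {(PROVIDER, "idp-1001")}))
        token, email = "tok-other-app", "victim@example.com"
    try:
        return login(store, token, email) == target.user_id
    except PermissionError:
        return False


if __name__ == "__main__":
    for scenario in ("pre_account_takeover", "login_bypass", "token_substitution"):
        print(scenario, attack_succeeds(login_insecure, scenario), attack_succeeds(login_secure, scenario))
```

In the secure path the lookup order matters: the (provider, sub) pair is tried first, so a returning user is never re-matched by email, and the email fallback is only a one-time linking step that both sides must have vouched for.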

 

Summary

The OAuth2 framework is complicated and leaves many implementation choices open. Because of this flexibility, the security of an OAuth2 implementation is largely in the hands of the developers: those with a strong security mindset can make it robust, whereas those with less security training are likely to introduce the kinds of holes described above. For any organization, it is vital to train developers in the latest OAuth2 security best practices, such as the IETF's OAuth 2.0 Security Best Current Practice, to reduce this risk.

At Coupa, our engineers are committed to following the latest OAuth2 security best practices to make sure our OAuth2 implementation is secure.

