
How to Identify OAuth2 Vulnerabilities and Mitigate Risks

OAuth2 Case Studies based on HackerOne Public Disclosure Reports
Even though OAuth2 has been the industry-standard authorization framework since it replaced OAuth1 in 2012, its many complexities have led to potential security issues. For security engineers, it's vital to understand what OAuth2 is, how it works, and how poor implementation can lead to vulnerabilities.

In this article, we'll highlight some common attack vectors or vulnerabilities against OAuth2 by referring to HackerOne public disclosure reports with actual cases — and explain how to mitigate those.
 
What is OAuth2?
OAuth2 is a widely used framework for access delegation: it allows users to grant one application (the client application) limited access to their resources hosted in another application or website (the resource application), without handing over their credentials.

If you have some basic knowledge about OAuth2 but have never implemented OAuth2 in your application, the two diagrams below might help you to refresh the concepts of OAuth2 and the mechanism of how it works. The diagrams illustrate the workflow for two common OAuth2 grant types, authorization code grant (Figure 1) and the still-in-use but deemed insecure implicit grant (Figure 2).

OAuth2 itself is fundamentally complicated because it is designed to solve the vital authentication step in many different environments (mobile apps, web servers, and so on). Because of that complexity, many security engineers do not fully understand how OAuth2 works, and as a consequence we are observing many security issues caused by misconfigured or poorly implemented OAuth2. To make matters worse, some exploits against these misconfigurations are extremely simple and easy to launch.

 

Common OAuth2 Vulnerabilities from HackerOne’s Public Disclosure

Let’s take a look at some common attack vectors or vulnerabilities against OAuth2 by referring to HackerOne public disclosure reports. We hope the explanations of these vulnerabilities are clear by making reference to the actual exploitation disclosure. At the end of each of the following sections, you will also learn how to mitigate these vulnerabilities.

 

Vulnerability 1: Missing validation in redirect_uri leads to access token takeover

HackerOne Reports:

https://hackerone.com/reports/665651
https://hackerone.com/reports/405100

The redirect_uri parameter in the OAuth2 workflow is the location to which the authorization server delivers the access_token or auth_code by means of a browser redirect. In Figure 1, the redirect_uri parameter is set by the client application as part of the request to the authorization server in step 2, when a web user clicks the login button. After the authorization server validates the credentials (step 6), it sends back the auth_code (or, for the implicit grant, the access_token; step 7 in Figure 2) as a parameter appended to the redirect_uri supplied in step 2.

If an attacker can trick the victim into sending a request to the authorization server with a redirect_uri controlled by the attacker, and the authorization server does NOT validate the redirect_uri, the access_token (or auth_code) will be delivered to the attacker's URI.

The case of stealing users’ OAuth tokens via redirect_uri is, unfortunately, a typical one, where the authorization server performs a poor validation on the redirect_uri and the attacker is able to bypass the validation with a malicious link they control.

 
Mitigation

Implement robust redirect_uri validation on the authorization server by taking the following approach:

  1. Match the redirect_uri in the request against the redirect_uri registered for that client_id on the authorization server, and reject the request on any mismatch.
  2. Use a whitelist of exact redirect URIs if the number of client applications is manageable.
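The two mitigation steps above, as an added example (not code from the article or from Coupa): a constructed client registry keyed by client_id, a loose hostname-substring check of the kind the reports above bypass, and a strict validator that only accepts an exact canonical match. The client ids and URIs are constructed for illustration.

```python
"""Strict redirect_uri validation for an OAuth2 authorization server.

Added example, not code from the article or from Coupa. CLIENT_REGISTRY,
the client ids and the URIs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed client registry: every client_id maps to the exact redirect
# URIs it registered. Nothing outside this set is ever accepted.
CLIENT_REGISTRY = {
    "client-123": {"https://app.example.com/oauth/callback"},
    "client-456": {"https://other.example.net/cb"},
}


def weak_is_valid_redirect(client_id: str, redirect_uri: str) -> bool:
    """The kind of loose check the reports above bypass: it only asks whether
    the registered hostname appears somewhere in the supplied hostname, so a
    look-alike host under an attacker's domain passes."""
    host = urlsplit(redirect_uri).hostname or ""
    registered_hosts = [urlsplit(r).hostname for r in CLIENT_REGISTRY.get(client_id, ())]
    return any(h and h in host for h in registered_hosts)


def _canonical(uri: str):
    """Reduce a URI to (host, port, path, query) for exact comparison.

    Returns None for anything that should never be a redirect target:
    non-https schemes, userinfo (user:pass@host) tricks, fragments, or
    unparsable ports."""
    try:
        p = urlsplit(uri)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme.lower() != "https" or not p.hostname:
        return None
    if p.fragment or p.username is not None or p.password is not None:
        return None
    if port == 443:
        port = None  # the default port is equivalent to no port
    return (p.hostname.lower(), port, p.path or "/", p.query)


def is_valid_redirect(client_id: str, redirect_uri: str) -> bool:
    """Strict check: the supplied URI must canonicalize to exactly one of the
    URIs registered for this client_id (scheme, host, port, path and query)."""
    candidate = _canonical(redirect_uri)
    if candidate is None:
        return False
    registered = {_canonical(r) for r in CLIENT_REGISTRY.get(client_id, ())}
    registered.discard(None)
    return candidate in registered


if __name__ == "__main__":
    # Constructed inputs: one legitimate callback and two attacker-shaped ones.
    samples = [
        "https://app.example.com/oauth/callback",
        "https://app.example.com.attacker.example/oauth/callback",      # look-alike host
        "https://app.example.com/oauth/callback/../../open-redirect",   # path tampering
    ]
    for uri in samples:
        print(f"{uri}\n  weak={weak_is_valid_redirect('client-123', uri)}"
              f"  strict={is_valid_redirect('client-123', uri)}")
```

The strict validator deliberately rejects rather than normalizes anything unusual (a non-https scheme, a fragment, userinfo in the authority, a client_id it does not know), because every bit of leniency in this check is surface for the kind of bypass the reports describe.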

 

Vulnerability 2: Missing state parameter validation leads to CSRF attack

HackerOne Reports:

https://hackerone.com/reports/111218
https://hackerone.com/reports/13555

In OAuth2 implementation, the state parameter (initialized under step 2) allows client applications to restore the previous state of the user. The state parameter preserves some state object set by the client in the authorization request and makes it available to the client in the response.

Here is the correct implementation of the state parameter:

  1. The client application initiates the request to the authorization server with a state parameter in the request URL (step 2).
  2. The client application stores the state parameter value in the current session (step 2).
  3. The authorization server sends the access_token back to the client application (step 7 in Figure 2) together with the same state parameter.
  4. The client application compares the state stored in the current session with the state parameter returned by the authorization server. If they match, the client application consumes the access_token; otherwise it discards it, which is what prevents the CSRF attack.

However, since the state parameter is not required for a successful OAuth2 workflow, it is very often omitted or ignored during OAuth2 implementation. Without validation of the state parameter, a CSRF attack can be launched easily against the client application.
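The four steps above on the client application side, as an added example (not code from the article or from Coupa): a state value is minted and stored in the session when the authorization request is built, and the callback is only honoured when the returned state matches, once. The endpoint, client_id and redirect_uri values are constructed, and `session` is a plain dict standing in for the client application's server-side session store.

```python
"""Generating, storing and validating the OAuth2 state parameter on the
client application side.

Added example, not code from the article or from Coupa. The endpoint,
client_id and redirect_uri values are constructed; `session` stands in for
whatever server-side session store the client application uses.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"  # constructed
CLIENT_ID = "client-123"                                         # constructed
REDIRECT_URI = "https://app.example.com/oauth/callback"          # constructed


def build_authorization_url(session: dict) -> str:
    """Step 2: mint an unguessable state, remember it in the user's session,
    and send it along in the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_params: dict):
    """Step 4: accept the code only if the returned state equals the one
    stored for this session. The stored value is removed first so that a
    callback can be consumed at most once, whether it passes or fails."""
    expected = session.pop("oauth_state", None)
    received = callback_params.get("state")
    if not expected or not received:
        return None  # missing state on either side: a forged or stale callback
    if not hmac.compare_digest(expected, received):
        return None  # state mismatch: a callback this session never started
    return callback_params.get("code")


def state_from_url(url: str) -> str:
    """Helper for tests/demos: pull the state back out of the built URL."""
    return parse_qs(urlsplit(url).query)["state"][0]


if __name__ == "__main__":
    victim_session = {}
    url = build_authorization_url(victim_session)
    # Legitimate round trip: the authorization server echoes our state.
    print(handle_callback(victim_session, {"code": "c0de", "state": state_from_url(url)}))
    # CSRF-shaped callback: a code minted for someone else's account arrives
    # without the state this session stored, so it is discarded.
    build_authorization_url(victim_session)
    print(handle_callback(victim_session, {"code": "someone-elses-code"}))
```

Popping the stored state before comparing is deliberate: a replayed callback, even with the correct state, finds nothing to match and is rejected, and a failed attempt cannot be retried against the same stored value.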

 

This HackerOne report is a very good example of how an attacker could attach their account to a different account on the client application because the state parameter was missing. Sometimes, even when the state parameter is present in the callback request from the authorization server, it is still not validated, leaving the application vulnerable to a CSRF attack.

 

Mitigation

Ensure the state parameter is passed between requests and that state validation is implemented, so that an attacker cannot attach their account to the victim's account.

Vulnerability 3: Client_secret mistakenly disclosed to the public

HackerOne Report:

https://hackerone.com/reports/272824
https://hackerone.com/reports/397527

The client_secret is used by the client application when it requests the authorization server to exchange the auth code for an access token (step 8 in Figure 1). The client_secret is a secret known only to the client application and the authorization server.

Some developers accidentally disclose the client_secret to end users because the token exchange request (step 8 in Figure 1) is mistakenly executed by front-end JavaScript code rather than over the back-end channel.

In the HackerOne report about token disclosure referenced above, the client_secret is publicly exposed in the HTML page because the exchange of the auth_code for the access_token (step 8 in Figure 1) is executed by a piece of JavaScript code.

 
Mitigation

To avoid disclosing the client_secret to the public, developers should first understand why they are implementing OAuth2, as different OAuth2 options suit different applications. If your client application has a back-end server, the client_secret should never be exposed to the public, because the interaction with the authorization server can be completed over a back-end channel. If your client application is a single-page web application or a mobile app, you should choose a different OAuth2 grant type; for example, use the Authorization Code grant with PKCE instead.
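The PKCE alternative recommended above, as an added example (not code from the article or from Coupa): the client keeps a random code_verifier in memory and sends only its S256 challenge; the authorization server binds that challenge to the auth code and, at the token endpoint, checks the verifier instead of a client_secret. The S256 derivation is RFC 7636's definition; the in-memory AuthorizationServer and the client ids are constructed stand-ins.

```python
"""Authorization Code grant with PKCE (RFC 7636), so that a public client
(SPA or mobile app) never needs a client_secret.

Added example, not code from the article or from Coupa. The in-memory
AuthorizationServer below is a constructed stand-in for a real server; only
the S256 challenge derivation is the standard's own definition.
"""
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_pkce_pair():
    """Client side: a high-entropy verifier (43..128 unreserved characters)
    kept in memory, and the challenge that goes into the authorization request."""
    code_verifier = secrets.token_urlsafe(64)  # 86 URL-safe characters
    return code_verifier, s256_challenge(code_verifier)


class AuthorizationServer:
    """Constructed stand-in: stores the challenge with the issued code and
    checks the verifier at the token endpoint instead of a client_secret."""

    def __init__(self):
        self._pending = {}  # auth code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to this client and challenge."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' offers no protection")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: the exchange succeeds only for the client that
        started the flow and only if it can present the matching verifier."""
        entry = self._pending.pop(code, None)  # codes are single use
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id:
            return None
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None  # whoever sent this code does not hold the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def pkce_round_trip(server: AuthorizationServer, client_id: str = "spa-client"):
    """Full flow from the public client's point of view; returns the token
    response, or None if the server rejected the exchange."""
    verifier, challenge = generate_pkce_pair()
    code = server.authorize(client_id, challenge)
    return server.token(client_id, code, verifier)


if __name__ == "__main__":
    print(pkce_round_trip(AuthorizationServer()))
```

Because the verifier never leaves the client's memory and the challenge is a one-way hash of it, an intercepted auth code is useless on its own, which is exactly the property a client_secret was meant to provide for confidential clients.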

 

Vulnerability 4: Pre-account takeover

HackerOne Report:

https://hackerone.com/reports/1074047

A pre-account takeover could occur when the following two conditions are met:

  1. The client application supports more than one authentication method, for example a password login alongside a third-party service (like Facebook or Google) used as an OAuth authentication provider.
  2. Either the client application or the third-party service does not verify the email address during the signup process.

This HackerOne report details how a misconfigured OAuth can lead to pre-account takeover:

  1. Attacker creates an account with a victim’s email address and the attacker’s password before the victim has registered on the client application.
  2. The victim then logs in through a third-party service, like Google or Facebook.
  3. The victim performs some sensitive actions in the client application. The client application will save these actions, and it will probably use the email address as an identifier for its users in the database.
  4. Now, the attacker could log in as the victim and read the sensitive data added by the victim by using the victim’s email address and the attacker’s password created by step 1.
 
Mitigation

Verify the email address when creating a new user, and do not let an account be used or linked until that verification has completed.
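The four-step scenario and its mitigation, as an added example (not code from the article or from Coupa): a constructed in-memory client application with both a password login and an OAuth login. A password signup creates an unverified shell that cannot be logged into, and an OAuth login never attaches to a local account whose email is still unverified, so the attacker's shell from step 1 never becomes the victim's account. The hashing parameters and sample users are constructed.

```python
"""Email verification as the guard against pre-account takeover.

Added example, not code from the article or from Coupa. AccountService is
a constructed in-memory model of a client application that offers both a
password login and a third-party OAuth login; the hashing parameters and
sample users are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    email_verified: bool = False
    salt: bytes = b""
    password_hash: bytes = b""
    linked_providers: set = field(default_factory=set)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountService:
    def __init__(self):
        self._accounts = {}        # email -> Account
        self._pending_tokens = {}  # email -> verification token (would be emailed)

    # Step 1 of the report: anyone can sign up with any email address, so the
    # account starts unverified and is unusable until the mailbox owner confirms.
    def signup_with_password(self, email: str, password: str) -> str:
        if email in self._accounts:
            raise ValueError("email already registered")
        salt = secrets.token_bytes(16)
        self._accounts[email] = Account(email, False, salt, _hash_password(password, salt))
        token = secrets.token_urlsafe(24)
        self._pending_tokens[email] = token
        return token  # returned here only so the demo can play the mailbox owner

    def confirm_email(self, email: str, token: str) -> bool:
        expected = self._pending_tokens.get(email)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self._pending_tokens[email]
        self._accounts[email].email_verified = True
        return True

    def login_with_password(self, email: str, password: str) -> Optional[Account]:
        acct = self._accounts.get(email)
        if acct is None or not acct.email_verified:
            return None  # an unverified shell account cannot be logged into
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            return None
        return acct

    def login_with_oauth(self, provider: str, email: str, email_verified: bool) -> Optional[Account]:
        """Identity asserted by the OAuth provider. Only a provider-verified
        email may create or attach to a local account, and it never attaches
        to a local account whose own verification is still pending."""
        if not email_verified:
            return None
        acct = self._accounts.get(email)
        if acct is None:
            acct = Account(email, email_verified=True)
            self._accounts[email] = acct
        elif not acct.email_verified:
            return None  # refuse to merge into an unverified password account
        acct.linked_providers.add(provider)
        return acct

    def is_linked(self, email: str, provider: str) -> bool:
        acct = self._accounts.get(email)
        return acct is not None and provider in acct.linked_providers
```

Refusing the merge is the conservative choice; a product team may instead let the provider-verified login replace the unverified shell, but the invariant is the same either way: a credential that was never tied to a verified mailbox must never become a way into someone else's data.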

 

Vulnerability 5: OAuth2 access_token is leaked through referrer header

HackerOne Reports:

https://hackerone.com/reports/835437
https://hackerone.com/reports/787160
https://hackerone.com/reports/202781

One weak design of OAuth2 itself is that it passes the access_token in the URL for implicit grant type. Once you put sensitive data in a URI, you risk exposing this data to third-party applications. This applies to OAuth2 implementation as well.

In this HackerOne report about access_token smuggling, for example, the access_token was exposed to a third-party website controlled by the attacker after a chained redirection by taking advantage of the referrer header.

 
Mitigation

As this is a design issue of OAuth2 itself, the easiest mitigation is to strengthen the referrer policy on the pages that receive the token, for example with <meta name="referrer" content="origin" /> (or the equivalent Referrer-Policy response header; a stricter value such as no-referrer suppresses the header entirely). Moving away from the implicit grant, which as noted above is deemed insecure, removes the token from the URL altogether.

 

Vulnerability 6: OAuth2 login bypass due to lack of access_token validation

HackerOne Report:

https://hackerone.com/reports/245408

A lack of access_token validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.

Once the authorization server sends the access_token back to the client application, client applications sometimes need to bind the access_token with a user identity so that it can store it as a session. The exploitation of this vulnerability happens when an attacker binds their access_token with any user identity and then impersonates that user without logging in.

In this HackerOne report, the security researcher was able to log in as any user just by supplying the victim's email address, because the client application did not validate whether the access_token belonged to that user.

 
Mitigation

The client application should validate that the user actually owns the access_token before binding it to that user's session.
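The missing check, as an added example (not code from the article or from Coupa): a login handler that trusts a client-supplied email once the token is merely valid, beside one that derives the identity from the token itself and also confirms the token was issued to this client. PROVIDER_TOKENS is a constructed stand-in for the provider's userinfo or introspection endpoint, and the users, tokens and client_id are constructed.

```python
"""Binding an access_token to the right user on the client application side.

Added example, not code from the article or from Coupa. PROVIDER_TOKENS
is a constructed stand-in for the authorization server's userinfo /
introspection endpoint, and the users, tokens and client_id are constructed.
"""
from typing import Optional

OUR_CLIENT_ID = "client-123"  # constructed: the client_id this app registered

# Constructed provider state: what the provider would reveal about each token.
PROVIDER_TOKENS = {
    "tok-alice":   {"sub": "1001", "email": "alice@example.com",   "aud": "client-123"},
    "tok-mallory": {"sub": "2002", "email": "mallory@example.net", "aud": "client-123"},
    "tok-foreign": {"sub": "1001", "email": "alice@example.com",   "aud": "some-other-app"},
}

# Constructed local user store, keyed two ways.
USERS_BY_EMAIL = {"alice@example.com": "alice", "mallory@example.net": "mallory"}
USERS_BY_SUB = {"1001": "alice", "2002": "mallory"}


def provider_userinfo(access_token: str) -> Optional[dict]:
    """Stand-in for calling the provider's userinfo/introspection endpoint."""
    return PROVIDER_TOKENS.get(access_token)


def vulnerable_login(access_token: str, claimed_email: str) -> Optional[str]:
    """The pattern behind the report: the token is checked for validity, but
    the identity to sign in comes from a client-supplied email field, so any
    valid token plus someone else's email yields someone else's session."""
    if provider_userinfo(access_token) is None:
        return None
    return USERS_BY_EMAIL.get(claimed_email)


def secure_login(access_token: str) -> Optional[str]:
    """Derive the identity from the token itself, and only for tokens the
    provider issued to this client (audience check)."""
    info = provider_userinfo(access_token)
    if info is None:
        return None
    if info.get("aud") != OUR_CLIENT_ID:
        return None  # token substitution: issued to a different client
    return USERS_BY_SUB.get(info["sub"])


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login("tok-mallory", "alice@example.com"))
    print("secure:    ", secure_login("tok-mallory"))
```

The audience check matters for the implicit grant in particular: a token a user obtained for some other application is still a valid token at the provider, so "the provider accepted it" is not the same as "it was meant for us".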

 

Summary

The OAuth2 framework is complicated and offers a lot of implementation flexibility. Because of that flexibility, the security of an OAuth2 implementation is in the hands of the developers. Developers with a strong security mindset can make the implementation more secure; developers with less security training are likely to introduce security holes during OAuth2 implementation. For any organization, it is vital to train and educate developers in the latest security best practices to reduce risk during OAuth2 implementation.

At Coupa, our engineers are committed to following the latest OAuth2 security best practices to make sure our OAuth2 implementation is secure.

