Module 10 — OAuth2 / OIDC Misconfiguration
Icon: Shield | Colour: Orange
Overview
Tests OAuth 2.0 and OpenID Connect implementations for common misconfigurations that can lead to account takeover, token theft, and authorisation bypass. This module maps to SOC 2 Trust Services Criteria CC6.1 (logical access security).
How It Works
1. OIDC Discovery Analysis
Fetches /.well-known/openid-configuration and checks for:
- Weak signing algorithms (e.g. HS256 instead of RS256)
- Implicit or hybrid grants still enabled
- Open or missing registration_endpoint
- Missing PKCE support (code_challenge_methods_supported)
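The discovery checks above, as an added example (not the module's own code), written as a small audit function a defender can run against their own provider's metadata. The discovery document below is constructed for illustration and deliberately exhibits several of the weaknesses; whether an advertised registration_endpoint is actually open cannot be told from the document alone, so the function only flags it for review.

```python
import json

# Constructed sample discovery document (not from any real provider) that
# exhibits several of the weaknesses the discovery check looks for.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/oauth/authorize",
    "token_endpoint": "https://idp.example/oauth/token",
    "registration_endpoint": "https://idp.example/oauth/register",
    "response_types_supported": ["code", "token", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
    # code_challenge_methods_supported intentionally absent
})

# response_type values that select the implicit or hybrid flow (OIDC Core 3.2/3.3).
IMPLICIT_OR_HYBRID = {"token", "id_token", "id_token token",
                      "code id_token", "code token", "code id_token token"}


def audit_discovery(doc_json: str) -> list[str]:
    """Return finding labels for an OIDC discovery document (JSON string)."""
    doc = json.loads(doc_json)
    findings = []
    # 1. Weak ID-token signing algorithms: symmetric HS* or the unsigned 'none'.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    weak = [a for a in algs if a.upper().startswith("HS") or a.lower() == "none"]
    if weak:
        findings.append("weak-signing-alg:" + ",".join(sorted(weak)))
    # 2. Implicit or hybrid grants still enabled.
    grants = IMPLICIT_OR_HYBRID & set(doc.get("response_types_supported", []))
    if grants:
        findings.append("implicit-or-hybrid-grant:" + ",".join(sorted(grants)))
    # 3. Dynamic client registration advertised; confirm it is not open.
    if "registration_endpoint" in doc:
        findings.append("registration-endpoint-advertised")
    # 4. PKCE support: key absent entirely, or S256 not offered.
    methods = doc.get("code_challenge_methods_supported")
    if methods is None:
        findings.append("pkce-support-missing")
    elif "S256" not in methods:
        findings.append("pkce-s256-not-supported")
    return findings


if __name__ == "__main__":
    for finding in audit_discovery(SAMPLE_DISCOVERY):
        print(finding)
```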
2. Redirect URI Validation Bypass (CWE-601)
Tests the authorization endpoint with 20+ payloads designed to bypass redirect_uri validation:
- Open redirects (https://evil.com, //evil.com)
- Subdomain tricks (https://evil.example.com)
- Path traversal (/callback/../../../evil)
- URL-encoded bypasses (%2F%2Fevil.com)
- Null-byte and fragment injection
3. Missing State Parameter — CSRF (CWE-346)
Sends an authorization request without the state parameter and checks whether the server still issues an authorization code, indicating CSRF protection is absent.
4. PKCE Enforcement
Initiates an authorization code flow without a code_challenge to verify the server rejects requests that omit PKCE (RFC 7636).
5. Token Leakage via Referrer Headers
Inspects HTTP responses from the authorization endpoint for the Referrer-Policy header. A missing or permissive policy (e.g. unsafe-url, no-referrer-when-downgrade) may leak tokens to third-party sites through the Referer header.
6. Authorization Code Reuse
If an authorization_code is provided in the scan configuration, the module attempts to exchange it twice. A compliant server must reject the second attempt (RFC 6749 §4.1.2).
Configuration
When you select OAuth2/OIDC as a scan module, an additional configuration panel appears. Click Configure OAuth Parameters to open the settings modal.
| Parameter | Required | Description |
|---|---|---|
| Authorization Endpoint | No | The OAuth authorization URL (e.g. https://example.com/oauth/authorize). Auto-discovered from OIDC if omitted. |
| Token Endpoint | No | The OAuth token URL (e.g. https://example.com/oauth/token). Auto-discovered from OIDC if omitted. |
| Client ID | No | A valid OAuth client ID for your application |
| Client Secret | No | The corresponding client secret (stored ephemerally) |
| Redirect URI | No | A registered redirect URI for the client |
| Scope | No | OAuth scopes to request (e.g. openid profile email) |
| Authorization Code | No | A fresh, unused authorization code for code-reuse testing |
Auto-Discovery
If you omit the authorization and token endpoints, the module attempts to discover them automatically from /.well-known/openid-configuration. Providing them explicitly produces the most thorough results.
Ephemeral Storage
All OAuth parameters are stored temporarily in Redis during the scan and never persisted to the database. They are automatically deleted when the scan completes.
Expected Findings
| Finding | Severity |
|---|---|
| Redirect URI validation bypass (open redirect) | Critical |
| Authorization code reuse accepted | High |
| Missing state parameter accepted (CSRF) | High |
| PKCE not enforced | High |
| Weak signing algorithm in OIDC discovery | Medium |
| Implicit/hybrid grant enabled | Medium |
| Open client registration endpoint | Medium |
| Missing PKCE support in discovery | Medium |
| Missing or permissive Referrer-Policy | Medium |
| Token leakage via referrer | Medium |
Related CWEs
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-346: Origin Validation Error
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-613: Insufficient Session Expiration
- CWE-524: Use of Cache that Contains Sensitive Information
Compliance Mapping
| Framework | Control |
|---|---|
| SOC 2 | CC6.1 — Logical and Physical Access Controls |
| OWASP Top 10 | A07:2021 — Identification and Authentication Failures |
| OWASP API Security | API2:2023 — Broken Authentication |
Best Results
For the most comprehensive test, provide a Client ID, Client Secret, and a fresh Authorization Code. Without these, the module still runs discovery-based and redirect-based tests but cannot verify code reuse or PKCE enforcement end-to-end.