

The Most Common OAuth2 Vulnerability - homakov
http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html

======
cheald
This is important; while it's not really a general vulnerability, you could
run into a lot of trouble if someone's performing a targeted attack. I don't
think I'd ever really read anything in any consumer-facing OAuth2
documentation about the importance of state, and given the breadth of sites
vulnerable to the issue, it seems like a lot of other people don't know about
it either.

Patching this in my Rails apps was easy; it's a trivial solution, but I'm
leaving it here to demonstrate that it's not a hard fix.

When generating the URL to redirect to for authorization:

    # Mint a fresh random value per service and remember it in the session.
    # (ActiveSupport::SecureRandom is the stdlib SecureRandom in this Rails version.)
    session["#{service}_oauth2_state"] = ActiveSupport::SecureRandom.urlsafe_base64(24)

Then, pass state as a param when generating my OAuth authorization URL.

When the authorizing endpoint returns:

    # Reject the callback unless the returned state matches the stored one
    # (and refuse when no state was stored at all).
    session_state = session["#{service}_oauth2_state"]
    if params[:state] != session_state or session_state.blank?
      render :text => "Unable to validate login state." and return
    end

It's worth noting that I did have to update Koala (the Facebook API library
we're using) to get arbitrary parameters passed through to
#url_for_oauth_code. Older versions had a hardcoded list of parameters, which
did not include state.
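
The same per-service state check as a stand-alone Ruby sketch, added here as an example and not code from the thread or from Koala. It goes slightly beyond the snippets above by consuming the stored state on first use and comparing in constant time; the session is a plain Hash standing in for a Rails session, and the service name, client id and URLs are made up.

```ruby
require 'securerandom'
require 'uri'

# Added example: OAuth2 "state" anti-CSRF handling, one value per service.
module OAuth2State
  def self.key(service)
    "#{service}_oauth2_state"
  end

  # Step 1: mint a fresh random state, store it in the session and put it on
  # the authorization URL. 24 random bytes encode to 32 URL-safe characters.
  def self.authorization_url(session, service, base_url, client_id, redirect_uri)
    state = SecureRandom.urlsafe_base64(24)
    session[key(service)] = state
    query = URI.encode_www_form(
      response_type: 'code', client_id: client_id,
      redirect_uri: redirect_uri, state: state
    )
    "#{base_url}?#{query}"
  end

  # Step 2: on the callback, the returned state must equal the stored one.
  # The stored value is deleted first so a state can be used only once, and an
  # empty or missing stored state is rejected rather than matched against "".
  def self.valid_callback?(session, service, params)
    expected = session.delete(key(service))
    given = params[:state] || params['state']
    return false if expected.nil? || expected.empty? || given.nil?
    secure_compare(expected.to_s, given.to_s)
  end

  # Constant-time byte comparison (no early exit on the first differing byte).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```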

~~~
homakov
it's not hard to fix, agreed. at the same time it must be fixed in gems, not
by developers

~~~
peterhellberg
By gem developers that is :)

