pushsecurity / saas-attacks

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown
https://pushsecurity.com/blog/saas-attack-techniques/
Creative Commons Attribution 4.0 International

Add new technique: OAuth token leakage #38

Closed tkal closed 10 months ago

tkal commented 10 months ago

Adding a highly used technique when attacking SaaS applications that implement OAuth.

jukelennings commented 10 months ago

Hi @tkal, thanks so much for the submission!

One thing we have been focusing on is reusable attack techniques over patchable vulnerability descriptions. However, that can be as simple as the name for the technique. I'm thinking perhaps "Hijack OAuth redirect URIs" might be a good substitute for a name in that case, what do you think?

Second question is do you have any current valid examples or well documented historical examples? We don't always have an example for everything but it's great to have them when we can.
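The naming discussion above turns on what the technique actually is: an authorization server that checks `redirect_uri` loosely will happily bounce the authorization code (or token) to a URL the attacker controls. The following is an added example written for this page, not code from the saas-attacks repository or from any of the commenters; the client id, hostnames and registered callback are constructed, and the `authorize` function is a minimal model of the final step of an `/authorize` endpoint, not any real server's implementation. It puts a prefix-matching validator beside an exact-match one and shows what each does with two attacker-supplied redirect URIs.

```python
"""Redirect URI validation: the weak check that enables OAuth redirect
hijacking, beside the strict check that closes it.

All identifiers (client-123, app.example.com, evil.net) are constructed
for this example.
"""
from urllib.parse import urlsplit, urlencode

# Constructed client registration: one client, one exact callback URL.
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def lax_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check seen in many deployments: accept anything that starts with
    the registered client's origin ("any path under our domain is fine").

    A string prefix on "https://app.example.com" also matches
    "https://app.example.com.evil.net/..." and any open redirect living
    under the legitimate host, so the code ends up where the attacker wants it.
    """
    origins = set()
    for reg in REGISTERED_REDIRECTS.get(client_id, ()):
        parts = urlsplit(reg)
        origins.add(f"{parts.scheme}://{parts.netloc}")
    return any(redirect_uri.startswith(origin) for origin in origins)


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered list, which is what
    RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP call for.
    Fragments are refused outright; they never belong in a redirect_uri.
    """
    if "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(validator, client_id: str, redirect_uri: str, code: str):
    """Model of the last step of /authorize after the user consents.

    If the validator accepts redirect_uri, the authorization code is appended
    as a query parameter and the browser is sent there. Returns the value of
    the Location header, or None when the request is rejected.
    """
    if not validator(client_id, redirect_uri):
        return None
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}{urlencode({'code': code})}"


def receiving_host(location: str) -> str:
    """Host that receives the code, i.e. who ends up holding it."""
    return urlsplit(location).netloc


# Constructed attacker inputs.
SUFFIX_HOST = "https://app.example.com.evil.net/oauth/callback"
OPEN_REDIRECT = "https://app.example.com/redirect?next=https://evil.net/"
LEGIT = "https://app.example.com/oauth/callback"


def demo() -> dict:
    """Run both validators over the attacker URIs; returns Location per case."""
    results = {}
    for name, uri in (("suffix", SUFFIX_HOST), ("open_redirect", OPEN_REDIRECT),
                      ("legit", LEGIT)):
        results[f"lax:{name}"] = authorize(lax_redirect_ok, "client-123", uri, "abc123")
        results[f"strict:{name}"] = authorize(strict_redirect_ok, "client-123", uri, "abc123")
    return results


if __name__ == "__main__":
    for case, location in demo().items():
        print(f"{case:22} -> {location}")
```

With the lax validator the first attacker URI yields `Location: https://app.example.com.evil.net/oauth/callback?code=abc123`, so the code is delivered straight to `evil.net`; the second lands on the legitimate host but on an open-redirect endpoint that forwards the browser (and, via the URL and Referer, the code) onward. Exact matching rejects both and still accepts the registered callback. Two caveats a practitioner should keep in mind: exact matching does not help if the registered callback itself hosts an open redirect, and `state`/PKCE limit what an attacker can do with a stolen code but do not stop the leak itself.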

jacques- commented 10 months ago

This is awesome! Agree on the name, perhaps "Hijack OAuth flows" to keep it simple, leakage makes it sound passive.

tkal commented 10 months ago

I agree that "Hijack OAuth flows" seems more appropriate for the name! As for the examples, I can add the below disclosed bug bounty reports and maybe add more references from PortSwigger. What do you think?

jukelennings commented 10 months ago

Yeah, those look like good examples. I think this is one technique where we are unlikely to have a current example we can show a walkthrough for, so good historical examples like that are the next best thing.