vk oauth audit

Really, not a single mention of 'state' in the docs:

http://vk.com/developers.php?oid=-1&p=%D0%90%D0%B2%D1%82%D0%BE%D1%80%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F_%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2
http://vk.com/developers.php?oid=-1&p=%D0%94%D0%B8%D0%B0%D0%BB%D0%BE%D0%B3_%D0%B0%D0%B2%D1%82%D0%BE%D1%80%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B8_OAuth

The attack described at http://homakov.blogspot.cz/2012/07/saferweb-most-common-oauth2.html is possible.

redirect_uri should be required when obtaining the access_token. The VK docs say only:

To obtain an access_token, a request must be made from your server to the URL https://oauth.vk.com/access_token, passing the code parameter and the application's secret data: client_id and client_secret. The application's secret key client_secret can be obtained in the application editing section and must never be included in the client-side application code. A detailed list of parameters can be found on the page describing how to obtain an access_token.

The 'code' leaks: when a path such as sitedomain.com/REFERER_LEAK is sent as redirect_uri, the attacker obtains the code and can easily use it. RFC 6749 is explicit on this:

   In order to prevent such an attack, the authorization server MUST
   ensure that the redirection URI used to obtain the authorization code
   is identical to the redirection URI provided when exchanging the
   authorization code for an access token.  The authorization server
   MUST require public clients and SHOULD require confidential clients
   to register their redirection URIs.  If a redirection URI is provided
   in the request, the authorization server MUST validate it against the
   registered value.

The callback parameter must be strictly sanitized:

https://api.vk.com/method/getProfiles?uid=66748&access_token=533bacf01e11f55b536a565b57531ac114461ae8736d6506a3&callback=alert(document.cookie)

This is a common mistake in response_type=token applications: they don't sanitize document.hash and pass it straight into a <script src>, so XSS is possible.
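Added here as an illustration (not VK's code or the gist author's): a minimal model of the server-side checks the RFC excerpt above and the callback note call for. Client ids, secrets and URIs are constructed placeholders; exact-matching redirect_uri at authorization already rejects a REFERER_LEAK-style path, binding the code to that URI at exchange time is the second layer the RFC requires, and safe_callback shows the kind of whitelist a JSONP callback parameter needs.

```python
import hmac
import re
import secrets

# Constructed example registry: client_id -> (client_secret, registered redirect_uri).
# Hypothetical values, not VK's.
CLIENTS = {"app123": ("s3cret", "https://sitedomain.example/oauth/callback")}

# Codes handed out by the authorization endpoint, each bound to the client
# and the exact redirect_uri it was issued for (expiry omitted for brevity).
ISSUED_CODES = {}


def authorize(client_id, redirect_uri):
    """Authorization endpoint. Returns an OAuth-style response dict."""
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    if redirect_uri != client[1]:  # exact match against the registered value
        return {"error": "invalid_request"}
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (client_id, redirect_uri)
    return {"code": code}


def exchange(code, client_id, client_secret, redirect_uri):
    """Token endpoint: needs the client secret, an unused code, and the
    same redirect_uri the code was issued for."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client[0], client_secret):
        return {"error": "invalid_client"}
    issued = ISSUED_CODES.pop(code, None)  # codes are single-use
    if issued is None or issued != (client_id, redirect_uri):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_hex(20)}


# JSONP callback: accept only a dotted JS identifier path such as
# "onToken" or "app.onToken", never arbitrary code.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def safe_callback(name):
    """True only if the callback name is a plain identifier path."""
    return CALLBACK_RE.fullmatch(name) is not None
```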
