OAuth Flow Manipulation
OAuth Flow Manipulation occurs when attackers exploit weaknesses in how OAuth 2.0 authorization flows (and the OpenID Connect logins built on them) are implemented in order to gain unauthorized access to systems. During the Gain Access phase, attackers target vulnerabilities in OAuth flows by intercepting authorization codes, manipulating redirect URIs, substituting tokens, or exploiting missing or improper validation of the state parameter. By interfering with the handshake between the client application, the authorization server, and the resource server, attackers can bypass authentication controls, obtain valid access tokens, and ultimately act under a legitimate user's identity. Common attack vectors include open redirectors on the client or authorization server, insufficient verification of the client and its registered redirect_uri, leakage of codes or tokens through Referer headers, and cross-site request forgery against authorization and callback endpoints. This sub-technique is particularly dangerous because it abuses a trusted authentication framework: the resulting token exchange looks like a normal login, so it may leave minimal evidence of compromise in security logs.
Mitigations
| ID | Mitigation | Description |
| --- | --- | --- |
| M1032 | Multi-Factor Authentication | Require MFA at the authorization server and bind the code exchange with Proof Key for Code Exchange (PKCE) or sender-constrained tokens (DPoP or mTLS), so possession of a stolen authorization code or token alone is insufficient. |
| M1054 | Software Configuration | Enforce exact-match redirect_uri allowlists (no wildcards or prefix matching), verify the state and nonce parameters server-side, and issue short-lived, single-use authorization codes. |
| M1049 | Audit | Continuously audit OAuth client registrations for open redirects, wildcard or overly broad redirect URIs, and clients that do not require PKCE. |
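The three mitigations above come down to a handful of server-side checks: an exact-match redirect_uri allowlist, PKCE (RFC 7636) on the code exchange, single-use codes, and a session-bound state value on the client. The following is an added example, not code from the original page or from any particular OAuth product, showing both halves of the flow with those checks in place. The client registry, client ID and redirect URI are constructed for the example; the scenario runner drives one legitimate flow and four of the manipulation attempts the page describes (open redirect, stolen code without the PKCE verifier, injected code with the wrong state, code replay).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registry (an assumption for this example): exact redirect URIs only,
# no wildcards and no prefix matching.
CLIENT_REGISTRY = {"web-app": {"redirect_uris": {"https://app.example.com/oauth/callback"}}}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string match against the registered set; reject non-https URIs and fragments."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge) as in RFC 7636."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Authorization and token endpoints with the server-side checks the table calls for."""

    def __init__(self):
        self._codes = {}  # code -> issuance record; every code is single-use

    def authorize(self, client_id, redirect_uri, code_challenge, method):
        if not redirect_uri_allowed(client_id, redirect_uri):
            raise PermissionError("redirect_uri mismatch")
        if method != "S256" or not code_challenge:
            raise PermissionError("PKCE S256 required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": code_challenge, "used": False}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        rec = self._codes.get(code)
        if rec is None or rec["used"]:
            raise PermissionError("invalid_grant: unknown or replayed code")
        # The code must come back from the same client and redirect_uri it was issued for.
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: client/redirect_uri binding mismatch")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, rec["challenge"]):
            raise PermissionError("invalid_grant: PKCE verifier mismatch")
        rec["used"] = True  # burn the code on first successful exchange
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class ClientSession:
    """Client side: state and the PKCE verifier live in the user's session, never in the URL."""

    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.state = self.verifier = self.challenge = None

    def begin(self):
        self.state = secrets.token_urlsafe(16)
        self.verifier, self.challenge = make_pkce_pair()
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": self.state,
                "code_challenge": self.challenge, "code_challenge_method": "S256"}

    def callback(self, server, code, state):
        # Constant-time compare of the returned state against the session copy.
        if self.state is None or not hmac.compare_digest(state, self.state):
            raise PermissionError("state mismatch (CSRF or injected code)")
        self.state = None  # state is single-use as well
        return server.token(self.client_id, code, self.redirect_uri, self.verifier)


def run_scenarios():
    """Drive one legitimate flow plus four manipulation attempts; returns the outcome of each."""
    srv = AuthorizationServer()
    victim = ClientSession("web-app", "https://app.example.com/oauth/callback")
    req = victim.begin()
    code = srv.authorize(req["client_id"], req["redirect_uri"], req["code_challenge"], "S256")
    results = {}

    def attempt(name, fn):
        try:
            fn()
            results[name] = "allowed"
        except PermissionError:
            results[name] = "blocked"

    attempt("open_redirect", lambda: srv.authorize("web-app", "https://evil.example.net/cb", req["code_challenge"], "S256"))
    attempt("stolen_code_no_verifier", lambda: srv.token("web-app", code, req["redirect_uri"], "guess"))
    attempt("csrf_wrong_state", lambda: victim.callback(srv, code, "attacker-chosen-state"))
    attempt("legitimate", lambda: victim.callback(srv, code, req["state"]))
    attempt("code_replay", lambda: srv.token("web-app", code, req["redirect_uri"], victim.verifier))
    return results
```

Only the legitimate callback is allowed; every other attempt is refused before a token is minted. A production server should additionally revoke any tokens already issued for a code that is presented a second time, as RFC 6749 recommends, and log the refusal, which is what the detections in the next section key on.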
Detection
| ID | Data Source | Detection |
| --- | --- | --- |
| DS0015 | Application Log | Alert on redirect_uri mismatches at the authorization endpoint, on the same authorization code presented to the token endpoint more than once or with differing state values, and on a token-exchange failure rate for a client that is well above its baseline. |
| DS0029 | Network Traffic Content | Inspect HTTP traffic to authorization endpoints for open-redirect patterns and for codes or tokens sent to domains that are not registered for the client, correlated with rapid token replay. |
| DS0002 | User Account Authentication | Detect unusual OAuth logins where the same user ID authenticates from distinct IPs within seconds, a sign that an intercepted code was exchanged by a second party. |
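The three detections above can be implemented as simple correlations over authorization-server events. The following is an added example, not the page's or any vendor's detection content, run over a small constructed log whose format (ISO timestamp, event name, then key=value pairs) is an assumption for the example; the registered redirect URI and the thresholds are likewise constructed. It flags redirect_uri mismatches, an authorization code reused with varying state, a high token-exchange failure rate per client, and the same user logging in from two IPs within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption for this example, not a real product's format).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z authorize client_id=web-app user=alice ip=203.0.113.5 redirect_uri=https://app.example.com/oauth/callback state=s1 result=ok
2024-05-01T10:00:01Z authorize client_id=web-app user=bob ip=198.51.100.7 redirect_uri=https://evil.example.net/cb state=s2 result=redirect_uri_mismatch
2024-05-01T10:00:02Z token client_id=web-app user=alice ip=203.0.113.5 code=C1 state=s1 result=ok
2024-05-01T10:00:03Z token client_id=web-app user=alice ip=192.0.2.44 code=C1 state=s9 result=invalid_grant
2024-05-01T10:00:04Z token client_id=web-app user=alice ip=192.0.2.44 code=C1 state=s10 result=invalid_grant
2024-05-01T10:00:10Z login user=alice ip=203.0.113.5 result=ok
2024-05-01T10:00:12Z login user=alice ip=192.0.2.44 result=ok
2024-05-01T10:30:00Z login user=carol ip=203.0.113.9 result=ok
2024-05-01T11:30:00Z login user=carol ip=203.0.113.10 result=ok
"""

# Constructed client registry used to cross-check redirect_uri values independently of the server's verdict.
REGISTERED = {"web-app": {"https://app.example.com/oauth/callback"}}


def parse_log(text):
    """Turn each line into a dict with a timezone-aware 'ts' and the event name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fields["event"] = event
        events.append(fields)
    return events


def redirect_mismatches(events):
    """Authorization requests whose redirect_uri is unregistered or that the server itself refused."""
    hits = []
    for e in events:
        if e["event"] != "authorize":
            continue
        if e["redirect_uri"] not in REGISTERED.get(e["client_id"], set()) or e["result"] == "redirect_uri_mismatch":
            hits.append((e["user"], e["redirect_uri"]))
    return hits


def code_replays(events):
    """Authorization codes presented to the token endpoint with more than one distinct state."""
    states = defaultdict(set)
    for e in events:
        if e["event"] == "token":
            states[e["code"]].add(e["state"])
    return {code: sorted(s) for code, s in states.items() if len(s) > 1}


def token_failure_rate(events, threshold=0.5):
    """Clients whose share of failed token exchanges meets the threshold (tune against a baseline)."""
    counts = defaultdict(lambda: [0, 0])  # client_id -> [total, failed]
    for e in events:
        if e["event"] == "token":
            counts[e["client_id"]][0] += 1
            if e["result"] != "ok":
                counts[e["client_id"]][1] += 1
    return {c: f / t for c, (t, f) in counts.items() if t and f / t >= threshold}


def split_ip_logins(events, window=timedelta(seconds=30)):
    """Successful logins by the same user from a different IP within `window` of the previous one."""
    last = {}
    hits = []
    logins = sorted((e for e in events if e["event"] == "login" and e["result"] == "ok"), key=lambda e: e["ts"])
    for e in logins:
        prev = last.get(e["user"])
        if prev and prev["ip"] != e["ip"] and e["ts"] - prev["ts"] <= window:
            hits.append((e["user"], prev["ip"], e["ip"], int((e["ts"] - prev["ts"]).total_seconds())))
        last[e["user"]] = e
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for name, fn in [("redirect_mismatch", redirect_mismatches), ("code_replay", code_replays),
                     ("token_failure_rate", token_failure_rate), ("split_ip_login", split_ip_logins)]:
        print(name, fn(evts))
```

On the sample, alice's code C1 is exchanged once legitimately and then replayed twice from a second IP with different state values, and the same second IP logs in as alice two seconds after her real login; together those are the signature of an intercepted code. The failure-rate rule is deliberately crude and should be computed against a per-client baseline rather than a fixed ratio in production.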