security auth_error ai_generated true

OAuth2 state parameter reuse allows CSRF via replay attack

ID: security/oauth2-state-parameter-replay-attack

Also available as: JSON · Markdown · 中文
88%Fix Rate
83%Confidence
1Evidence
2024-01-15First Seen

Version Compatibility

VersionStatusIntroducedDeprecatedNotes
OAuth2 2.0 active
Spring Security OAuth2 5.8.0 active
Passport.js 0.7.0 active

Root Cause

When the OAuth2 state parameter is not bound to a specific user session or is reused across multiple authorization requests, an attacker can replay a captured authorization response to bind a victim's account to the attacker's session.

generic

中文

当OAuth2 state参数未绑定到特定用户会话或跨多个授权请求重用时,攻击者可以重放捕获的授权响应,将受害者的账户绑定到攻击者的会话。

Official Documentation

https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

Workarounds

  1. 98% success Generate a cryptographically random state value per authorization request, store it in the user session, and validate it on callback. Example in Node.js: const state = crypto.randomBytes(16).toString('hex'); req.session.oauthState = state; res.redirect(`https://provider/authorize?response_type=code&client_id=...&state=${state}`); 
    Generate a cryptographically random state value per authorization request, store it in the user session, and validate it on callback. Example in Node.js: const state = crypto.randomBytes(16).toString('hex'); req.session.oauthState = state; res.redirect(`https://provider/authorize?response_type=code&client_id=...&state=${state}`);
  2. 85% success Use a nonce-like mechanism where state includes a timestamp and user ID, signed with a server secret, to prevent replay. 
    Use a nonce-like mechanism where state includes a timestamp and user ID, signed with a server secret, to prevent replay.

中文步骤

  1. 每次授权请求生成加密随机的state参数,存储在用户会话中,并在回调时验证。Node.js示例:const state = crypto.randomBytes(16).toString('hex'); req.session.oauthState = state; res.redirect(`https://provider/authorize?response_type=code&client_id=...&state=${state}`);
  2. 使用类似nonce的机制,state包含时间戳和用户ID,并用服务器密钥签名,以防止重放。

Dead Ends

Common approaches that don't work:

  1. Using a static state value for all users 100% fail

    A static state is predictable and can be easily forged by an attacker; it doesn't provide CSRF protection.

  2. Generating state but not storing it in the session 95% fail

    Without session binding, the state cannot be verified on callback; any state value is accepted, enabling replay.