Technique entry
W-OAUTH-MISCONFIG · Credential Access
OAuth — redirect_uri Misconfig
Server accepts a wildcard, partial-match, or open redirect_uri — the authorization code can be stolen from the callback.
§ Where this technique fits
W-OAUTH-MISCONFIG is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3.5 on average.
§ Dossiers chaining this technique
- step 2 / 8 · OAuth redirect_uri misconfig → account takeover
  Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). The authorization code is stolen by redirecting it through an attacker host.
- step 5 / 6 · iOS URL scheme hijack → OAuth code theft
  Multiple apps register the same custom URL scheme: a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.
§ What commonly comes next
- 01 · Use Alternate Authentication Material (seen 2×) · T1550 · Lateral Movement
- 02 · Open Redirect (seen 1×) · W-OPEN-REDIRECT · Initial Access
- 03 · Phishing (seen 1×) · T1566 · Initial Access