OAuth redirect_uri misconfig → account takeover
Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). Steal the authorization code by redirecting it through an attacker host.
§ Context
Assumed environment: OAuth provider (often the target's own SSO) accepts redirect_uri patterns that resolve to attacker-controlled hosts — either wildcards, missing path validation, or a chained open redirect on a whitelisted host.
§ Steps
- 01 Account takeover (Initial Access, T1078 — Valid Accounts)
- 02 Send victim the malicious authorize link (Initial Access, T1566 — Phishing)
- 03 Exchange code for access token (Lateral Movement, T1550 — Use Alternate Authentication Material)
- 04 Find an open redirect on a whitelisted host (Initial Access, W-OPEN-REDIRECT — Open Redirect)
- 05 Map OAuth provider & client configs (Reconnaissance, W-RECON-API-DISCO — API Endpoint Discovery)
- 06 Capture authorization code (Credential Access, W-OAUTH-MISCONFIG — OAuth — redirect_uri Misconfig)
- 07 Chain redirect to attacker host (Credential Access, W-OAUTH-MISCONFIG — OAuth — redirect_uri Misconfig)
- 08 Probe redirect_uri validation (Credential Access, W-OAUTH-MISCONFIG — OAuth — redirect_uri Misconfig)
  Try suffix/subdomain attacks, %2f, @-tricks.
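The validation flaw behind step 08, shown from the provider's side as an added example (not code from this dossier): a loose prefix check beside a strict exact-match check, both run over constructed probe values of the kinds listed above. The client registration, host names and function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample client registration (not from any real provider):
# one client, one exact callback URI registered at onboarding time.
REGISTERED = {
    "client-app": {"https://app.example.com/oauth/callback"},
}

# Constructed probe values: the registered URI, a suffix/lookalike subdomain,
# an @ userinfo trick, an encoded slash before the @, a different path on the
# legitimate host, and a trailing fragment (forbidden by RFC 6749).
PROBES = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com.evil.test/oauth/callback",
    "https://app.example.com@evil.test/oauth/callback",
    "https://app.example.com%2f@evil.test/",
    "https://app.example.com/open-redirect?next=https://evil.test/",
    "https://app.example.com/oauth/callback#",
]

def loose_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """The misconfiguration: accept any URI whose text starts with the registered origin."""
    for allowed in REGISTERED.get(client_id, ()):
        parts = urlsplit(allowed)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.netloc}"):
            return True
    return False

def strict_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: exact string match against a registered URI (RFC 6749 s.3.1.2.2),
    plus sanity checks so a sloppy registration cannot reintroduce the problem."""
    if redirect_uri not in REGISTERED.get(client_id, ()):
        return False
    parts = urlsplit(redirect_uri)
    return (parts.scheme == "https"
            and "@" not in parts.netloc      # no userinfo component in the authority
            and "%" not in parts.netloc      # no percent-encoded bytes in the authority
            and parts.fragment == "")        # RFC 6749 s.3.1.2: no fragment component

def compare(client_id: str = "client-app") -> dict[str, tuple[bool, bool]]:
    """Run both checks over PROBES: {uri: (loose_result, strict_result)}."""
    return {u: (loose_is_allowed(client_id, u), strict_is_allowed(client_id, u))
            for u in PROBES}

if __name__ == "__main__":
    for uri, (loose, strict) in compare().items():
        print(f"loose={str(loose):5} strict={str(strict):5} {uri}")
```

The loose check accepts every probe; the strict check accepts only the registered value, which is what the Security BCP requires and what telemetry should flag when an authorize request's redirect_uri fails it.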
§ References
- T1078: Valid Accounts
- T1566: Phishing
- T1550: Use Alternate Authentication Material
§ Frequently asked
- What is the "OAuth redirect_uri misconfig → account takeover" attack path?
- Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). Steal the authorization code by redirecting it through an attacker host. It chains 8 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Account takeover (T1078) — an initial access primitive. Assumed environment: OAuth provider (often the target's own SSO) accepts redirect_uri patterns that resolve to attacker-controlled hosts — either wildcards, missing path validation, or a chained open redirect on a whitelisted host.
- What is the final impact of this kill-chain?
- The final step lands on Probe redirect_uri validation (W-OAUTH-MISCONFIG), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- iOS URL scheme hijack → OAuth code theft (3 shared techniques)
  Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.
- FIDO2 caBLE hybrid → phone authenticator hijack (2 shared techniques)
  Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- SAML signature wrapping (XSW) → impersonate admin (2 shared techniques)
  Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- Open MQTT broker → smart-estate takeover (2 shared techniques)
  Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats.
- Deeplink abuse → in-app account takeover (2 shared techniques)
  Exported activity registers a custom URL scheme that triggers an OAuth-style 'confirm reset' action without validating the source — phishing URL clicks reset another user's password.
- Browser-in-the-Browser → credential theft on a trusted page (2 shared techniques)
  Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.