The OAuth2 Predictable State weakness occurs when the `state` parameter that a client relies on for CSRF protection can be guessed or predicted by an attacker. Because the client accepts a callback only when its `state` matches the value the client issued for that user's session, a predictable value defeats the purpose of the parameter and enables OAuth CSRF attacks.
// BAD: Sequential or time-based
// A counter or clock value is enumerable: anyone who observes (or estimates)
// one value can derive the neighbouring ones.
state = "state_" + counter++
state = Date.now().toString()
// BAD: User ID or session based without randomness
// Derived deterministically from an identifier the attacker may know or guess;
// hashing a low-entropy input does not make it secret. Putting the raw session
// id in a URL also exposes it in logs and Referer headers.
state = md5(user_id)
state = session_id
// BAD: Weak random
// Math.random() is not a cryptographically secure PRNG: the problem is not only
// the limited output width but that its output is not designed to be unpredictable.
state = Math.random().toString() // Only 52 bits of entropy
// BAD: Fixed or hardcoded
// A constant is known to every attacker, so it provides no CSRF protection at all.
state = "csrf_token"
// If state = timestamp:
// 1. Attacker initiates OAuth at time T
// 2. Attacker predicts state values around time T
// 3. Attacker prepares callbacks with predicted states
// 4. When the victim follows the link, one of the prepared states matches and the callback is accepted
// If state = md5(user_id):
// 1. Attacker knows or guesses victim's user_id
// 2. Attacker computes expected state
// 3. Attacker crafts valid callback URL
// GOOD: Cryptographically random
import secrets

# 32 bytes from the CSPRNG-backed secrets module, URL-safe base64 encoded
# (43 characters, no padding), so the value can go straight into the query string.
state = secrets.token_urlsafe(nbytes=32)  # Python
// GOOD: Using crypto library
// randomBytes yields cryptographically strong random data; 32 bytes gives
// 256 bits of entropy. base64url keeps the value safe in a query string
// without further escaping.
// NOTE(review): randomness alone is not the check — the generated state must
// still be stored server-side (bound to the user's session) and compared on
// the callback; that part is not shown here.
const crypto = require('crypto')
state = crypto.randomBytes(32).toString('base64url') // Node.js
// GOOD: Framework-provided CSRF tokens
# Reusing the framework's CSRF token generator typically means the state also
# shares the framework's session binding and verification logic instead of a
# parallel, hand-rolled scheme.
# NOTE(review): `csrf` is a placeholder, not an API defined on this page — confirm
# the concrete generator and that its tokens are cryptographically random.
state = csrf.generate_token() # Often framework-provided