OAuth2 State Fixation

OAuth2 State Fixation is an attack where the attacker forces a victim to complete an OAuth flow using a pre-set state value that the attacker already knows. This lets the attacker link their own OAuth account to the victim's session, or bypass the CSRF protection that the state parameter is meant to provide.

How It Works

  1. Attacker initiates OAuth flow on the vulnerable app
  2. Attacker captures the generated state value
  3. Attacker tricks victim into using this state
  4. Victim completes OAuth with attacker's account
  5. Victim's session now linked to attacker's OAuth account

Attack Scenario

// 1. Attacker visits vulnerable app, gets state
GET /login/oauth?provider=github
// App generates: state=ATTACKER_KNOWN_STATE

// 2. Attacker creates malicious link for victim
https://victim-app.com/oauth/callback?
  code=ATTACKER_AUTH_CODE&
  state=ATTACKER_KNOWN_STATE

// 3. If app doesn't properly bind state to session,
//    victim's account gets linked to attacker's GitHub

Why This Works

  • State not cryptographically bound to session
  • State value validated, but not checked against the session that started the flow
  • State stored in predictable location (cookie without proper flags)

Prevention

  • Bind state to session cryptographically (HMAC with session secret)
  • Use HttpOnly, Secure, SameSite cookies for state storage
  • Validate state AND session binding together
  • Generate new state for each authorization request
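The prevention steps above, worked through as an added example (not code from the original page or from PentesterLab): the state is a random nonce plus an HMAC over the session id, so a state minted in the attacker's session fails verification when it arrives in the victim's session, and each state is accepted once. The server secret, the in-memory nonce store and the session ids are constructed placeholders.

```python
import hmac
import hashlib
import secrets

# Constructed for this example: a server-side key and a per-session store of
# unconsumed nonces (in a real app this would live in the server-side session).
SERVER_SECRET = b"constructed-server-secret-rotate-me"
ISSUED_STATES: dict[str, set[str]] = {}  # session_id -> nonces not yet consumed

def _mac(session_id: str, nonce: str) -> str:
    # Tag binds the nonce to one specific session; nobody without the key can forge it.
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_state(session_id: str) -> str:
    """Mint a fresh state for THIS session, formatted as <nonce>.<hmac>."""
    nonce = secrets.token_urlsafe(24)
    ISSUED_STATES.setdefault(session_id, set()).add(nonce)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_state(session_id: str, state: str) -> bool:
    """Accept the callback state only if it was minted for the CURRENT session and is unused."""
    try:
        nonce, tag = state.split(".", 1)
    except ValueError:
        return False                       # malformed
    if not hmac.compare_digest(tag, _mac(session_id, nonce)):
        return False                       # forged, or minted for a different session (fixation)
    pending = ISSUED_STATES.get(session_id, set())
    if nonce not in pending:
        return False                       # never issued to this session, or already consumed
    pending.discard(nonce)                 # single use: a replayed state is rejected
    return True

def demo() -> dict:
    """Attacker mints a state in their own session and presents it in the victim's session."""
    attacker_sid, victim_sid = "sess-attacker", "sess-victim"
    attacker_state = issue_state(attacker_sid)
    return {
        "fixation_rejected": not verify_state(victim_sid, attacker_state),
        "owner_accepted": verify_state(attacker_sid, attacker_state),
        "replay_rejected": not verify_state(attacker_sid, attacker_state),
    }

if __name__ == "__main__":
    print(demo())
```

The session cookie carrying the session id must itself be set with HttpOnly, Secure and SameSite, otherwise the binding checks an attacker-controlled value.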

PentesterLab Exercises