Severity: high | CWE-352 | OWASP A07:2021

OAuth State Parameter Missing

OAuth authorization flow implemented without a random `state` parameter, allowing CSRF attacks that link a victim's account to the attacker's OAuth identity.

How It Works

The OAuth `state` parameter is a random value you generate, include in the authorization URL, and verify when the callback returns. Without it, an attacker can initiate an OAuth flow, get the callback URL (before completing login), and send it to a victim. The victim clicks it, completes OAuth, and their account is now linked to the attacker's social identity.

Vulnerable Code

// BAD: OAuth redirect without state.
// CLIENT_ID is the app's OAuth client id, configured elsewhere in the app.
// Nothing ties the resulting authorization to this browser session, so the
// callback URL can be completed by whoever receives it.
export async function GET() {
  const authUrl = `https://github.com/login/oauth/authorize?client_id=${CLIENT_ID}&scope=user`;
  return Response.redirect(authUrl);
}
Secure Code

// GOOD: generate and verify state parameter.
// CLIENT_ID is the app's OAuth client id; getSession() is the app's
// server-side session helper. The callback handler must compare the
// `state` query parameter against session.oauthState before accepting the code.
export async function GET() {
  const state = crypto.randomUUID();
  // Store state in session to verify later
  const session = await getSession();
  session.oauthState = state;
  await session.save();
  const authUrl = `https://github.com/login/oauth/authorize?client_id=${CLIENT_ID}&state=${encodeURIComponent(state)}&scope=user`;
  return Response.redirect(authUrl);
}

Real-World Example

Third-party apps integrating Facebook, Twitter, and GitHub OAuth have all had missing-`state` vulnerabilities reported. Successful exploitation means an attacker can link their own GitHub account to a victim's app account and then log in as the victim through that link.

How to Prevent It

  • Always generate a cryptographically random state parameter (use crypto.randomUUID() or nanoid)
  • Store the state in the user's session before redirecting to the OAuth provider
  • On callback, verify the returned state matches the stored state exactly
  • Use an OAuth library (next-auth, passport.js) that handles state management for you

Affected Technologies

Node.js, Next.js, Python

Data Hogo detects this vulnerability automatically.
