Covert Redirect Vulnerability

Overview [1] [2]#

Covert Redirect Vulnerability is a vulnerability that rests on the premise that "The fragment is not passed to the server as part of the URI so the server could not include it in a redirect."

However, some browsers (user agents) have changed their behavior so that, when following an HTTP 302 redirect whose Location header field does not itself contain a URI fragment identifier, they append the fragment identifier of the current URI to the new URI.

OAuth 2.0 and OpenID Connect#

Covert Redirect Vulnerability describes a process in which an attacker intercepts a request from an OAuth Client to an OAuth 2.0 Authorization Server and alters the "redirect_uri" URI query parameter in that request, with the intention of causing the Authorization Server to send the resulting OAuth Response to a location of the attacker's choosing rather than to the originally requesting OAuth Client, thus exposing any returned secrets to the attacker. Section 4.2.4 of the OAuth 2.0 Threat Model and Security Considerations provides advice.
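The following is an added example, not code from the original page or from any OAuth implementation. It models the two mechanisms described above, browser fragment preservation on a 302 and the redirect_uri check at the authorization endpoint, and traces where an implicit-flow token ends up under a lax (scheme and host only) check versus the exact-match check that RFC 6819 section 4.2.4 recommends. The hostnames client.example, as.example and attacker.example, the client id, the token value and the "next" parameter of the client's redirector are all constructed sample values.

```python
"""
Added example: fragment preservation on HTTP 302 plus redirect_uri
validation at an OAuth 2.0 authorization endpoint (lax vs. exact match).
All hosts, ids and token values below are constructed for illustration.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit


def follow_302(current_url: str, location: str) -> str:
    """URL a browser lands on after following a 302. If the Location header
    carries no fragment, the fragment of the current URL is appended to it,
    which is the user-agent behaviour the page describes."""
    cur = urlsplit(current_url)
    loc = urlsplit(location)
    if loc.fragment or not cur.fragment:
        return location
    return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, cur.fragment))


# Constructed registration record: the client registered one exact redirect URI.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://client.example/oauth/callback"},
}


def validate_lax(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any redirect_uri whose scheme and host match a
    registered URI. Path and query are ignored, so a URI pointing at an
    open redirector on the client's own host passes."""
    u = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        r = urlsplit(registered)
        if (r.scheme, r.netloc) == (u.scheme, u.netloc):
            return True
    return False


def validate_exact(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: the redirect_uri must be byte-for-byte identical to a
    registered URI (RFC 6819 section 4.2.4 advice)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def authorize(client_id: str, redirect_uri: str,
              validator: Callable[[str, str], bool],
              token: str = "tok_constructed") -> Optional[str]:
    """Simulated implicit-flow authorization endpoint. Returns the Location
    header it would emit (token in the fragment) when redirect_uri passes
    the validator, otherwise None: an invalid redirect_uri must never be
    redirected to at all."""
    if not validator(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


def open_redirector(url: str) -> Optional[str]:
    """Constructed client endpoint that blindly redirects to its 'next'
    query parameter. Returns the Location header it would send."""
    qs = parse_qs(urlsplit(url).query)
    return qs["next"][0] if "next" in qs else None


def token_destination(validator: Callable[[str, str], bool]) -> Optional[str]:
    """Trace the final URL the token reaches when the request's redirect_uri
    points at the client's open redirector. None means the authorization
    server refused to redirect, so nothing leaked."""
    tampered_uri = "https://client.example/oauth/callback?next=https://attacker.example/"
    first_hop = authorize("client-123", tampered_uri, validator)
    if first_hop is None:
        return None
    # The browser reaches the client's redirector with the token in the
    # fragment; the redirector 302s to 'next' and the fragment carries over.
    return follow_302(first_hop, open_redirector(first_hop))


if __name__ == "__main__":
    print("lax  :", token_destination(validate_lax))
    print("exact:", token_destination(validate_exact))
```

The trace shows the two mechanisms combining: the lax validator lets the response go to a URI on the client's host that merely redirects elsewhere, and fragment preservation carries the token through that redirect. Exact matching stops the chain at the authorization server, before any response is issued, which is why the registered redirect URI set should be compared by full string equality rather than by host or prefix.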

More Information#

There might be more information for this subject on one of the following: