Published January 21, 2026 | Version v1
Journal article Open

Analysis of OAuth 2.0 Vulnerabilities Arising from Weak Implementation Choices

Description

Abstract: This project examines authentication and authorization frameworks such as OAuth 2.0 and OpenID Connect by implementing a simplified OAuth 2.0 system. To illustrate possible attacks on such a system, a demonstration project is built around an incorrectly configured OAuth 2.0 authentication flow and an insecure OAuth client. Solutions are presented that both prevent the attacks and protect user data even when an attack succeeds. The demonstration shows that a maliciously injected script can read the user’s access token from the client and send it to the attacker, who can then use the token to access the user’s private data, effectively hijacking the session. This setup demonstrates that, while OAuth 2.0 itself is a secure protocol, its security is undermined by weak implementation choices: in particular, storing tokens in localStorage and allowing XSS in the client can completely defeat OAuth’s protections. The findings emphasize that protocol security does not guarantee overall system security unless secure implementation practices are followed.

Originally published in: International Journal of Innovative Solutions in Engineering (IJISE), Vol. 2, No. 1, 2026. Official URL: https://ijise.ba/article/14/

Files

Vol. 2 No. 1 Article 14.pdf


Additional details

Related works

Is identical to
Journal article: https://ijise.ba/article/14/ (URL)
Is published in
Journal: 3029-3200 (ISSN)
