Yep! This is exactly the kind of thing PKCE prevents! With PKCE,... • Aaron Parecki

51°F

Brandon Trebitowski https://brandontreb.com • Mar 2
Could using PKCE fix this issue?

Yep! This is exactly the kind of thing PKCE prevents! With PKCE, even if the open redirect were in place, the attacker wouldn't have been able to do anything with the stolen authorization code.

Although now I'm thinking this through and if the open redirects are really open enough, you could probably still pull something off even while using PKCE.

Portland, Oregon • 42°F

Thu, Mar 2, 2023 4:03pm -08:00

1 reply
Have you written a response to this? Let me know the URL:
- Brandon Trebitowski brandontreb.com
  
  True, but it would be tricky.
  
  Wouldn’t the attacker have find a way to extract the code_verifier from local storage and pass it along with the hijacked redirect?
  
  They would have to somehow have the ability to write custom js code on the path they are redirecting to. I guess this is possible on sites that don’t sanitize user inputs.
  
  Thu, Mar 2, 2023 4:14pm -08:00

Posted in /replies using monocle.p3k.io