How the state parameter in an OAuth2 request would prevent an attacker from sending malicious requests with OAuth2


I’m confused about how an attacker would be able to send requests on an authenticated OAuth2 application; how would the attacker even send the request in the first place if they don’t have the access key?


2 Answers

Anonymous

The state parameter can contain anything. It’s an opaque blob that can hold any data and mean anything based on what the client and server decide on.

But it’s meant to be used to prevent CSRF, or cross-site request forgery.

The long and short of it is that without CSRF protection, a malicious website could abuse a user’s *ambient authority* in a browser and get the browser to send an OAuth request to the resource server under the authority of the currently authenticated user session.
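To make the answer above concrete, here is an added example (not from the original post or any OAuth library) of how an OAuth2 client binds a random `state` to the user's server-side session before redirecting, and then refuses a callback whose `state` is missing, wrong, or reused. The endpoint, client id and redirect URI are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder settings for the example; not a real provider.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.com/callback"


def start_authorization(session: dict) -> str:
    """Generate an unguessable state, bind it to this user's server-side
    session, and build the authorization URL to redirect the browser to."""
    state = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    session["oauth_state"] = state         # lives in the session, not in a cookie the page can read
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the returned state before trusting the authorization code.
    A forged callback (CSRF) carries a state the victim's session never issued,
    so it is rejected; a state is also consumed on first use to block replay."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    expected = session.pop("oauth_state", None)   # single use
    if expected is None or received is None:
        raise PermissionError("no pending state: flow was not started in this session")
    if not hmac.compare_digest(received, expected):
        raise PermissionError("state mismatch: possible CSRF, code discarded")
    if "code" not in query:
        raise ValueError("authorization server returned no code")
    return query["code"][0]


def callback_is_accepted(session: dict, callback_url: str) -> bool:
    """Convenience predicate: True only if the callback passes state validation."""
    try:
        handle_callback(session, callback_url)
        return True
    except (PermissionError, ValueError):
        return False
```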
