oidc-scenario-based-tester / detection-demo

Demo of detecting implementation-based vulnerabilities using OSBT

detection-demo

Demo Environment

Environment containing a vulnerability mimicking CVE-2021-27582.

Query parameters of /authorize (including redirect_uri) are inherited by /consent. Since /authorize performs redirect_uri validation but /consent does not, the redirect_uri validation can be bypassed, allowing an attacker to steal the user's authorization code.

Environment containing a session poisoning vulnerability (Chapter two: "redirect_uri" Session Poisoning).

A race condition may occur when multiple authentication requests are sent simultaneously. An attacker can use session poisoning to modify the user's session information and redirect the user to an untrusted client's redirect_uri to illegally obtain a token.

Environment containing an LDAP injection vulnerability mimicking CVE-2021-29156.

An LDAP injection vulnerability exists in the WebFinger protocol. An attacker can exploit this vulnerability to steal user information.

Environment containing an XSS flaw in the RP and an authorization code consumption flaw in the IdP.

By chaining these vulnerabilities, an attacker can steal a victim's valid authorization code.

Environment containing an open redirect vulnerability.

Since /authorize does not perform redirect_uri validation, an attacker can steal the user's authorization code by redirecting the user to an attacker-controlled redirect_uri.

Environment containing a CSRF vulnerability.

The RP does not implement CSRF protection, allowing an attacker to tie the victim's session to the attacker's session.

Environment containing an ID spoofing vulnerability.

An attacker can modify the iss or sub of the id_token to impersonate the victim.

Environment containing a Wrong Recipient vulnerability.

An attacker can modify the aud of the id_token to impersonate the victim.

Environment containing an ID Token Replay vulnerability.

An attacker can replay the id_token to impersonate the victim.
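The RP-side claim checks that close the three id_token environments above (ID spoofing via iss/sub, Wrong Recipient via aud, ID Token Replay via nonce), as an added example that is not code from the detection-demo repository. It assumes the JWS signature has already been verified against the honest IdP's keys, and the issuer URL, client_id and nonce values are constructed placeholders.

```javascript
// Added example (not part of detection-demo): validate id_token payload claims
// on the RP after signature verification. Constructed values below.
const EXPECTED_ISSUER = "https://idp.example"; // assumed: the honest IdP's issuer
const CLIENT_ID = "rp-client";                 // assumed: this RP's client_id

// Nonces the RP issued for in-flight logins; each may be consumed exactly once,
// so a replayed id_token fails even if every other claim is intact.
function makeNonceStore() {
  const issued = new Set();
  return {
    issue(nonce) { issued.add(nonce); },
    consume(nonce) { return issued.delete(nonce); }, // false if unknown or already used
  };
}

// Returns { ok, errors }; `now` is Unix seconds (injectable for deterministic tests).
function validateIdTokenClaims(claims, nonceStore, now = Math.floor(Date.now() / 1000)) {
  const errors = [];
  // ID spoofing: iss must be the IdP whose key verified the signature. A forged
  // sub is only dangerous when iss (and the signature) are not pinned like this.
  if (claims.iss !== EXPECTED_ISSUER) errors.push("iss mismatch");
  if (typeof claims.sub !== "string" || claims.sub === "") errors.push("missing sub");
  // Wrong Recipient: aud must name this client; with several audiences, azp must too.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(CLIENT_ID)) errors.push("aud does not contain client_id");
  if (aud.length > 1 && claims.azp !== CLIENT_ID) errors.push("azp required with multiple aud");
  // Lifetime: reject expired tokens and tokens issued in the future (60 s skew).
  if (typeof claims.exp !== "number" || claims.exp <= now) errors.push("expired");
  if (typeof claims.iat !== "number" || claims.iat > now + 60) errors.push("iat in future");
  // ID Token Replay: nonce must be one this RP issued and not yet consumed.
  if (typeof claims.nonce !== "string" || !nonceStore.consume(claims.nonce)) {
    errors.push("unknown or reused nonce");
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample: the same token presented twice; the second is a replay.
const demoStore = makeNonceStore();
demoStore.issue("n-abc");
const sample = { iss: EXPECTED_ISSUER, sub: "alice", aud: CLIENT_ID,
                 iat: 1700000000, exp: 1700000600, nonce: "n-abc" };
console.log(validateIdTokenClaims(sample, demoStore, 1700000100)); // { ok: true, errors: [] }
console.log(validateIdTokenClaims(sample, demoStore, 1700000100)); // replay: nonce already used
```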

Environment containing an IdP Confusion vulnerability.

An attacker can trick the victim into using the attacker's IdP and steal the victim's authorization code issued by the honest IdP.

Environment containing a Malicious Endpoint vulnerability.

An attacker can trick the victim into using the attacker's malicious token endpoint and steal the victim's authorization code.

License: MIT License
