Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V4 - Access Control

OAuth Missing/Broken State Parameter

POC

  • The state parameter, an anti-CSRF token that binds the authorization response to the browser session that started the flow, is missing from the Google OAuth authorization request. Without it the application cannot tell whether the user who arrives at the callback is the one who started the flow, so an attacker can complete the provider step in their own session and force the resulting callback URL (carrying the attacker's authorization code) into the victim's browser, logging the victim into the attacker's account or linking the attacker's Google identity to the victim's account (login CSRF).
  • Intercept the redirect to the provider's authorization endpoint and confirm that the URL carries no state parameter; a state that is static, predictable, reusable, or not checked on the callback is equivalent to a missing one.
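The check and the fix, as an added example that is not part of the Cobalt wiki entry or any application it describes. The endpoint, client ID, redirect URI and the in-memory session dicts are assumed placeholders; the "attacker-code" and "good-code" values are constructed inputs. The vulnerable pair omits state and accepts any code on the callback; the hardened pair generates an unguessable state, stores it in the user's session, and rejects the callback unless the state matches and has not been used before.

```python
"""Added example: OAuth 'state' handling, vulnerable beside hardened (not Cobalt's code)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders, not values taken from the wiki page.
AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"
SCOPE = "openid email"


def has_state_parameter(url: str) -> bool:
    """Triage check from the POC: does the authorization URL carry a non-empty state?"""
    qs = parse_qs(urlparse(url).query)
    return bool(qs.get("state", [""])[0])


def build_authorize_url_vulnerable(session: dict) -> str:
    """Vulnerable: no state, so the callback cannot prove this session started the flow."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": SCOPE}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback_vulnerable(session: dict, callback_url: str) -> str:
    """Vulnerable: uses whatever code arrives on the redirect, from any origin."""
    return parse_qs(urlparse(callback_url).query)["code"][0]


def build_authorize_url(session: dict) -> str:
    """Hardened: random state bound to the session that initiated the flow."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": SCOPE, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Hardened: single-use, constant-time state check before the code is accepted."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # consumed even on failure: one use only
    received = qs.get("state", [None])[0]
    if not expected or not received or not hmac.compare_digest(expected, received):
        raise PermissionError("state missing or mismatched: possible login CSRF")
    return qs["code"][0]


def legitimate_flow(session: dict) -> str:
    """The same session starts and finishes the flow; state matches and is consumed."""
    authz_url = build_authorize_url(session)
    state = parse_qs(urlparse(authz_url).query)["state"][0]
    callback_url = f"{REDIRECT_URI}?{urlencode({'code': 'good-code', 'state': state})}"
    return handle_callback(session, callback_url)


def simulate_login_csrf(vulnerable: bool) -> str:
    """Attacker finishes the provider step in their own session, then forces the
    resulting callback URL (carrying the attacker's code) into the victim's browser.
    Returns the code the victim's session ended up using, or 'rejected'."""
    build = build_authorize_url_vulnerable if vulnerable else build_authorize_url
    handle = handle_callback_vulnerable if vulnerable else handle_callback

    attacker_session: dict = {}
    authz_url = build(attacker_session)
    # Construct the redirect the provider would send back to the attacker.
    provider_qs = parse_qs(urlparse(authz_url).query)
    redirect_params = {"code": "attacker-code"}
    if "state" in provider_qs:
        redirect_params["state"] = provider_qs["state"][0]
    callback_url = f"{REDIRECT_URI}?{urlencode(redirect_params)}"

    victim_session: dict = {}  # the victim never started an OAuth flow
    try:
        return handle(victim_session, callback_url)
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    print("vulnerable flow, victim ends up with:", simulate_login_csrf(vulnerable=True))
    print("hardened flow, victim ends up with:", simulate_login_csrf(vulnerable=False))
```

The attacker's state is echoed back unchanged, so what stops the forged callback in the hardened version is not the presence of the parameter but the comparison against a value stored server-side in the victim's own session; a state that is merely present but not validated, or that is reused across flows, gives no protection.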

Impact

Low

Likelihood

Low