Analysis of OAuth 2.0 Vulnerabilities Arising from Weak Implementation Choices

International Journal of Innovative Solutions in Engineering is published semi-annually.

ISSN: 3029-3200

Leo Petrović*

This article belongs to Vol. 2 No. 1, 2026

L. Petrović, “Analysis of OAuth 2.0 Vulnerabilities Arising from Weak Implementation Choices,” International Journal of Innovative Solutions in Engineering, vol. 2, no. 1, pp. 15–21, Jan. 2026, doi: 10.47960/3029-3200.2026.2.1.15.

pages 15-21

This article is archived in Zenodo

Zenodo Archive DOI: 10.5281/zenodo.18312234

  20. S. Calzavara, R. Focardi, M. Maffei, C. Schneidewind, M. Squarcina, and M. Tempesta, “WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring,” in 27th USENIX Security Symposium (USENIX Security 18), Baltimore, MD: USENIX Association, Aug. 2018, pp. 1493–1510. [Online]. Available: https://www.usenix.org/conference/usenixsecurity18/presentation/calzavara