OAuth Dynamic Client Registration Permissive Redirect URI

Severity: Low | Web App Scanning Plugin ID 114919

Synopsis

OAuth Dynamic Client Registration Permissive Redirect URI

Description

OAuth Dynamic Client Registration requires clients to specify their redirect URIs during the registration process. When the OAuth server accepts permissive redirect URIs, such as ones that allow arbitrary hosts or that use the javascript:// scheme, an attacker could exploit this to perform Open Redirect or Cross-Site Scripting (XSS) attacks. OAuth Dynamic Client Registration is very common in the context of Model Context Protocol (MCP) servers, which allows attackers to target AI developers.

Solution

Restrict the allowed redirect URIs to specific trusted domains, and ensure the registration endpoint rejects arbitrary hosts and any scheme other than https://.
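As an added illustration of the solution above (example code, not part of the Tenable plugin or any OAuth server), a Python validator for the `redirect_uris` field of an RFC 7591 registration request: it accepts only absolute https URIs whose host exactly matches an allowlist, and rejects javascript: URIs, wildcards, embedded userinfo and fragments. The trusted host set and the `client_id` placeholder are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of trusted redirect hosts (assumption for this example).
TRUSTED_REDIRECT_HOSTS = {"app.example.com", "console.example.com"}


def validate_redirect_uri(uri, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Return (ok, reason). Only absolute https URIs with an exact allowlisted host pass."""
    if not isinstance(uri, str) or not uri.strip():
        return False, "empty redirect_uri"
    # Reject whitespace/control characters before parsing: urlsplit silently drops
    # tabs and newlines, which would let "java\tscript:" slip past a scheme check.
    if any(c.isspace() or ord(c) < 0x20 for c in uri):
        return False, "control or whitespace character in redirect_uri"
    parts = urlsplit(uri)
    if parts.scheme != "https":  # urlsplit lowercases the scheme; javascript:// fails here
        return False, "scheme not https: %s" % (parts.scheme or "<none>")
    if parts.hostname is None:
        return False, "missing host"
    if "*" in parts.netloc or parts.username or parts.password:
        # No wildcard hosts, and no "trusted@evil" userinfo tricks in the authority.
        return False, "wildcard or userinfo in authority"
    if parts.hostname not in trusted_hosts:  # hostname is already lowercased
        return False, "host not trusted: %s" % parts.hostname
    if parts.fragment:
        return False, "fragment not allowed in redirect_uri"
    return True, "ok"


def validate_registration(request):
    """Check the redirect_uris of an RFC 7591 registration request (a parsed JSON dict)."""
    uris = request.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        return {"error": "invalid_redirect_uri",
                "error_description": "redirect_uris is required"}
    for uri in uris:
        ok, reason = validate_redirect_uri(uri)
        if not ok:
            return {"error": "invalid_redirect_uri", "error_description": reason}
    # Placeholder registration response; a real server issues a unique client_id.
    return {"client_id": "PLACEHOLDER-CLIENT-ID", "redirect_uris": uris}


if __name__ == "__main__":
    # Constructed sample request mixing a valid URI with a javascript: one.
    print(validate_registration({"redirect_uris": ["https://app.example.com/cb",
                                                   "javascript://alert(1)"]}))
```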

See Also

https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

Plugin Details

Severity: Low

ID: 114919

Type: remote

Published: 7/18/2025

Updated: 7/18/2025

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 20, 200, 601

OWASP: 2010-A10, 2010-A4, 2010-A6, 2013-A10, 2013-A4, 2013-A5, 2017-A5, 2017-A6, 2021-A1, 2021-A3

WASC: Improper Input Handling, Information Leakage, URL Redirector Abuse

CAPEC: 10, 101, 104, 108, 109, 110, 116, 120, 13, 135, 136, 14, 153, 169, 182, 209, 22, 224, 23, 230, 231, 24, 250, 261, 267, 28, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 3, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 31, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 42, 43, 45, 46, 47, 472, 473, 497, 508, 52, 53, 573, 574, 575, 576, 577, 588, 59, 60, 616, 63, 64, 643, 646, 651, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-000460, APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10, sp800_53-SI-15

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-5.1.3, 4.0.2-5.1.5, 4.0.2-8.3.4

PCI-DSS: 3.2-6.5, 3.2-6.5.8