C Sharp Oauth Allow Insecure Http True
Description
Detects when an ASP.NET (OWIN) OAuth authorization server is configured with AllowInsecureHttp set to true, so that its authorization and token endpoints accept requests over plain HTTP. Any bearer token, authorization code, or client credential exchanged over such a connection can be read or replayed by anyone on the network path, which defeats the purpose of the token exchange.
Detection Strategy
• Checks if Microsoft.Owin.Security.OAuth or related packages are imported in the code
• Identifies instances where OAuthAuthorizationServerOptions is being configured
• Examines the configuration for AllowInsecureHttp set to true, whether in the object initializer or by a later property assignment
• Reports a vulnerability when OAuth settings are found that permit non-HTTPS connections
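The following is an added example, not part of the Fluid Attacks rule or its engine, of how the detection strategy above can be implemented as a small source scanner. It keys on the same three signals the rule describes: the Microsoft.Owin.Security.OAuth using directive, a reference to OAuthAuthorizationServerOptions, and AllowInsecureHttp assigned true (both initializer and property-assignment forms). The C# snippets it scans are constructed for this example; commented-out assignments and unrelated classes that happen to use the same property name are deliberately included to show what must not be reported.

```python
import re
from dataclasses import dataclass

# Signal 1: the OWIN OAuth package is in use.
USING_RE = re.compile(r"^\s*using\s+Microsoft\.Owin\.Security\.OAuth\s*;", re.M)
# Signal 2: the authorization server options type is referenced.
OPTIONS_RE = re.compile(r"\bOAuthAuthorizationServerOptions\b")
# Signal 3: insecure HTTP is explicitly allowed. Matches both
# "AllowInsecureHttp = true," (initializer) and "x.AllowInsecureHttp = true;".
INSECURE_RE = re.compile(r"\bAllowInsecureHttp\s*=\s*true\b")


@dataclass(frozen=True)
class Finding:
    line: int
    text: str


def find_insecure_http(source: str) -> list[Finding]:
    """Return one Finding per line that enables AllowInsecureHttp on an
    OWIN OAuth authorization server. An empty list means no finding."""
    if not USING_RE.search(source) or not OPTIONS_RE.search(source):
        return []  # not an OWIN OAuth server: the property name alone is not enough
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing line comments (naive: ignores string literals)
        if INSECURE_RE.search(code):
            findings.append(Finding(lineno, line.strip()))
    return findings


# Constructed sample inputs (not code from any real project).
VULNERABLE_INITIALIZER = """using Microsoft.Owin.Security.OAuth;
using Owin;

public class OAuthConfig
{
    public void ConfigureOAuth(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AllowInsecureHttp = true, // line 11: should be reported
        };
        app.UseOAuthAuthorizationServer(options);
    }
}
"""

VULNERABLE_ASSIGNMENT = """using Microsoft.Owin.Security.OAuth;
using Owin;

public class OAuthConfig
{
    public void ConfigureOAuth(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions();
        // AllowInsecureHttp = true;   commented out: must not be reported
        options.AllowInsecureHttp = true;
        app.UseOAuthAuthorizationServer(options);
    }
}
"""

SECURE = """using Microsoft.Owin.Security.OAuth;
using Owin;

public class OAuthConfig
{
    public void ConfigureOAuth(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AllowInsecureHttp = false
        };
        app.UseOAuthAuthorizationServer(options);
    }
}
"""

UNRELATED = """public class Flags
{
    public bool AllowInsecureHttp = true; // same name, but not OWIN OAuth
}
"""

if __name__ == "__main__":
    for name, src in [("initializer", VULNERABLE_INITIALIZER),
                      ("assignment", VULNERABLE_ASSIGNMENT),
                      ("secure", SECURE), ("unrelated", UNRELATED)]:
        for f in find_insecure_http(src):
            print(f"{name}:{f.line}: {f.text}")
```

The using-directive check keeps the scanner from firing on an unrelated class that reuses the property name, but it also means a file that refers to the type by its fully qualified name will be missed; a production rule should resolve types rather than match text. Note also that AllowInsecureHttp defaults to false, so a configuration that never mentions it is already secure and correctly produces no finding.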
Vulnerable code example
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;
public class OAuthConfig
{
    public void ConfigureOAuth(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            AllowInsecureHttp = true // token endpoint answers over plain HTTP: credentials and tokens can be intercepted
        };
        app.UseOAuthAuthorizationServer(options);
    }
}
Secure code example
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;
public class OAuthConfig
{
    public void ConfigureOAuth(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            AllowInsecureHttp = false // the default: the server rejects OAuth requests that do not arrive over HTTPS
        };
        app.UseOAuthAuthorizationServer(options);
    }
}