Note that ChatGPT indeed implemented a state parameter, but their state was not a random value, and therefore could be guessed by the attacker.
Bruh wut, rookie mistake.
State is supposed to be mathematically random and should expire fairly quickly.
I always have used a random GUID that expires after 10-15 minutes for state; if they try and complete the OAuth flow with an expired state value I reject and ask them to try again.
Also yeah the redirect URI trick is common, that’s why OAuth APIs must always have a “whitelist URLs” functionality. And not just domain, the whole URL.
That’s why when you make a Google api token you gotta specify what urls it’s valid for explicitly. That way any other different redirect uri gets rejected, to prevent an injection attack from a third party providing their own different redirect uri to a victim.
OAuth is pretty explicit about all these things in its spec. It really sucks people treat it as optional “not important” factors.
It’s important. Do it. Always.
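The two controls described in the comment above (a random, short-lived, single-use state value and an exact-match redirect URI allowlist) as an added Python example; this is not code from the thread or from any of the services mentioned. The endpoint, client id and allowlisted callback URL are made-up placeholders, and the in-memory state store stands in for whatever session or cache store a real client would use.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit

# Constructed allowlist of complete redirect URIs (assumption: a real client
# loads this from configuration). Matching is on the whole string, not the host.
ALLOWED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}

STATE_TTL_SECONDS = 15 * 60  # 15-minute window, as the comment suggests


class StateStore:
    """Issued OAuth state values and their expiry times.

    In-memory dict for the example; a deployment with several web nodes
    would keep this in the user's session or a shared cache instead.
    """

    def __init__(self, ttl_seconds=STATE_TTL_SECONDS, now=time.time):
        self.ttl = ttl_seconds
        self.now = now        # injectable clock so expiry can be tested offline
        self._issued = {}     # state -> expiry timestamp

    def issue(self):
        # 32 bytes from the OS CSPRNG: not a counter, timestamp or user id,
        # so an attacker cannot predict the value a victim will receive.
        state = secrets.token_urlsafe(32)
        self._issued[state] = self.now() + self.ttl
        return state

    def consume(self, state):
        """Return True exactly once for a known, unexpired state; False otherwise."""
        expiry = self._issued.pop(state, None)  # pop, not get: single use
        if expiry is None:
            return False                        # unknown, guessed or already used
        return self.now() < expiry              # expired values are rejected


def redirect_uri_allowed(uri, allowlist=ALLOWED_REDIRECT_URIS):
    """Exact match of the full URI against the allowlist, plus a scheme check."""
    if uri not in allowlist:
        return False
    parts = urlsplit(uri)
    return parts.scheme == "https" and not parts.fragment


def build_authorize_url(auth_endpoint, client_id, redirect_uri, state, scope="openid"):
    """Build the authorization request, refusing any non-allowlisted redirect_uri."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not on the allowlist")
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{auth_endpoint}?{query}"


def handle_callback(store, params):
    """Verdict for the query parameters of an incoming callback request."""
    state = params.get("state")
    if not state or not store.consume(state):
        return "rejected: missing, unknown, reused or expired state; ask the user to try again"
    if "code" not in params:
        return "rejected: no authorization code"
    return "ok"


if __name__ == "__main__":
    store = StateStore()
    state = store.issue()
    print(build_authorize_url("https://idp.example.net/authorize",  # placeholder IdP
                              "client-id-placeholder",
                              "https://app.example.com/oauth/callback",
                              state))
    print(handle_callback(store, {"state": state, "code": "constructed-code"}))
    print(handle_callback(store, {"state": state, "code": "constructed-code"}))  # replay
```

Note that `consume` pops the value before checking expiry, so a state can never be accepted twice even inside its validity window, and the allowlist check is a set membership on the whole URI rather than a prefix or domain comparison, which is what the comment means by "not just domain, the whole url".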
I still love how stupid ‘hacking’ these things are. Like the poem shit. That’s the future. Tell a bot to say something a bunch of times and it spits out someone’s address.