the auth layer

The Attacks That Work: Token Replay, CSRF, Confused Deputy, and Open Redirect

Chapter 31 of 45

The Attacks That Work

Previous chapters introduced attacks in context: algorithm confusion alongside JWTs, session fixation alongside session management. This chapter collects the attacks that span multiple layers and do not belong to any single topic.

These are the attacks that succeed against applications with correct authentication. The token is valid. The session is established. The user is who they claim to be. The attack exploits the gap between “the user is authenticated” and “this specific request is authorized for this specific action.”

The Taxonomy

Token-based attacks exploit the token itself: replay (using a stolen token), injection (crafting a token with forged claims), and confusion (using a token in an unintended context).

Request-based attacks exploit the request carrying the token: CSRF (tricking a browser into sending a request with the user’s cookie), open redirect (abusing the OAuth2 redirect flow to steal authorization codes), and confused deputy (a valid token used against a resource it was not intended for).

Identity-based attacks exploit the identity layer: account takeover via email linking (CH10), credential stuffing (CH12), and privilege escalation via claim manipulation.

The Pattern

Every attack in this chapter follows the same structure:

  1. A precondition that developers assume is handled by the framework.
  2. A specific sequence of requests that violates the assumption.
  3. The behavior of a vulnerable configuration.
  4. The behavior of a hardened configuration.
  5. A test that proves the hardened configuration rejects the attack.

The attacks are ordered by frequency in production incidents, not by complexity. Token replay is more common than confused deputy because it requires less sophistication. CSRF against cookie-based auth is more common than open redirect because more applications use cookies than OAuth2 redirect flows.

What This Chapter Covers

Section 1: Token replay and CSRF. How a stolen bearer token is replayed, why CSRF is relevant even for API-only applications (when cookies carry authentication), and how Spring Security’s CSRF protection interacts with token-based auth.

Section 2: Confused deputy and open redirect. How a valid token accesses unintended resources (distinct from the tenant-specific confused deputy in CH8), and how open redirect in the OAuth2 callback enables authorization code theft.