OAuth Dynamic Client Registration Permissive Redirect URI
Description

OAuth Dynamic Client Registration requires a client to specify its redirect URIs during the registration process. When the OAuth server accepts permissive redirect URIs, such as patterns that allow arbitrary hosts or values starting with javascript://, an attacker can exploit this to perform Open Redirect or Cross-Site Scripting (XSS) attacks. OAuth Dynamic Client Registration is very common in the context of Model Context Protocol (MCP) servers, which lets attackers target AI developers.
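As an added example (not code from the original entry), the check a registration endpoint would apply to the redirect_uris array, with the permissive form beside a hardened one; the function names and the assumed policy (https only, plain http only for loopback, no wildcards, exact matching at authorization time) are this example's assumptions, not the page's:

```python
# Added example (not from the original page): redirect_uri validation for an
# OAuth Dynamic Client Registration request. The permissive check mirrors the
# weakness described above; the hardened one is an assumed server policy.
from urllib.parse import urlsplit

DANGEROUS_SCHEMES = {"javascript", "data", "vbscript", "file"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def permissive_accepts(uri: str) -> bool:
    """Weak check: anything containing '://' passes, so javascript://...
    and wildcard hosts get stored as valid redirect targets."""
    return "://" in uri

def hardened_accepts(uri: str) -> bool:
    """Strict check for one literal redirect URI (assumed policy: https only,
    plain http allowed for loopback development clients, no wildcards)."""
    if not isinstance(uri, str) or not uri or len(uri) > 2048:
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:                      # e.g. malformed IPv6 literal
        return False
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if scheme in DANGEROUS_SCHEMES:         # javascript:, data:, ...
        return False
    if not scheme or not host or parts.fragment:   # absolute URI, no fragment
        return False
    if "*" in uri or "@" in parts.netloc:   # no patterns, no userinfo tricks
        return False
    if scheme == "https":
        return True
    return scheme == "http" and host in LOOPBACK_HOSTS

def validate_registration(body: dict) -> list:
    """Validate the redirect_uris array of a registration request body.
    Returns the URIs to store, or raises ValueError carrying the RFC 7591
    error code invalid_redirect_uri."""
    uris = body.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        raise ValueError("invalid_redirect_uri: redirect_uris is required")
    rejected = [u for u in uris if not hardened_accepts(u)]
    if rejected:
        raise ValueError(f"invalid_redirect_uri: rejected {rejected}")
    return list(uris)

def matches_registered(redirect_uri: str, registered: list) -> bool:
    """At authorization time compare the presented redirect_uri to the stored
    values by exact string match; no prefix, host-only or pattern matching."""
    return redirect_uri in registered
```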