testing-oauth2-implementation-flaws

Featured

Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization code interception, redirect URI manipulation, CSRF in OAuth flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the authorization server, client application, and token handling for common misconfigurations that enable account takeover or unauthorized access. Activates for requests involving OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect bypass, or authorization code flow testing.

Category: Testing & QA | 12,642 stars | 1,468 forks | Updated today | License: Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Testing OAuth2 Implementation Flaws

## When to Use

- Assessing OAuth 2.0 authorization code flow for redirect URI validation weaknesses
- Testing OAuth client applications for CSRF protection (state parameter usage) and PKCE enforcement
- Evaluating token storage, transmission, and lifecycle management in OAuth implementations
- Testing scope escalation where clients request more permissions than authorized
- Assessing OpenID Connect implementations for ID token validation and nonce usage

**Do not use** without written authorization. OAuth testing may result in token theft or unauthorized access.

## Prerequisites

- Written authorization specifying the OAuth provider and client applications in scope
- Test OAuth client registered with the authorization server
- Burp Suite Professional for intercepting OAuth redirects and token flows
- Python 3.10+ with `requests` and `oauthlib` libraries
- Browser developer tools for observing OAuth redirect chains
- Knowledge of the OAuth 2.0 grant types in use (authorization code, implicit, client credentials)

## Workflow

### Step 1: OAuth Flow Reconnaissance

```python
import requests
import urllib.parse
import re
import hashlib
import base64
import secrets

AUTH_SERVER = "https://auth.example.com"
CLIENT_ID = "test-client-id"
REDIRECT_URI = "https://app.example.com/callback"
SCOPE = "openid profile email"

# Discover OAuth endpoints
well_known = requests.get(f"{AUTH_SERVER}/.well-known/openid-configuration")
if well_known.status_c...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

exploiting-oauth-misconfiguration

Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation, token leakage, and authorization code theft during security assessments.

12,642 Updated today
mukul975
API & Backend Featured

testing-api-authentication-weaknesses

Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token validation assessment, credential security testing, or API auth bypass.

12,642 Updated today
mukul975
AI & Automation Featured

testing-for-open-redirect-vulnerabilities

Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters, bypass techniques, and exploitation chains for phishing and token theft.

12,642 Updated today
mukul975
Testing & QA Featured

testing-for-json-web-token-vulnerabilities

Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation.

12,642 Updated today
mukul975
API & Backend Solid

oauth-implementation

OAuth 2.0 and OpenID Connect authentication with secure flows. Use for third-party integrations, SSO systems, token-based API access, or encountering authorization code flow, PKCE, token refresh, scope management errors.

160 Updated 2 weeks ago
secondsky