oauth-flow-hijack
OfficialTest OAuth implementations for flow hijack flaws
Software Engineering#oauth#penetration testing#web security#pkce#account takeover#authorization code#flow hijack
Authordreadnode
Version1.0.0
Installs0
System Documentation
What problem does it solve?
This Skill addresses the high risk of undetected OAuth flow hijack vulnerabilities in web applications, which can lead to unauthorized account access, data breaches, and identity theft when attackers intercept authorization codes or abuse OAuth callback flows.
Core Features & Use Cases
- Redirect Stoppage & Code Leakage Techniques: Provides methods to block client-side OAuth redirects, leak authorization codes via navigation history, cookie bombing, and WAF bypasses, and exploit popup/iframe name collisions to hijack OAuth flows.
- PKCE Downgrade & Framework-Specific Bypasses: Includes tests for PKCE enforcement gaps, plus documented exploits for common OAuth stack vulnerabilities like django-allauth mutable claim takeover and oauth2-proxy regex bypass.
- Use Case: Security testers use this Skill during authorized penetration tests of web applications with OAuth authentication, especially when XSS on a subdomain, open redirects, or callback interception capabilities are present.
Quick Start
Use the oauth-flow-hijack skill to test a target OAuth implementation for redirect stoppage, authorization code leakage, and PKCE downgrade vulnerabilities during your next authorized penetration test.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: oauth-flow-hijack Download link: https://github.com/dreadnode/capabilities/archive/main.zip#oauth-flow-hijack Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 537,000+ vetted skills library on demand.