oauth-flow-hijack

Official

Test OAuth implementations for flow hijack flaws

Authordreadnode
Version1.0.0
Installs0

System Documentation

What problem does it solve?

This Skill addresses the high risk of undetected OAuth flow hijack vulnerabilities in web applications, which can lead to unauthorized account access, data breaches, and identity theft when attackers intercept authorization codes or abuse OAuth callback flows.

Core Features & Use Cases

  • Redirect Stoppage & Code Leakage Techniques: Provides methods to block client-side OAuth redirects, leak authorization codes via navigation history, cookie bombing, and WAF bypasses, and exploit popup/iframe name collisions to hijack OAuth flows.
  • PKCE Downgrade & Framework-Specific Bypasses: Includes tests for PKCE enforcement gaps, plus documented exploits for common OAuth stack vulnerabilities like django-allauth mutable claim takeover and oauth2-proxy regex bypass.
  • Use Case: Security testers use this Skill during authorized penetration tests of web applications with OAuth authentication, especially when XSS on a subdomain, open redirects, or callback interception capabilities are present.

Quick Start

Use the oauth-flow-hijack skill to test a target OAuth implementation for redirect stoppage, authorization code leakage, and PKCE downgrade vulnerabilities during your next authorized penetration test.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: oauth-flow-hijack
Download link: https://github.com/dreadnode/capabilities/archive/main.zip#oauth-flow-hijack

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 537,000+ vetted skills library on demand.