testing-oauth2-implementation-flaws
Community: Find OAuth2/OIDC flaws to prevent account takeover
System Documentation
What problem does it solve?
This Skill identifies misconfigurations and implementation flaws in OAuth 2.0 and OpenID Connect deployments: authorization code interception, redirect URI manipulation, CSRF in authorization flows, token leakage, scope escalation, PKCE bypass, and improper token handling, any of which can lead to unauthorized access or account takeover.
Core Features & Use Cases
- Endpoint Reconnaissance & Configuration Discovery: Automatically discover .well-known/openid-configuration, authorization and token endpoints for assessment.
- Redirect URI, State & PKCE Validation: Test redirect_uri matching, state parameter usage for CSRF protection, and PKCE enforcement for authorization code flows.
- Token & Scope Analysis: Detect token leakage, implicit flow exposure, scope escalation, code reuse, and improper audience or refresh token binding.
- Use Case: Assess "Login with X" social login flows for a SaaS application to detect redirect bypass, missing client-side state validation, absent PKCE, and token replay that could result in account takeover.
Quick Start
Test the authorization server at https://auth.example.com with client_id test-client-id and redirect URI https://app.example.com/callback for redirect URI validation, state and PKCE enforcement, scope escalation, and token handling issues and produce a findings report.
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill:
Name: testing-oauth2-implementation-flaws
Download link: https://github.com/Acczdy/MoZiSec/archive/main.zip#testing-oauth2-implementation-flaws
Please download this .zip file, extract it, and install it in the .claude/skills/ directory.