web-vuln-oauth
Community
Detect OAuth redirect and PKCE weaknesses
Author: woohyun212
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Identifies OAuth 2.0 and OpenID Connect misconfigurations that enable redirect_uri bypasses, missing PKCE enforcement, state parameter issues, authorization code leakage via Referer, implicit flow token exposure, and other paths to account takeover (ATO).
Core Features & Use Cases
- Redirect URI Bypass Testing: Exercises 11 redirect_uri bypass techniques including open redirects, subdomain tricks, fragment abuse, double-encoding, IDN homographs, and scheme confusion to determine if an attacker can receive an authorization code or token.
- PKCE and State Validation: Verifies enforcement of PKCE for public clients and checks presence, emptiness, and fixation of the state parameter to prevent interception and CSRF.
- Token & Referer Leakage Checks: Detects implicit flow acceptance and presence of authorization codes in Referer headers when third-party resources are loaded, plus guides on documenting ATO impact chains.
- Use Case: Security assessments, bug bounty reports, and authorization server audits for web, mobile, and SPA clients where third-party login or SSO is present.
Quick Start
Use the web-vuln-oauth skill to test example.com for redirect_uri bypasses, missing PKCE, state parameter weaknesses, and implicit flow token leakage.
Dependency Matrix
Required Modules
None required
Components
Standard package
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: web-vuln-oauth Download link: https://github.com/woohyun212/security-skill/archive/main.zip#web-vuln-oauth Please download this .zip file, extract it, and install it in the .claude/skills/ directory.