hunt-oauth


Crown Jewel Targets

OAuth vulnerabilities are among the highest-value bug classes in web security because they directly enable account takeover, session theft, and authentication bypass — the trifecta that programs pay most for.

Highest-value targets:

  • Consumer identity providers (Google, Facebook, PayPal, Apple SSO integrations) — any compromise cascades across all relying parties
  • Mobile apps with custom deep link OAuth handlers — Android/iOS intent handling is notoriously loose
  • Multi-tenant SaaS platforms (GitLab, Reddit-scale apps) where one OAuth flaw hits millions of accounts
  • Gaming/entertainment platforms with federated login (Rockstar, Oculus) — often security-immature teams
  • Enterprise SSO connectors — critical infrastructure, high severity payouts

Asset types that pay most:

  • OAuth authorization endpoints (/oauth/authorize, /connect/authorize)
  • Token exchange endpoints (/oauth/token)
  • Mobile deep link handlers (push_notification_webview, custom scheme URIs)
  • Social login callback handlers (/auth/callback, /oauth/callback)

Typical payouts: $500–$20,000+ depending on program; account takeover findings often hit max bounty.

Installs: 33
GitHub Stars: 2.6K
First Seen: May 24, 2026

hunt-oauth — elementalsouls/claude-bughunter