oauth-security-anti-pattern


OAuth Security Anti-Pattern

Severity: High

Summary

OAuth 2.0/OIDC flows are complex and easily misconfigured. The critical mistake: failing to generate, bind and validate the state parameter. This parameter defends against CSRF attacks during the authorization flow. A missing or predictable state lets an attacker trick a victim into completing a login into the attacker's account, enabling account takeover.

The Anti-Pattern

The anti-pattern is initiating an OAuth flow without a state parameter, using a predictable state value, or accepting the callback without checking that the returned state matches the one issued to that session.

BAD Code Example

# VULNERABLE: The OAuth flow is initiated without a `state` parameter.
from flask import Flask, request, redirect

app = Flask(__name__)
OAUTH_PROVIDER_URL = "https://provider.com/auth"

@app.route("/login")
def login():
    # No state is generated or stored, so the callback cannot tie the response to this session.
    return redirect(f"{OAUTH_PROVIDER_URL}?response_type=code&client_id=CLIENT_ID")  # CLIENT_ID is a placeholder
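The corrected handling, as an added example that is not part of the original skill: generate an unguessable state from the OS CSPRNG, bind it to the session, and verify it in constant time on callback before using the authorization code. `session` is a plain dict standing in for a server-side session store such as Flask's; the provider URL, client id and redirect URI are placeholders.

```python
# Added example, not the original skill's code. `session` is a dict standing in
# for a server-side session; provider URL, client id and redirect URI are placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OAUTH_PROVIDER_URL = "https://provider.com/auth"   # placeholder provider
CLIENT_ID = "example-client-id"                     # placeholder client id
REDIRECT_URI = "https://app.example/callback"       # placeholder callback


def start_login(session: dict) -> str:
    """Generate an unguessable state, bind it to this session, and return
    the authorization URL that carries it."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{OAUTH_PROVIDER_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the returned state before touching the code. Raises on any
    mismatch; the stored state is consumed so it cannot be reused."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # one-time use
    # Constant-time comparison; a missing or forged state is rejected.
    if not expected or not hmac.compare_digest(returned, expected):
        raise PermissionError("OAuth state missing or mismatched; possible CSRF")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code  # safe to exchange for tokens now
```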
Installs: 6 · GitHub Stars: 4 · First Seen: Feb 19, 2026