exploiting-oauth-misconfiguration
Installation
SKILL.md
Exploiting OAuth Misconfiguration
When to Use
- During authorized penetration tests when the application uses OAuth 2.0 or OpenID Connect for authentication
- When assessing "Sign in with Google/Facebook/GitHub" social login implementations
- For testing single sign-on (SSO) flows between applications
- When evaluating API authorization using OAuth bearer tokens
- During security assessments of applications acting as OAuth providers or consumers
Prerequisites
- Authorization: Written penetration testing agreement covering OAuth/SSO flows
- Burp Suite Professional: For intercepting OAuth redirect flows
- Browser with DevTools: For monitoring redirect chains and token leakage
- Multiple test accounts: On both the OAuth provider and the target application
- curl: For manual OAuth flow testing
- Attacker-controlled server: For receiving redirected tokens/codes