SKILL.md
| Theme | What to Check |
| --- | --- |
| `state` handling | missing, static, predictable, or not bound to user session |
| `redirect_uri` validation | prefix match, open redirect chaining, path confusion, localhost leftovers |
| PKCE | missing for public clients, code verifier not enforced, downgraded flow |
| OIDC `nonce` | missing or not validated on ID token return |
| token audience and issuer | weak `aud` / `iss` checks, cross-client token reuse |
| account binding | callback binds attacker identity to victim session |
| scope handling | broader scopes granted than the user or client should receive |
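The server-side checks that close the first five rows of the table, as an added reference example (not part of this skill file); `ALLOWED_REDIRECTS` and the function names are hypothetical, and ID-token signature verification is assumed to happen before `id_token_claims_ok` is called.

```python
# Added example: what correct handling looks like for state, redirect_uri,
# PKCE and ID-token claims. Hypothetical helper names; not from the skill file.
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed registration data: redirect URIs are exact strings, never prefixes.
ALLOWED_REDIRECTS = {"https://app.example/callback"}


def redirect_uri_ok(candidate: str) -> bool:
    """Exact string match against the registration. Prefix matching, path
    confusion (/callback/../x), appended query strings and fragments all fail."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.fragment:
        return False
    return candidate in ALLOWED_REDIRECTS


def state_ok(session_state, returned_state) -> bool:
    """state must be present, bound to this browser session, and compared in
    constant time; a missing or static value is the login-CSRF finding."""
    if not session_state or not returned_state:
        return False
    return hmac.compare_digest(session_state, returned_state)


def pkce_ok(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Authorization-server side: recompute the S256 challenge from the verifier
    presented at the token endpoint; refuse the 'plain' downgrade outright."""
    if method != "S256":
        return False
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return hmac.compare_digest(expected, stored_challenge)


def id_token_claims_ok(claims: dict, client_id: str, issuer: str,
                       session_nonce: str) -> bool:
    """Client side, after signature verification: iss must be the expected
    provider, aud must name this client, nonce must match the session."""
    aud = claims.get("aud")
    aud_set = {aud} if isinstance(aud, str) else set(aud or [])
    if claims.get("iss") != issuer or client_id not in aud_set:
        return False
    return hmac.compare_digest(str(claims.get("nonce", "")), session_nonce)
```

The PKCE pair in the test is the RFC 7636 Appendix B vector, so `pkce_ok` can be checked against a known-good challenge.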
3. QUICK TRIAGE
- Map the full flow: authorize, callback, token exchange, logout.
- Replay callback flows with altered `state`, `nonce`, and `redirect_uri`.
- Compare SPA, mobile, and web clients for weaker validation.
- Check whether one provider account can be rebound to another local account.
4. RELATED ROUTES
- CORS or cross-origin token exposure: cors cross origin misconfiguration
- XML federation or enterprise SSO: saml sso assertion attacks
- CSRF-heavy login or binding bugs: csrf cross site request forgery