mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 14:09:40 +03:00
Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
@@ -0,0 +1,50 @@
|
||||
# API Reference: Testing OAuth2 Implementation Flaws
|
||||
|
||||
## OAuth 2.0 Grant Types
|
||||
|
||||
| Grant Type | Use Case | Risk Level |
|
||||
|------------|----------|------------|
|
||||
| Authorization Code | Server-side apps | Low (with PKCE) |
|
||||
| Authorization Code + PKCE | Mobile/SPA apps | Low |
|
||||
| Implicit | Legacy SPAs | High (deprecated) |
|
||||
| Client Credentials | Machine-to-machine | Medium |
|
||||
| Resource Owner Password | Legacy migration | High |
|
||||
|
||||
## OAuth Attack Surface
|
||||
|
||||
| Attack | Severity | Vector |
|
||||
|--------|----------|--------|
|
||||
| Redirect URI bypass | Critical | Subdomain, path traversal, encoding |
|
||||
| Missing state parameter | High | CSRF-based account linking |
|
||||
| PKCE bypass | High | Authorization code interception |
|
||||
| Scope escalation | High | Request unauthorized permissions |
|
||||
| Code reuse | High | Replay authorization code |
|
||||
| Token in URL fragment | Medium | Referer header leakage |
|
||||
| Implicit flow | Medium | Token exposure in browser history |
|
||||
|
||||
## Redirect URI Bypass Techniques
|
||||
|
||||
| Technique | Example |
|
||||
|-----------|---------|
|
||||
| Subdomain append | `redirect.com.evil.com` |
|
||||
| Path traversal | `redirect.com/../evil.com` |
|
||||
| At-sign confusion | `redirect.com@evil.com` |
|
||||
| Fragment bypass | `redirect.com%23@evil.com` |
|
||||
| Query parameter | `redirect.com?next=evil.com` |
|
||||
| HTTP downgrade | `http://` instead of `https://` |
|
||||
|
||||
## Python Libraries
|
||||
|
||||
| Library | Version | Purpose |
|
||||
|---------|---------|---------|
|
||||
| `requests` | >=2.28 | HTTP OAuth flow testing |
|
||||
| `secrets` | stdlib | State/nonce generation |
|
||||
| `urllib.parse` | stdlib | URL parameter encoding |
|
||||
| `hashlib` | stdlib | PKCE code challenge |
|
||||
|
||||
## References
|
||||
|
||||
- OAuth 2.0 Security Best Practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
|
||||
- PortSwigger OAuth: https://portswigger.net/web-security/oauth
|
||||
- RFC 6749: https://www.rfc-editor.org/rfc/rfc6749
|
||||
- RFC 7636 (PKCE): https://www.rfc-editor.org/rfc/rfc7636
|
||||
Reference in New Issue
Block a user