mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Reference: Testing OAuth2 Implementation Flaws

## OAuth 2.0 Grant Types

| Grant Type | Use Case | Risk Level |
|---|---|---|
| Authorization Code | Server-side (confidential) apps | Low (with PKCE) |
| Authorization Code + PKCE | Mobile/SPA (public) apps | Low |
| Implicit | Legacy SPAs | High (deprecated; removed in OAuth 2.1, tokens returned in the URL fragment) |
| Client Credentials | Machine-to-machine | Medium (no user involved; the risk is in client secret storage and rotation) |
| Resource Owner Password | Legacy migration | High (the client handles the user's password; removed in OAuth 2.1) |

## OAuth Attack Surface

| Attack | Severity | Vector |
|---|---|---|
| Redirect URI bypass | Critical | Subdomain append, path traversal, encoding tricks (see the techniques table below) |
| Missing or unchecked state parameter | High | CSRF: the attacker's authorization code or session is linked to the victim's account |
| PKCE bypass | High | Authorization code interception; the token endpoint accepts a missing or wrong code_verifier, or a downgrade to no PKCE |
| Scope escalation | High | Requesting permissions the client was never granted; the server fails to bound scope to the client registration |
| Code reuse | High | Replaying an authorization code that was not invalidated on first use |
| Token in URL query string | Medium | Leaks via the Referer header, proxy logs and server access logs |
| Implicit flow (token in URL fragment) | Medium | Token exposed in browser history and to any script running on the page |

## Redirect URI Bypass Techniques

| Technique | Example | Why it works |
|---|---|---|
| Subdomain append | `https://redirect.com.evil.com/callback` | Host check matches `redirect.com` as a prefix or substring |
| Path traversal | `https://redirect.com/callback/../open-redirect?to=https://evil.com` | Prefix check passes; after normalisation the path lands on an open redirect on the client that forwards the code |
| At-sign confusion | `https://redirect.com@evil.com/` | `redirect.com` is parsed as userinfo; the browser connects to `evil.com` |
| Encoded fragment | `https://redirect.com%23@evil.com/` | A validator that decodes `%23` to `#` sees host `redirect.com`; the browser does not decode it and connects to `evil.com` |
| Query parameter | `https://redirect.com/callback?next=https://evil.com` | Exact host and path, but an open redirect on the client forwards the code |
| HTTP downgrade | `http://redirect.com/callback` instead of `https://` | Scheme is not compared; the code travels in cleartext |
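The following is an added example, not part of the original reference: it generates one probe value per technique in the table above for a given registered redirect_uri and runs each through three validators, an exact string match (what RFC 6749 section 3.1.2.3 and OAuth 2.1 call for) and two lax checks that are common in the wild (prefix match and hostname-substring match). It also reports the host a browser would actually land on. The hosts `client.example` and `evil.example` are assumed values; nothing here touches the network.

```python
"""Added example: redirect_uri bypass probes against strict and lax validators.

Assumptions (not from the page): the client registered
https://client.example/callback and the attacker controls evil.example.
"""
from urllib.parse import urlsplit

REGISTERED = "https://client.example/callback"   # assumed registered redirect_uri
ATTACKER_HOST = "evil.example"                   # assumed attacker-controlled host


def bypass_candidates(registered: str = REGISTERED,
                      attacker_host: str = ATTACKER_HOST) -> dict:
    """One probe value for the redirect_uri parameter per technique in the table."""
    p = urlsplit(registered)
    host, path = p.hostname, p.path
    return {
        # registered host becomes a subdomain label under the attacker's domain
        "subdomain_append": f"https://{host}.{attacker_host}{path}",
        # prefix check passes; '..' resolves to another path, which must itself
        # be an open redirect on the client for the code to reach the attacker
        "path_traversal": f"{registered}/../open-redirect?to=https://{attacker_host}",
        # everything before '@' is userinfo; the real host is the attacker's
        "at_sign": f"https://{host}@{attacker_host}{path}",
        # a validator that decodes %23 sees 'host#...'; the browser keeps '%23'
        # inside the userinfo and connects to the attacker's host
        "fragment_encoded": f"https://{host}%23@{attacker_host}{path}",
        # registered URI intact; relies on an open redirect in the 'next' parameter
        "query_param": f"{registered}?next=https://{attacker_host}",
        # same host, but the authorization code travels over plaintext HTTP
        "http_downgrade": f"http://{host}{path}",
    }


def exact_match(registered: str, candidate: str) -> bool:
    """Correct check: simple string comparison, no normalisation or prefixing."""
    return candidate == registered


def prefix_match(registered: str, candidate: str) -> bool:
    """Lax check 1: accepts anything that starts with the registered URI."""
    return candidate.startswith(registered)


def host_substring_match(registered: str, candidate: str) -> bool:
    """Lax check 2: accepts anything that contains the registered hostname."""
    return urlsplit(registered).hostname in candidate


def landing_host(candidate: str) -> str:
    """Host the browser would be sent to, per urllib's (RFC 3986) parsing."""
    return urlsplit(candidate).hostname


def probe(registered: str = REGISTERED, attacker_host: str = ATTACKER_HOST) -> dict:
    """Run every candidate through all three validators and record the landing host."""
    results = {}
    for name, uri in bypass_candidates(registered, attacker_host).items():
        results[name] = {
            "uri": uri,
            "exact": exact_match(registered, uri),
            "prefix": prefix_match(registered, uri),
            "host_substring": host_substring_match(registered, uri),
            "landing_host": landing_host(uri),
        }
    return results


if __name__ == "__main__":
    for name, r in probe().items():
        print(f"{name:17} exact={r['exact']!s:5} prefix={r['prefix']!s:5} "
              f"substr={r['host_substring']!s:5} -> {r['landing_host']}")
```

The exact-match validator rejects all six probes; the prefix check lets the path-traversal and query-parameter probes through (both then depend on an open redirect on the client), and the hostname-substring check lets every probe through, including the two that land the browser directly on `evil.example`.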

## Python Libraries

| Library | Version | Purpose |
|---|---|---|
| requests | >=2.28 | HTTP client for driving authorization and token requests |
| secrets | stdlib | Cryptographically random state, nonce and code_verifier values |
| urllib.parse | stdlib | Building and parsing authorization and redirect URLs |
| hashlib | stdlib | SHA-256 for the PKCE S256 code challenge |
| base64 | stdlib | base64url encoding (without padding) of the code challenge |
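The following is an added example, not code from the original reference or the project: an offline model of the authorization-code + PKCE flow built from the stdlib modules listed above. It serves the "missing state", "PKCE bypass" and "code reuse" rows of the attack-surface table: the stub authorization server issues single-use codes bound to their code_challenge, refuses a token request that omits code_verifier, and can be configured to require PKCE, while the client side rejects a callback whose state does not match its own session. The endpoint URL, client_id and redirect_uri are assumed values; `StubAuthorizationServer` is an in-memory stand-in, not a real AS.

```python
"""Added example: authorization-code + PKCE flow with a stub AS (no network).
Endpoint, client_id and redirect_uri below are assumed values."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example/authorize"   # assumed
CLIENT_ID = "demo-client"                          # assumed
REDIRECT_URI = "https://client.example/callback"   # assumed


def b64url(data: bytes) -> str:
    """base64url without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 s4.1: 43-128 unreserved chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 s4.2: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(state: str, challenge: Optional[str]) -> str:
    """Client side. challenge=None models a client that does not use PKCE."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    if challenge is not None:
        params.update(code_challenge=challenge, code_challenge_method="S256")
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


class StubAuthorizationServer:
    """Minimal AS: codes are single-use and bound to their code_challenge."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        self._codes: dict = {}                      # code -> (challenge, method)

    def authorize(self, authz_url: str) -> str:
        """Issue a code; return the redirect the user's browser would follow."""
        q = parse_qs(urlsplit(authz_url).query)
        code = secrets.token_urlsafe(32)
        self._codes[code] = (q.get("code_challenge", [None])[0],
                             q.get("code_challenge_method", [None])[0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code: str, code_verifier: Optional[str]) -> dict:
        """Token endpoint. pop() makes the code single-use (the 'code reuse' row)."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}        # unknown or already redeemed
        challenge, method = entry
        if challenge is None:
            # No challenge was sent; only acceptable when PKCE is optional.
            return self._issue() if not self.require_pkce else {"error": "invalid_request"}
        if code_verifier is None:
            # Letting the token request omit code_verifier after the authorization
            # request carried code_challenge is the 'PKCE bypass' in the table.
            return {"error": "invalid_grant"}
        expected = code_challenge_s256(code_verifier) if method == "S256" else code_verifier
        if not hmac.compare_digest(expected.encode(), challenge.encode()):
            return {"error": "invalid_grant"}
        return self._issue()

    @staticmethod
    def _issue() -> dict:
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def client_callback(redirect_url: str, expected_state: str) -> str:
    """Client side: reject a callback not started by this session ('missing state' row)."""
    q = parse_qs(urlsplit(redirect_url).query)
    if not hmac.compare_digest(q.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    return q["code"][0]


def start_flow(server: StubAuthorizationServer, use_pkce: bool = True) -> dict:
    """Authorization request plus callback; leaves the code unredeemed for tampering tests."""
    state = secrets.token_urlsafe(16)
    verifier = new_code_verifier() if use_pkce else None
    challenge = code_challenge_s256(verifier) if use_pkce else None
    redirect = server.authorize(build_authorization_url(state, challenge))
    return {"state": state, "verifier": verifier, "redirect": redirect,
            "code": client_callback(redirect, state)}


def run_flow(server: StubAuthorizationServer, use_pkce: bool = True) -> dict:
    """Complete flow: start_flow() followed by the token exchange."""
    flow = start_flow(server, use_pkce)
    flow["token"] = server.token(flow["code"], flow["verifier"])
    return flow


if __name__ == "__main__":
    srv = StubAuthorizationServer()
    flow = run_flow(srv)
    print("first exchange:", flow["token"])
    print("replayed code :", srv.token(flow["code"], flow["verifier"]))
```

`code_challenge_s256` reproduces the RFC 7636 Appendix B test vector, which is the first thing to check in any PKCE implementation under test. When testing a real authorization server, the same three tampering steps apply: redeem the code twice, redeem it without `code_verifier`, and redeem it with a fresh random verifier; each must return `invalid_grant`.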

## References