OAuth’s core purpose is secure delegation of access, but when apps blindly trust any valid token without verifying it, the trust model breaks down.
We built challenges that demonstrate how an adversary can use tokens from one service to impersonate users on completely unrelated platforms, effectively bypassing authentication and hijacking accounts.
The challenges are available in all popular languages:
- C# Oauth
- Java Oauth
- Python OAuth
- PHP Oauth
- JS Oauth
- TS OAuth
- Ruby OAuth (Coming soon, check back often!)
Top comments (0)