OAuth & SSO security
One misconfigured redirect. Full account takeover.
Single sign-on and OAuth 2.0 are complex protocols where a single small misconfiguration leads directly to full account takeover. Standard scanners do not exercise these multi-step, cross-domain flows properly. This assessment traces every step of your login and identity delegation flow, from the first redirect to the final session, looking for the vulnerabilities that cause the most damage.
What I test
- Login redirect validation: can an attacker send the login callback to a site they control and capture the authorization code or token? (Weak `redirect_uri` matching: prefix, subdomain, wildcard or open-redirect chains.)
- Login flow protection: can an attacker force a victim to silently log in under the attacker's account? (Missing or unverified `state`, missing PKCE, or login CSRF.)
- Token security: can authentication tokens be forged, stolen via the browser (URL fragments, referrer leakage, permissive storage), or reused after expiry or revocation?
- Identity assertion validation: can a SAML or OIDC login response be modified without the signature check catching it? (Unsigned assertions accepted, signature wrapping, `alg: none`.)
- SSO account linking: can an attacker link their identity provider account to a victim's existing account, for example through an unverified e-mail match?
- Client credential exposure: are OAuth client secrets visible in frontend code, mobile builds or browser developer tools?
- Token scope: can an attacker obtain tokens with more permissions than they should be granted, or escalate scope on refresh?
Tags: Account takeover, Login flow, SSO, SAML, OAuth 2.0
Example findings
CRITICAL: Login redirect accepts any URL. Authorization code sent directly to an attacker-controlled site.
CRITICAL: SSO identity assertion signature not validated. Attacker can log in as any user in the system.
HIGH: Missing login flow protection (no `state`/PKCE binding). Attacker can silently force a victim to log in under the attacker's account.
HIGH: User personal data leaked to third-party sites via the browser Referer header on every page load.
Illustrative examples, not exhaustive.
Deliverable
Authentication flow analysis with annotated request traces. Each finding includes a step-by-step reproduction and fix.
