
OAuth Misconfiguration

Difficulty: Intermediate

Exploit lax redirect_uri validation on the authorization server to have the authorization code delivered to an attacker-controlled host, then exploit a client that never checks the state parameter to complete a forged (CSRF) login. Finally, apply both fixes and confirm that each attack is rejected.

Simulation setup (OAuth authorization request): client_id myapp, registered redirect_uri https://myapp.example.com/callback, session state 6a2023v5533. The redirect_uri and state parameters of the request are editable; the server-protection toggles and the authorization server log show whether each request is accepted or rejected.

Challenges

1. Leak the auth code via a lax redirect_uri
Change redirect_uri to https://evil.com/steal and authorize. Because the authorization server does not compare redirect_uri with the registered value, it redirects the user's browser, authorization code in the query string, to the attacker's host.

2. CSRF via missing state validation
Clear the state parameter or set it to any value. Because the client does not tie state to the user's session and verify it on the callback, an attacker can make a victim's browser complete an authorization flow the attacker started, so the forged flow succeeds.

3. Apply both fixes
Enable strict redirect_uri validation AND state enforcement, then replay both attacks and confirm that each one is blocked.
How to fix OAuth misconfiguration
Three controls, applied together: the authorization server compares redirect_uri with the registered value using an exact string match (no prefix, wildcard or host-only matching); the client generates an unguessable state for every login, stores it in the user's session and rejects any callback whose state does not match; and the client uses PKCE (RFC 7636), so an authorization code cannot be exchanged for tokens by anyone who does not hold the code_verifier, even if the code leaks.
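The following is an added, runnable model of the three toggles this simulation exposes; it is example code written for this page, not the simulation's own implementation. The class and function names (AuthServer, ClientApp, auth_code_leaks, login_csrf_succeeds, stolen_code_redeemable) are hypothetical; client_id myapp, the registered callback, the session state 6a2023v5533 and the attacker host https://evil.com/steal are taken from the simulation. The misconfigured server accepts any https redirect_uri (an assumed weak rule standing in for "no validation"); the hardened server requires an exact match, binds each single-use code to the redirect_uri it was issued for, and verifies PKCE at the token endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical registration mirroring the simulation's values.
REGISTERED = {"myapp": {"https://myapp.example.com/callback"}}
ATTACKER_URI = "https://evil.com/steal"

def s256(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class AuthServer:  # strict_redirect_uri toggles the page's "server protection"
    def __init__(self, strict_redirect_uri: bool):
        self.strict = strict_redirect_uri
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, state=None, code_challenge=None):
        if self.strict:
            # Fix 1: exact match against the registered URI, no prefix or host matching.
            if redirect_uri not in REGISTERED[client_id]:
                raise ValueError("redirect_uri does not match registration")
        elif urlsplit(redirect_uri).scheme != "https":
            # Misconfiguration (assumed weak rule): any https URL is accepted, so evil.com passes.
            raise ValueError("redirect_uri must be https")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        params = {"code": code} if state is None else {"code": code, "state": state}
        return f"{redirect_uri}?{urlencode(params)}"

    def token(self, client_id, code, redirect_uri, code_verifier=None):
        issued = self.codes.pop(code, None)  # codes are single use
        if issued is None or issued[:2] != (client_id, redirect_uri):
            raise ValueError("invalid_grant")
        challenge = issued[2]
        # PKCE: a code is worthless without the verifier the client's browser kept.
        if challenge is not None and (code_verifier is None or s256(code_verifier) != challenge):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(16)}

class ClientApp:  # the relying party "myapp"; enforce_state toggles the state check
    REDIRECT = "https://myapp.example.com/callback"

    def __init__(self, server, enforce_state, use_pkce=False):
        self.server, self.enforce_state, self.use_pkce = server, enforce_state, use_pkce

    def start_login(self, session: dict) -> dict:
        req = {"client_id": "myapp", "redirect_uri": self.REDIRECT}
        session["oauth_state"] = req["state"] = secrets.token_urlsafe(16)
        if self.use_pkce:
            session["pkce_verifier"] = secrets.token_urlsafe(32)
            req["code_challenge"] = s256(session["pkce_verifier"])
        return req

    def handle_callback(self, session: dict, callback_url: str) -> dict:
        q = query_params(callback_url)
        expected = session.pop("oauth_state", None)
        # Fix 2: state must equal the value this browser session started the flow with.
        if self.enforce_state and (expected is None or not secrets.compare_digest(expected, q.get("state", ""))):
            raise ValueError("state mismatch: possible CSRF")
        return self.server.token("myapp", q["code"], self.REDIRECT, session.pop("pkce_verifier", None))

def auth_code_leaks(strict: bool) -> bool:
    """Challenge 1: the victim's redirect_uri is rewritten to the attacker's host."""
    server = AuthServer(strict_redirect_uri=strict)
    try:
        url = server.authorize("myapp", ATTACKER_URI, state="6a2023v5533")
    except ValueError:
        return False
    return urlsplit(url).netloc == "evil.com" and "code" in query_params(url)

def login_csrf_succeeds(enforce_state: bool) -> bool:
    """Challenge 2: the attacker's own code is pushed into a victim session, state omitted."""
    server = AuthServer(strict_redirect_uri=True)
    app = ClientApp(server, enforce_state=enforce_state)
    code = query_params(server.authorize(**app.start_login({})))["code"]
    try:
        app.handle_callback({}, f"{ClientApp.REDIRECT}?code={code}")  # victim never began a login
    except ValueError:
        return False
    return True

def stolen_code_redeemable(use_pkce: bool) -> bool:
    """PKCE: a code leaked through a lax redirect_uri cannot be exchanged without the verifier."""
    server = AuthServer(strict_redirect_uri=False)
    app = ClientApp(server, enforce_state=True, use_pkce=use_pkce)
    req = app.start_login({})
    req["redirect_uri"] = ATTACKER_URI  # attacker tampers the victim's authorization request
    code = query_params(server.authorize(**req))["code"]
    try:
        server.token("myapp", code, ATTACKER_URI)  # attacker has the code but no verifier
    except ValueError:
        return False
    return True
```

Each scenario function returns True when the attack works, so flipping the corresponding toggle (strict_redirect_uri, enforce_state, use_pkce) shows exactly which control stops which attack. Note that strict redirect_uri matching and state enforcement are independent: the CSRF scenario runs against a server that already matches redirect_uri exactly, and the PKCE scenario runs against a server that still does not, which is why all three controls belong together.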

Frequently Asked Questions