Post: POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows

Post: SSO Gadgets II: Unauthenticated Client-Side Template Injection to Account Takeover using SSO Gadget Chain

Post: SSO Gadgets: Escalate (Self-)XSS to ATO

Tools: AuRA: Auth. Request Analyser

Tools: Custom and flexible OAuth/OIDC SP and IdP implementations
Post: Insufficient Redirect URI validation: The risk of allowing arbitrary query parameters and fragments to be added dynamically to the redirect_uri