Hacker Desktop Guide

Learn how to use the Hacker Desktop to explore OAuth attacks in a safe, simulated environment. This guide walks you through the interface and provides step-by-step attack tutorials.

Interface Overview

📊

Flow Diagram

Visualizes OAuth flows between services. Watch requests move between Victim, Client, Auth Server, Resource Server, and Attacker nodes.

  • Select attack scenarios
  • Step through attacks visually
  • See which services are involved
  • View server security status
💀

Hacker Terminal

Command-line interface for executing attacks. Type commands to scan for vulnerabilities, launch attacks, and inspect captured data.

  • Tab completion for commands
  • Command history (↑/↓ keys)
  • Colored output for clarity
  • Real-time config integration
🔍

Request Inspector

Analyze captured HTTP requests, responses, and tokens. Decode JWTs and examine their claims.

  • View raw requests/responses
  • Decode JWT tokens
  • Copy captured tokens
  • Analyze security implications
🛡️

Security Config

Toggle security defenses on the target system. See how different configurations affect attack success.

  • PKCE, Audience validation
  • Strict redirect URIs
  • State parameter
  • Real-time security score

Terminal Commands

| Command | Description | Example |
| --- | --- | --- |
| help | Show all available commands | help |
| scan | Scan target for vulnerabilities based on current config | scan |
| attack <type> | Load an attack scenario into Flow Diagram | attack pkce |
| config | Show current target security configuration | config |
| status | Show current attack status and progress | status |
| token | Show any captured access tokens | token |
| intercept | Start intercepting requests (simulated) | intercept |
| clear | Clear the terminal output | clear |

Tip: Press Tab for auto-completion and ↑/↓ to navigate command history.

Attack Types

attack pkce

PKCE Bypass Attack

Intercept authorization codes from clients that don't use PKCE protection. Without PKCE, stolen codes can be exchanged for tokens.

Medium
Defense: Enable PKCE

attack redirect

Redirect URI Hijacking

Exploit loose redirect URI validation to steal authorization codes by redirecting them to attacker-controlled servers.

High
Defense: Strict URI validation

attack replay

Token Replay Attack

Use a token obtained for one service against a different service that doesn't validate the audience claim.

Medium
Defense: Audience validation

attack csrf

CSRF Login Attack

Force a victim to complete an OAuth flow with the attacker's authorization code, linking their session to the attacker's account.

Medium
Defense: State parameter

Tutorial: Your First Attack

Follow this step-by-step guide to execute a PKCE Bypass attack.

1. Open the Windows

Click the taskbar buttons to open Flow, Terminal, and Config windows. Arrange them so you can see all three.

2. Make the Target Vulnerable

In the Config window, click the "Vulnerable" preset button (red dot) to disable all security controls. Notice the security score drops.

> config
PKCE: OFF

3. Scan for Vulnerabilities

In the Terminal, type scan to find vulnerabilities. You should see PKCE listed as missing.

> scan
Found 4 vulnerabilities:
[HIGH] Authorization Code Interception

4. Load the Attack Scenario

Type attack pkce in the terminal to load the PKCE bypass scenario into the Flow Diagram.

> attack pkce
Loaded pkce attack scenario. Use Flow Diagram to execute.

5. Execute the Attack

In the Flow Diagram window, select "PKCE Bypass Attack" from the dropdown and click "Next Step" repeatedly to walk through the attack.

Watch as the attack progresses through:

  • User initiates login
  • Authorization request (without PKCE)
  • Attacker intercepts the code
  • Attacker exchanges code for tokens

6. See the Attack Succeed

With PKCE disabled, the attacker successfully obtains tokens! The attacker node will glow red indicating a successful attack.

7. Now Block It

In the Config window, enable "PKCE Required". Then reset and re-run the flow. This time, the attack will be blocked at the token exchange step!

> config
PKCE: ON
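
What the "PKCE Required" toggle changes at the token exchange step, as an added Python example (not code from the Hacker Desktop): the authorization server binds an S256 code_challenge to each code and refuses the exchange without the matching code_verifier. The AuthServer class, its method names and the simulate helper are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636 S256)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Toy authorization server; class and method names are assumptions for this example."""

    def __init__(self, pkce_required: bool):
        self.pkce_required = pkce_required
        self._codes = {}  # authorization code -> code_challenge bound at /authorize

    def authorize(self, code_challenge=None) -> str:
        if self.pkce_required and not code_challenge:
            raise ValueError("invalid_request: code_challenge is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier=None) -> str:
        if code not in self._codes:
            return "invalid_grant"
        challenge = self._codes.pop(code)  # single use, even when the check fails
        if challenge is None:
            return "token_issued"  # nothing bound to the code: possession is enough
        if code_verifier is None:
            return "invalid_grant"
        ok = hmac.compare_digest(s256_challenge(code_verifier), challenge)
        return "token_issued" if ok else "invalid_grant"


def simulate(pkce_required: bool) -> dict:
    """Redeem one code as a party that only saw the redirect, one as the real client."""
    server, results = AuthServer(pkce_required), {}
    for party in ("interceptor", "client"):
        verifier = secrets.token_urlsafe(32)  # created and kept by the client
        code = server.authorize(s256_challenge(verifier) if pkce_required else None)
        presented = verifier if (pkce_required and party == "client") else None
        results[party] = server.exchange(code, presented)
    return results
```

With PKCE off, both parties receive tokens; with it on, only the client that holds the verifier does.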

Tutorial: Token Replay Attack

Learn how tokens can be misused across services without proper audience validation.

1. Setup

Open Flow, Terminal, Inspector, and Config windows.

In Config, disable "Audience Validation" but leave other settings on.

2. Load the Scenario

> attack replay
Loaded replay attack scenario.

3. Understand the Attack

Step through the flow and watch:

  • Attacker obtains a token for Service A (frontend-app)
  • Attacker inspects the token - audience is "frontend-app"
  • Attacker sends the SAME token to Service B (admin-api)
  • Service B accepts it because it doesn't check audience!

4. Check the Inspector

Open the Inspector window and look at the Token tab. You'll see the JWT with aud: "frontend-app", but it worked against admin-api.

5. Enable Defense

Enable "Audience Validation" in Config and re-run. Now the admin-api rejects the token because aud doesn't match!
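
The check behind the "Audience Validation" toggle, as an added Python example (not code from the Hacker Desktop): a resource server verifies the JWT signature and then requires its own identifier in the aud claim, which may be a string or a list. The HS256 key, the issue_token stand-in for the Auth Server and the function names are constructed for illustration; frontend-app and admin-api are the service names used in the tutorial.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-signing-key"  # constructed; stands in for the issuer's key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Stand-in for the Auth Server: HS256-signed JWT over the given claims."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def accept_token(token: str, service: str, audience_validation: bool) -> bool:
    """Resource-server check: signature first, then (optionally) the aud claim."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(body))
    except (ValueError, TypeError):
        return False  # malformed token, bad base64 or bad JSON
    if not isinstance(claims, dict):
        return False
    if not audience_validation:
        return True  # any validly signed token passes, whoever it was issued for
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    return service in audiences  # a missing aud is rejected, not treated as a wildcard
```

A token issued with aud "frontend-app" is accepted by admin-api only while audience_validation is False.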

Pro Tips

⌨️

Keyboard Shortcuts

  • Tab - Auto-complete commands
  • ↑/↓ - Command history
  • Enter - Execute command
🎯

Workflow

  1. Set config to vulnerable
  2. Run scan to find issues
  3. Load attack with attack <type>
  4. Step through in Flow Diagram
  5. Enable defenses and retry
🔄

Reset & Retry

Use the "Reset" button in Flow Diagram to start a scenario over. Try it with different config combinations to see what blocks each attack.

📋

Window States

Windows remember their position and size. You can minimize, resize, and drag them. Close windows you don't need to reduce clutter.
