Interactive Security Education

Learn OAuth 2.0 Security

Explore common OAuth vulnerabilities in a safe, controlled environment. Understand how attacks work and learn to defend against them through hands-on interactive modules.

11 Attack Types
4 Learning Modes
15+ Security Controls

Choose Your Learning Path

Each module offers a different approach to learning OAuth security. Pick the one that matches your learning style.

Attacks You'll Learn About

These are the most common OAuth 2.0 vulnerabilities. Each module covers all of these attacks.

Code Interception
Severity: High | Category: Code Flow

Attacker intercepts authorization codes during the redirect and exchanges them for tokens.

Blocked by: PKCE

Redirect URI Manipulation
Severity: Critical | Category: Code Flow

Attacker modifies the redirect_uri parameter to steal authorization codes via phishing.

Blocked by: Strict URI Validation

Token Replay
Severity: High | Category: Token Security

Attacker replays tokens against services that don't validate audience claims.

Blocked by: Audience Validation

CSRF on Callback
Severity: High | Category: Code Flow

Attacker forces the victim to complete the OAuth flow with the attacker's authorization code.

Blocked by: State Parameter

Scope Escalation
Severity: Medium | Category: Authorization

Attacker manipulates the scope parameter to gain elevated permissions.

Blocked by: Scope Validation

Token Theft via XSS
Severity: High | Category: Token Security

Attacker exploits XSS to steal tokens from browser storage.

Blocked by: HttpOnly Cookies

JWT Algorithm Confusion
Severity: Critical | Category: Token Security

Attacker forges tokens by switching the signing algorithm from RS256 to HS256.

Blocked by: Algorithm Enforcement

Refresh Token Hijacking
Severity: High | Category: Token Security

Attacker steals a refresh token for persistent access that survives password changes.

Blocked by: Token Rotation

Open Redirect Phishing
Severity: Medium | Category: Code Flow

Attacker uses an OAuth endpoint as an open redirector to build convincing phishing URLs.

Blocked by: Strict URI Validation

AS Mix-Up Attack
Severity: Critical | Category: Code Flow

Attacker steals codes in multi-IdP scenarios by confusing the client about which authorization server (AS) issued them.

Blocked by: Issuer Validation

Clickjacking Authorization
Severity: Medium | Category: Authorization

Attacker tricks users into clicking a hidden authorize button via an iframe overlay.

Blocked by: Frame Protection

Quick Start

New to OAuth security? Start with the Control Panel for a visual introduction, then move to Dual Perspective for deeper understanding, and finally explore Request Forge for hands-on technical practice.

Start Learning