igbuend/oauth-security-anti-pattern
skills/oauth-security-anti-pattern/SKILL.md
Security anti-pattern for OAuth implementation vulnerabilities (CWE-352, CWE-287). Use when generating or reviewing OAuth/OIDC authentication flows, state parameter handling, or token exchange. Detects missing CSRF protection and insecure redirect handling.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard oauth-security-anti-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:19 PM19.0s1 file scanned
SKILL.md
- name:
- oauth-security-anti-pattern
- description:
- Security anti-pattern for OAuth implementation vulnerabilities (CWE-352, CWE-287). Use when generating or reviewing OAuth/OIDC authentication flows, state parameter handling, or token exchange. Detects missing CSRF protection and insecure redirect handling.
OAuth Security Anti-Pattern
Severity: High
Summary
OAuth 2.0/OIDC flows are complex and easily misconfigured. The critical mistake: failing to implement and validate the state parameter. This parameter defends against CSRF attacks during OAuth flows. Missing or predictable state allows attackers to trick victims into logging into the attacker's account, enabling account takeover.
The Anti-Pattern
The anti-pattern is initiating OAuth flows without state parameters, or using predictable values not validated on callback.
BAD Code Example
# VULNERABLE: The OAuth flow is initiated without a `state` parameter.
from flask import request, redirect
OAUTH_PROVIDER_URL = "https://provider.com/auth"
CLIENT_ID = "my-client-id"
CALLBACK_URL = "https://myapp.com/callback"
@app.route("/login/provider")
def oauth_login():
# Redirects user to OAuth provider.
# FLAW: No `state` parameter to prevent CSRF.
auth_url = (f"{OAUTH_PROVIDER_URL}?client_id={CLIENT_ID}"
f"&redirect_uri={CALLBACK_URL}&response_type=code")
return redirect(auth_url)
@app.route("/callback")
def oauth_callback():
# User redirected back from provider.
# No way to verify callback corresponds to user-initiated flow.
auth_code = request.args.get("code")
# Exchanges code for tokens, logs user in.
# Attacker can link victim's session to attacker's account.
access_token = exchange_code_for_token(auth_code)
log_user_in(access_token)
return "Logged in successfully!"
Attack:
- Attacker initiates OAuth flow with own account
- Provider redirects to
https://myapp.com/callback?code=ATTACKER_CODE - Attacker intercepts and pauses request
- Attacker tricks victim into visiting malicious callback URL
myapp.comassociates victim's session with attacker's account
GOOD Code Example
# SECURE: A unique, unpredictable `state` is generated, stored in the session, and validated on callback.
from flask import request, redirect, session
import secrets
@app.route("/login/provider/secure")
def oauth_login_secure():
# 1. Generate cryptographically random `state`.
state = secrets.token_urlsafe(32)
# 2. Store in user's session.
session['oauth_state'] = state
auth_url = (f"{OAUTH_PROVIDER_URL}?client_id={CLIENT_ID}"
f"&redirect_uri={CALLBACK_URL}&response_type=code"
f"&state={state}") # 3. Send state to provider.
return redirect(auth_url)
@app.route("/callback/secure")
def oauth_callback_secure():
# 4. Provider returns `state` in callback.
received_state = request.args.get("state")
auth_code = request.args.get("code")
# 5. CRITICAL: Validate returned state matches session state.
stored_state = session.pop('oauth_state', None)
if stored_state is None or not secrets.compare_digest(stored_state, received_state):
return "Invalid state parameter. CSRF attack detected.", 403
# State valid, safe to proceed.
access_token = exchange_code_for_token(auth_code)
log_user_in(access_token)
return "Logged in successfully!"
Detection
- Trace the OAuth flow: Start at the point where your application redirects to the OAuth provider.
- Is a
stateparameter being generated? - Is it cryptographically random and unpredictable?
- Is a
- Examine the callback endpoint:
- Does it retrieve the
statefrom the incoming request? - Does it compare it to a value stored in the user's session before the redirect?
- Is the comparison done in constant time (
hmac.compare_digest) to prevent timing attacks? - Is the state value single-use (i.e., deleted from the session after being checked)?
- Does it retrieve the
Prevention
- [ ] Always use
stateparameter: Required in all OAuth/OIDC authorization requests. - [ ] Generate cryptographically random
state: Minimum 32 characters. Never use predictable values (user ID, timestamp). - [ ] Bind to session: Store
statein session cookie before redirect. - [ ] Strictly validate on callback: Compare request
statewith session value. Reject mismatches. - [ ] Make single-use: Remove from session after validation to prevent replay attacks.
- [ ] Use PKCE for public clients: SPAs and mobile apps require PKCE (Proof Key for Code Exchange) in addition to
state.
Related Security Patterns & Anti-Patterns
- Session Fixation Anti-Pattern: A successful OAuth CSRF attack is a form of session fixation.
- Insufficient Randomness Anti-Pattern: The
stateparameter must be generated with a cryptographically secure random number generator. - Missing Authentication Anti-Pattern: OAuth is a form of authentication, and its flows must be implemented correctly to be secure.
References
- OWASP Top 10 A07:2025 - Authentication Failures
- OWASP GenAI LLM06:2025 - Excessive Agency
- OWASP API Security API2:2023 - Broken Authentication
- OWASP OAuth Cheat Sheet
- CWE-352: Cross-Site Request Forgery
- CAPEC-103: Clickjacking
- PortSwigger: Oauth
- OAuth 2.0 Security Best Practices
- Source: sec-context
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026