OAuthOrNot is a deliberately vulnerable web‑application sandbox that mimics a real‑world admin portal. Built on Next.js and NextAuth and fronted by a simulated admin dashboard, the environment shows how everyday OAuth 2.0 configurations turn into attack vectors when they are not locked down properly.
Why I created OAuthOrNot
OAuth has become the de‑facto standard for delegating authentication to third‑party providers such as GitHub, Google, or Microsoft. While the protocol itself is robust, many implementations slip on the surrounding details: redirect‑URI validation, CSRF handling, or output sanitization. Those gaps are precisely where attackers get in.
OAuthOrNot was created to give security enthusiasts, students, and professionals a compact, realistic environment where they can:
- Observe a full OAuth 2.0 Authorization Code flow in action.
- Identify common misconfigurations (open redirect URIs, static CSRF tokens, reflected XSS).
- Understand how simple but badly designed UI elements (e.g. a status message) can become one piece of an exploit chain.
By focusing on a single, well‑scoped scenario, the environment keeps the learning curve gentle while still exposing the depth of OAuth‑related attack surfaces.
What do you stand to gain from OAuthOrNot?
| Learning Goal | Experienced in OAuthOrNot |
|---|---|
| How the OAuth 2.0 flow works | Watch the series of requests from provider discovery, CSRF token fetch, OAuth URL generation, GitHub redirection, and final callback. |
| Importance of redirect-URI validation | See how checking only the host, and accepting any path on the same domain, opens the door to arbitrary redirects. |
| XSS in OAuth helpers | Discover a reflected XSS on a status page that can be leveraged to exfiltrate sensitive data. |
| Chaining vulnerabilities | Combine a lax redirect policy with XSS to achieve a full account takeover, illustrating how multiple minor bugs amplify each other. |
| Secure development | Walk away with concrete checklist items (strict URI whitelists, per‑request CSRF tokens, proper output encoding) that harden real deployments. |
Who should try it
- Newcomers to pentesting looking for a self-contained, complete lab that covers both OAuth theory and practical exploitation.
- Security educators who need a reproducible demo to illustrate OAuth weaknesses without exposing production systems.
- Developers interested in seeing how their authentication stack behaves under adversarial conditions.
The project is pre-alpha and currently only distributed to a select few users. Check back soon for more updates; in the meantime, please check out the docs!

