OAuth Token Theft
Web 350 pts Advanced — Open Redirect via Prefix Matching
OAuth Server
Authorize Endpoint:
GET /oauth/authorize

Required Parameters:
  client_id=app1
  response_type=token
  redirect_uri=<uri>

Allowed client_id: app1
Legitimate redirect_uri:
https://legitapp.com/callback

Validation method: Prefix match only
Test redirect_uri
Try this URL in your browser
/oauth/authorize?client_id=app1&response_type=token&redirect_uri=https://legitapp.com/callback
Attacker Panel
Craft a malicious OAuth authorize URL. The redirect_uri must start with https://legitapp.com/callback to pass the server's prefix check — but should redirect the victim's token to your server.
Malicious Authorize URL
Hint
The OAuth server validates redirect_uri using a prefix match: uri.startswith("https://legitapp.com/callback")
Any URI beginning with that string passes — including ones that send the token to a different host. Examples: append .evil.com, use @attacker.com, or try path traversal after the prefix.
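The weak check the challenge describes, placed next to the exact-match check that fixes it, as an added example (not the challenge's own server code). The client registry, the token value and the `handle_authorize` helper are constructed for illustration; the legit redirect URI and client_id are the ones from the challenge.

```python
from urllib.parse import parse_qs, urlencode

# Constructed client registry mirroring the challenge: client app1 has exactly
# one registered redirect URI. A real server loads this from its client database.
REGISTERED_REDIRECTS = {"app1": frozenset({"https://legitapp.com/callback"})}


def prefix_check(client_id, redirect_uri):
    """The challenge's weak validation: accept any URI that merely starts with a
    registered one, so whatever follows the prefix is never inspected."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))


def exact_check(client_id, redirect_uri):
    """Hardened validation: the supplied URI must equal a registered value exactly.
    Pre-registering full URIs and comparing with plain string equality is what the
    OAuth 2.0 Security BCP calls for; no prefix, wildcard or substring logic."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def handle_authorize(query, validator, token="constructed-token-123"):
    """Simulate GET /oauth/authorize?<query> for the implicit flow
    (response_type=token). Returns the Location the browser would be sent to,
    or None when the request is rejected. The token is a constructed placeholder."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if params.get("response_type") != "token":
        return None
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not validator(client_id, redirect_uri):
        # Reject without redirecting: never send the browser (or an error) to an
        # unvalidated URI, since that is the open redirect itself.
        return None
    # Implicit flow: the token rides in the fragment, so it goes to whatever the URI names.
    return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})


# The legitimate request from the "Test redirect_uri" panel.
LEGIT_QUERY = "client_id=app1&response_type=token&redirect_uri=https://legitapp.com/callback"
# The hint's ".evil.com appended" variant: passes the prefix check, fails the exact check.
TAMPERED_QUERY = LEGIT_QUERY + ".evil.com"

if __name__ == "__main__":
    for name, validator in (("prefix", prefix_check), ("exact", exact_check)):
        print(name, "legit   ->", handle_authorize(LEGIT_QUERY, validator))
        print(name, "tampered->", handle_authorize(TAMPERED_QUERY, validator))
```

Run it and the prefix validator issues a token-bearing redirect for both queries while the exact validator issues one only for the registered URI.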