Craft a malicious OAuth authorize URL. The redirect_uri must start with
https://legitapp.com/callback to pass the server's prefix check — but should redirect
the victim's token to your server.
Malicious Authorize URL
Hint
The OAuth server validates redirect_uri using a prefix match:
uri.startswith("https://legitapp.com/callback")
Any URI beginning with that string passes — including ones that send the token to a different host.
Examples: append .evil.com, use @attacker.com, or try path traversal after the prefix.
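For comparison, here is the prefix check from the hint placed beside a strict validator, as an added example that is not part of the original challenge. The registered URI set, the function names and the test inputs are assumptions made for the example; the strict check follows the exact-string comparison that RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP require.

```python
from urllib.parse import urlsplit

# Redirect URIs registered for the client. Constructed for this example; a real
# authorization server keeps these per client_id in its client registry.
REGISTERED_REDIRECT_URIS = frozenset({"https://legitapp.com/callback"})


def weak_redirect_check(uri: str) -> bool:
    """The prefix match from the hint: every URI that merely begins with the
    registered value is accepted, whatever host or path follows it."""
    return uri.startswith("https://legitapp.com/callback")


def is_well_formed_redirect(uri: str) -> bool:
    """Sanity rules applied when a client registers a redirect URI: https only,
    a concrete host, no userinfo ('user@host'), no fragment."""
    parts = urlsplit(uri)
    return (
        parts.scheme == "https"
        and bool(parts.hostname)
        and parts.username is None
        and parts.password is None
        and not parts.fragment
    )


def strict_redirect_check(uri: str) -> bool:
    """Exact-string comparison against the registered set. No prefix, suffix
    or pattern matching: 'https://legitapp.com/callback' is accepted, and any
    URI that differs by a single character is rejected."""
    return uri in REGISTERED_REDIRECT_URIS and is_well_formed_redirect(uri)


def compare_checks(uri: str) -> tuple[bool, bool]:
    """Return (weak_result, strict_result) so the two policies can be compared
    on the same input."""
    return weak_redirect_check(uri), strict_redirect_check(uri)
```

Run `compare_checks` over the URI shapes the hint lists and the weak check returns True for each while the strict check only ever returns True for the registered string itself.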