Attack OAuth
  1. Identify whether OAuth is being used.
  2. Check the well-known configuration endpoints:
    1. /.well-known/oauth-authorization-server
    2. /.well-known/openid-configuration
  3. Check whether the email and username in the /authenticate POST request can be changed.
  4. Check whether an arbitrary redirect_uri parameter is accepted, so that the victim can be redirected to our exploit server.
  5. If an "attach social profile" functionality exists, explore the /oauth-linking endpoint: when it has no state parameter protection, try to link the victim's social account to ours.
  6. Analyse the flow and check PortSwigger for examples of more attacks.
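
The server-side checks that make steps 4 and 5 fail, as an added example that is not part of the original notes: exact-match redirect_uri validation and a session-bound, single-use state value. The client id, the URIs and the dict standing in for a session store are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample registration; the client id and URI are hypothetical.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Accept only an exact string match with a registered URI.

    No prefix, substring or pattern matching, so look-alike hosts,
    appended paths and extra query parameters are all rejected.
    """
    parts = urlsplit(redirect_uri)
    # Defence in depth: refuse non-HTTPS or fragment-bearing URIs outright.
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def issue_state(session):
    """Store an unguessable state value in the user's session before redirecting."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def state_valid(session, returned_state):
    """Check state on the callback (for example /oauth-linking).

    The stored value is popped first, so it is single-use even when the
    comparison fails; a missing value on either side is a rejection.
    """
    expected = session.pop("oauth_state", None)
    if not expected or not returned_state:
        return False
    # Constant-time comparison on bytes (avoids TypeError on non-ASCII input).
    return hmac.compare_digest(expected.encode(), returned_state.encode())
```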