Skip to main content
Run any Skill in Manus
with one click

oauth-oidc-saml-flaws

Stars2
Forks1
UpdatedJuly 9, 2026 at 12:42

SAST detection methodology for federated-auth flaws in OAuth 2.0, OpenID Connect, and SAML (CWE-347/352/601), including missing/replayable state (login CSRF), missing PKCE, weak redirect_uri validation, implicit-flow token leakage, SAML signature wrapping (XSW) and unsigned/comment-injection assertions, unvalidated audience/issuer/nonce on ID tokens, confused-deputy across IdPs, and client_secret exposure. Use when reviewing OAuth/OIDC/SAML login and callback code. Writes confirmed findings to findings/23-oauth-oidc-saml-flaws.md.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

SKILL.md
readonly