# "><script>alert("OAuth 2.0")</script>

> by @whoamins - @helloSOC

# Playgrounds

https://developers.google.com/oauthplayground/

# Vuln labs

https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications/blob/master/insecureapplication/README.md
https://portswigger.net/web-security/oauth

# Bug Bounty Writeups

http://philippeharewood.com/swiping-facebook-official-access-tokens/
https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/
https://lightningsecurity.io/blog/password-not-provided/
hackerone.com/reports/2575/
https://gitlab.com/gitlab-org/gitlab/-/issues/37038
https://hackerone.com/reports/317476
https://ninetyn1ne.github.io/2022-02-21-oauth-postmessage-misconfig/
https://hackerone.com/hacktivity?querystring=OAuth%202.0

# Videos

[MAIN Vulnerabilities of mobile OAuth 2 0 Nikita Stupin](https://www.youtube.com/watch?v=Lx98fLZBRfI)
[FAST OAuth2 0@2018 You are doing it wrong Aleksey Chernykh](https://www.youtube.com/watch?v=i5MxSKbgFLk)

# RFCs

> Copied from https://t.me/road_oscp

[The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
[Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
[OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126)
[Illustrated diagram of PAR](https://darutk.medium.com/illustrated-par-oauth-2-0-pushed-authorization-requests-652d71ed5cfb)
[OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
[OAuth 2.0 for browser-based apps (draft)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-09)
[Security current best practices (draft)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19)
[OIDC](https://openid.net/specs/openid-connect-core-1_0.html)
[The OAuth 2.1 Authorization Framework](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05)

# Blog Posts

[Mobile OAuth 2.0 security](https://habr.com/ru/company/vk/blog/417031/)
[OAuth in mobile applications](https://habr.com/ru/company/kts/blog/654029/)