Standard OAuth Flows Easy
Four canonical OAuth 2.0 response_type / response_mode combinations against Client 1.
Standard OpenID Connect Flows Easy
The same four flow shapes layered with OpenID Connect β Client 1 plus one Client 2 reference.
Advanced OpenID Connect Flows Easy
Variants that add an extra security primitive on top of the standard authorization-code flow.
Server-side attacks against the OpenID Provider. Each card groups a single attack family β click `π‘ Hint?` if you're stuck.
- π© Flag β this task hides a CTF flag. Solve the attack and the flag appears on the success page (or the endpoint named in the task).
- π€ Bot β the real flag only unlocks when the victim bot (it logs in as
oemmes) walks the attack. Running it against your own account still pays a dummy flag for proof-of-technique. Paste your finished attack URL on the π€ Attacks using Victim-Bot tab to fire it at the bot.
Web Attacks Easy β Medium
Consent-page bypass, server-side XSS and clickjacking variants against the IdP.
Bypass Consent
XSS
flag on the consent page, so your payload has to read document.cookie and exfiltrate it to a server you control. Self-attacking only leaks a dummy value β the real flag is only set when oemmes loads your payload, so send the bot.
Clickjacking
Redirect Attacks Easy β Hard
Two families of bugs that let the IdP bounce the victim β or the victim's credentials β to an attacker-controlled URL.
Open Redirects
/verify endpoint to complete the flow and surface the flag on the success page. Self-attack pays a dummy flag; use the bot to obtain the real flag.
307 Redirect
redirect_uri? Worth thinking about the redirect_uri too (might be useful when using the botβ¦). On variant 2 a consent page is in the way. Use the bot π€ to obtain the flag.
Replay Attacks Medium
The IdP fails to single-use authorization codes β issue once, redeem twice.
Client Impersonation Medium
The IdP doesn't bind the registered client_id to the credential proving ownership of it. Start each verifier once as client1 and once as client2 and compare whether the code stays bound to the client it was issued for.
Client Impersonation 1
client_id=client1 or client_id=client2? Start the flow as one client and try to redeem the code as the other.
Client Impersonation 2
client_id=client1 or client_id=client2? Start the flow as one client and try to redeem the code as the other.
Client-side attacks against the Service Provider / OAuth client. Each card groups one attack family β pick a task, click `π‘ Hint?` if you're stuck.
- π© Flag β this task hides a CTF flag. Solve the attack and the flag appears on the success page (or the endpoint named in the task).
- π€ Bot β the real flag only unlocks when the victim bot (it logs in as
oemmes) walks the attack. Running it against your own account still pays a dummy flag for proof-of-technique. Paste your finished attack URL on the π€ Attacks using Victim-Bot tab to fire it at the bot.
Web Attacks Medium
Classic browser-side weaknesses layered on top of the OAuth flow.
CSRF
state and nonce β reusing the values from another session, swapping them with custom ones, or just removing them entirely?
Redirect Attacks
/flag endpoint?
Replay Attacks Medium
The SP fails to detect that the same authentication artefact is being used twice.
ID Token Attacks Easy β Hard
The SP receives an id_token from the IdP. Each sub-section attacks a different validation step.
Wrong Recipient
βοΈ Setup
For this task, you need to receive tokens like a malicious client. You can use any website you control for this purpose, e.g., the Catcher.
π© Receive a flag by redeeming a token that was issued for the wrong client.
aud claim), or will it swallow a token addressed to a different client? Capture a token issued for another client, then replay it here.
- In the setup box above, put a Catcher URL you control in
redirect_uriand keepclient_id=evilClientβ a sloppily-registered client (client_secret=secret-attacker-org) the IdP lets use any redirect_uri. Click Save. - Start Wrong Recipient 1/2: the honest IdP authenticates the logged-in user and delivers an id_token with
aud=evilClientto your Catcher. Save that id_token. - Click Reset (the links revert to the honest
client1flow), start Wrong Recipient 1/2 again, and in the authorization response swap the IdP-issued token for your captured one. Wrong Recipient 1 trustsaudblindly; Wrong Recipient 2 only requiresaudto be a known client (evilClientpasses, a random value is rejected).
Get the dummy flag first, then the real one. Run the whole captureβreplay against your own login (any subject other than oemmes): you can see your Catcher and every token, so you can debug the flow until it works β a success drops a dummy flag (FLAG{oidc_trc_1_dummy}) that proves your exploit is sound. Only once that works, repeat the exact same attack while driving the π€ Oemmes Bot so the captured token carries sub=oemmes, which yields the real flag. With the bot you are blind β you never see its browser β so never try to debug against it.
Signature Exclusion
sub=oemmes β you have to impersonate the victim, not merely defeat the signature check.
Key Confusion
sub=oemmes β you have to impersonate the victim, not merely defeat the signature check.
Insecure Key
sub=oemmes β you have to impersonate the victim, not merely defeat the signature check.
Challenges Master
Open-ended scenarios. No step-by-step hints β combine what you learnt in the earlier sections.
Advanced Verification Master
Nothing here yet. Come back later.
oemmes and walks the same flow on its own session;
the real flag only unlocks when the bot β not your own
account β is the authenticated subject. The bot enforces an
allow-list of sp_verifier/idp_verifier
pairs server-side, so URLs whose verifier combination isn't a
designed attack are rejected.
π€ Submit an attack URL to the bot
Build the exploit against yourself first against one of the
π€-marked attacks in the
Attacks against IdPs / Attacks against Clients
tabs and observe the
dummy flag, then paste the attack URL here to fire it at the
bot β it logs in as oemmes and walks the same flow you did.
The real flag will appear in your captured-token endpoint. URL must
point to the honest IdP (idp.e-hacking.de); SP / catcher
URLs are rejected server-side.
Same attack catalogue as the previous tabs, but executed against a malicious Identity Provider you control. Two extra families (ID Spoofing, Cross-Phase Attacks) only show up here because they need attacker-issued tokens or attacker-served metadata.
- π© Flag β this task hides a CTF flag. Solve the attack and the flag appears on the success page (or the endpoint named in the task).
- Exclusive with mIdP β only solvable from this tab, where you control the Identity Provider.
βοΈ Setup: Custom IdP Configuration
The Client will discover the IdP by appending /.well-known/openid-configuration
to whatever you save below.
Need an mIdP instance? Spin up a Catcher and enable its mIdP bundle:
https://e-attacker.de:443/signup.
Standard OAuth Flows Easy
Four canonical OAuth 2.0 response_type / response_mode combinations against Client 1.
Standard OpenID Connect Flows Easy
The same four flow shapes layered with OpenID Connect β Client 1 plus one Client 2 reference.
Advanced OpenID Connect Flows Easy
Variants that add an extra security primitive on top of the standard authorization-code flow.
Client-side attacks against the Service Provider / OAuth client. Each card groups one attack family β pick a task, click `π‘ Hint?` if you're stuck.
Web Attacks Medium
Classic browser-side weaknesses layered on top of the OAuth flow.
CSRF
state and nonce β reusing the values from another session, swapping them with custom ones, or just removing them entirely?
Redirect Attacks
Replay Attacks Medium
The SP fails to detect that the same authentication artefact is being used twice.
ID Token Freshness Exclusive with mIdP Easy
You own the IdP β mint tokens with arbitrary time claims and see which of them the SP actually validates. The timestamps also have to form a coherent chain.
Expiration (exp)
exp set to the year 1999.
Not Before (nbf)
nbf means not before. Are tokens accepted that would only become valid in the year 2100?
ID Token Attacks Easy β Hard
The SP receives an id_token from the IdP. Each sub-section attacks a different validation step.
Wrong Recipient
aud claim), or will it swallow a token addressed to a different client? Capture a token issued for another client, then replay it here.
- In the setup box above, put a Catcher URL you control in
redirect_uriand keepclient_id=evilClientβ a sloppily-registered client (client_secret=secret-attacker-org) the IdP lets use any redirect_uri. Click Save. - Start Wrong Recipient 1/2: the honest IdP authenticates the logged-in user and delivers an id_token with
aud=evilClientto your Catcher. Save that id_token. - Click Reset (the links revert to the honest
client1flow), start Wrong Recipient 1/2 again, and in the authorization response swap the IdP-issued token for your captured one. Wrong Recipient 1 trustsaudblindly; Wrong Recipient 2 only requiresaudto be a known client (evilClientpasses, a random value is rejected).
Get the dummy flag first, then the real one. Run the whole captureβreplay against your own login (any subject other than oemmes): you can see your Catcher and every token, so you can debug the flow until it works β a success drops a dummy flag (FLAG{oidc_trc_1_dummy}) that proves your exploit is sound. Only once that works, repeat the exact same attack while driving the π€ Oemmes Bot so the captured token carries sub=oemmes, which yields the real flag. With the bot you are blind β you never see its browser β so never try to debug against it.
ID Spoofing Exclusive with mIdP Medium
You own the IdP β mint tokens with arbitrary claims and see which ones the SP trusts to identify you. ID Spoofing 1β2: win on sub=superadmin AND iss=https://superadmin.e-hacking.de. ID Spoofing 3β4: even when sub and iss are securely verified, there can be other claims to become a superadmin.
Cross-Phase Attacks Exclusive with mIdP Hard
Endpoint manipulation, IdP confusion, mix-up β possible only when you control the discovery / metadata phase.
