Web Client

Standard authentication flows against the honest Identity Provider. Use these to get a feel for how OAuth 2.0 and OpenID Connect normally behave before working through the attack tabs.

Standard OAuth Flows Easy

Four canonical OAuth 2.0 response_type / response_mode combinations against Client 1.

Flow 1: Client 1Easy Flow 2: Client 1Easy Flow 3: Client 1Easy Flow 4: Client 1Easy

Standard OpenID Connect Flows Easy

The same four flow shapes layered with OpenID Connect — Client 1 plus one Client 2 reference.

Flow 1: Client 1Easy Flow 2: Client 1Easy Flow 3: Client 1Easy Flow 4: Client 1Easy Flow 1: Client 2Easy

Advanced OpenID Connect Flows Easy

Variants that add an extra security primitive on top of the standard authorization-code flow.

PKCEEasy

Server-side attacks against the OpenID Provider. Each card groups a single attack family — click `💡 Hint?` if you're stuck.

Web Attacks Easy – Hard

Consent-page bypass, server-side XSS and clickjacking variants against the IdP.

Bypass Consent

💡 Hint?

Check the OIDC Core Spec §3.1.2.1 — one parameter there asks the IdP to render no UI at all. There's also a non-spec route: what does the consent page POST to when the user clicks Authorize?

Bypass Consent PageEasy🚩Server-side XSSMedium🚩🤖

Clickjacking

💡 Hint?

Each variant drops a different frame-protection mechanism. What protects an IdP from being rendered inside an attacker's iframe?

Clickjacking 1Hard Clickjacking 2Hard Clickjacking 3Hard Clickjacking 4Hard

Redirect Attacks Easy – Hard

Two families of bugs that let the IdP bounce the victim — or the victim's credentials — to an attacker-controlled URL.

Open Redirects

💡 Hint?

How does the IdP decide whether a URL matches the allow-list? String prefix? Host equality? URL parser? And do those agree with how the browser parses the URL? Once you've leaked the code somewhere you control: a code is identity. Replay it back at the SP's /verify endpoint to complete the flow and surface the flag on the success page. Self-attack pays a dummy flag; use the bot to obtain the real flag.

Open Redirect 1Easy🚩🤖Open Redirect 2Medium🚩🤖Open Redirect 3Medium🚩🤖Open Redirect 4Hard🚩🤖

307 Redirect

💡 Hint?

What does HTTP 307 do that 302/303 doesn't (RFC 9700 §4.12)? When the IdP answers the login POST with a 307, what's in the body the browser replays to redirect_uri?

307 Redirect 1Easy 307 Redirect 2Medium🚩🤖

Replay Attacks Medium

The IdP fails to single-use authorization codes — issue once, redeem twice.

💡 Hint?

Once the SP has exchanged a code for a token, what should happen the next time the same code is presented?

Code Reuse 1Medium Code Reuse 2Medium

Client Impersonation Medium

The IdP doesn't bind the registered client_id to the credential proving ownership of it.

💡 Hint?

How does the token endpoint decide which client is talking to it?

Client Impersonation 1Medium Client Impersonation 2Medium

Client-side attacks against the Service Provider / OAuth client. Each card groups one attack family — pick a task, click `💡 Hint?` if you're stuck.

Web Attacks Medium

Classic browser-side weaknesses (CSRF, covert redirect) layered on top of the OAuth flow.

💡 Hint?

Could the attacker convince the user's browser to start an OAuth flow it didn't ask for? And once a flow is finished, where does the response actually end up? For the CSRF variants: what about state and nonce — reusing the values from another session, swapping them with custom ones, or just removing them entirely?

Cross-Site Request Forgery 1Medium🚩Cross-Site Request Forgery 2Medium🚩Covert RedirectMedium🚩🤖

Replay Attacks Medium

The SP fails to detect that the same authentication artefact is being used twice.

💡 Hint?

If a code/state/nonce can be issued, what stops it from being redeemed a second time? And do two sessions share anything they shouldn't?

Replay Attack 1Medium🚩Replay Attack 2Medium🚩Replay Attack 3Medium🚩Replay Attack 4Medium🚩

ID Token Attacks Easy – Hard

The SP receives an id_token from the IdP. Each sub-section attacks a different validation step.

Wrong Recipient

💡 Hint?

Whose token did you actually receive? The aud claim names the client a token was minted for — but does the SP check that this matches itself? The real win needs an id_token minted by the honest IdP for a different client, with the bot as the authenticated user. The IdP has a sloppily-registered client you can use: client_id=evilClient, client_secret=secret-attacker-org, with no redirect_uri match — point it at any catcher subdomain you own to capture oemmes's tokens, then replay the id_token here.

Wrong Recipient 1Medium🚩🤖Wrong Recipient 2Medium🚩🤖

Signature Exclusion

💡 Hint?

Perhaps some insecure signing algorithms are supported? And what about different speLliNgS of the algorithm?

Signature Bypass 1Easy🚩Signature Bypass 2Easy🚩Signature Bypass 3Easy🚩

Key Confusion

💡 Hint?

Perhaps a confusion between symmetric and asymmetric cryptography is applicable. There was an interesting bug recently, in which the modulus was used for HMAC verification. The PEM format is just so simple and intuitive, too. Sometimes secrets are base64-encoded — make sure to check the secret base64 encoded checkbox on JWT.io.

Signature Bypass 4Medium🚩Signature Bypass 5Medium🚩

Insecure Key

💡 Hint?

Trust establishment is essential for JWTs. Generating your own key should be no problem for you.

Signature Bypass 6Hard🚩

Challenges Master

Open-ended scenarios. No step-by-step hints — combine what you learnt in the earlier sections.

Steal the tokens via Covert Redirect 1Master Steal the tokens via Covert Redirect 2Master Steal the tokens via XSS on the SPMaster

Advanced Verification Master

Nothing here yet. Come back later.

Same attacks as in the previous tabs, grouped here for the victim-bot flow. The bot logs in as oemmes and walks the attack on its own session; the real flag only unlocks when the bot — not your own account — is the authenticated subject. Self-running these from the attacker account still pays a dummy flag for proof-of-technique. The bot enforces an allow-list of attack_ids server-side, so non-listed verifiers cannot be laundered through it.

Open Redirect Easy – Hard

The IdP's broken redirect_uri validation lets you reroute the auth code to a host you control. Replay the captured code at /verify to log in. Self-attack pays a dummy flag; use the bot (as oemmes) to win the real one.

Open Redirect 1Easy🚩🤖Open Redirect 2Medium🚩🤖Open Redirect 3Medium🚩🤖Open Redirect 4Hard🚩🤖

307 Redirect Medium

The bot logs in as the dedicated account whose password is the flag. Can you steal the flag?

307 Redirect 2Medium🚩🤖

Covert Redirect Medium

The covert redirect after auth completes allows the attacker to leak tokens to an attacker-chosen URL. Can you use this token to get the flag at the /flag endpoint?

Covert RedirectMedium🚩🤖

Server-side XSS Medium

The IdP is XSS-vulnerable and exposes the flag in a cookie. The bot's session holds the real flag; self-attack pays a dummy.

Server-side XSSMedium🚩🤖

Wrong Recipient (Token Recipient Confusion) Medium

The SP fails to check the aud claim. The bot lets you replay a token minted for a different client and pass it off as a valid login.

Wrong Recipient 1Medium🚩🤖Wrong Recipient 2Medium🚩🤖

🤖 Submit an attack URL to the bot

Build the exploit against yourself first against one of the attacks above and observe the dummy flag, then paste the attack URL here to fire it at the bot — it logs in as oemmes and walks the same flow you did. The real flag will appear in your captured-token endpoint. URL must point to the honest IdP (idp.e-hacking.de); SP / catcher URLs are rejected server-side.

Same attack catalogue as the previous tabs, but executed against a malicious Identity Provider you control. Two extra families (ID Spoofing, Cross-Phase Attacks) only show up here because they need attacker-issued tokens or attacker-served metadata.

⚙️ Setup: Custom IdP Configuration

The Client will discover the IdP by appending `/.well-known/openid-configuration` to whatever you save below. Need an mIdP instance? Spin up a Catcher and enable its mIdP bundle: https://e-attacker.de:443/signup.

Standard authentication flows against the honest Identity Provider. Use these to get a feel for how OAuth 2.0 and OpenID Connect normally behave before working through the attack tabs.

Standard OAuth Flows Easy

Four canonical OAuth 2.0 response_type / response_mode combinations against Client 1.

Flow 1: Client 1Easy Flow 2: Client 1Easy Flow 3: Client 1Easy Flow 4: Client 1Easy

Standard OpenID Connect Flows Easy

The same four flow shapes layered with OpenID Connect — Client 1 plus one Client 2 reference.

Flow 1: Client 1Easy Flow 2: Client 1Easy Flow 3: Client 1Easy Flow 4: Client 1Easy Flow 1: Client 2Easy

Advanced OpenID Connect Flows Easy

Variants that add an extra security primitive on top of the standard authorization-code flow.

PKCEEasy

Client-side attacks against the Service Provider / OAuth client. Each card groups one attack family — pick a task, click `💡 Hint?` if you're stuck.

Web Attacks Medium

Classic browser-side weaknesses (CSRF, covert redirect) layered on top of the OAuth flow.

💡 Hint?

Cross-Site Request Forgery 1Medium Cross-Site Request Forgery 2Medium Covert RedirectMedium

Replay Attacks Medium

The SP fails to detect that the same authentication artefact is being used twice.

💡 Hint?

If a code/state/nonce can be issued, what stops it from being redeemed a second time? And do two sessions share anything they shouldn't?

Replay Attack 1Medium Replay Attack 2Medium Replay Attack 3Medium Replay Attack 4Medium

ID Token Attacks Easy – Hard

The SP receives an id_token from the IdP. Each sub-section attacks a different validation step.

Wrong Recipient

💡 Hint?

Wrong Recipient 1Medium Wrong Recipient 2Medium

ID Spoofing Exclusive with mIdP Medium

You own the IdP — mint tokens with arbitrary sub values and see whether the SP accepts them. Flag condition: the SP authenticates a token with sub=superadmin AND iss=https://superadmin.e-hacking.de

ID Spoofing 1Medium🚩ID Spoofing 2Medium🚩

Cross-Phase Attacks Exclusive with mIdP Hard

Endpoint manipulation, IdP confusion, mix-up — possible only when you control the discovery / metadata phase.

Malicious EndpointsHard IdP ConfusionHard Mix-Up AttackHard