Chapter 6 OAUTH 2.0 Vulnerabilities

OAuth 2.0 In 10 Minutes — Flows & Trust Model

10 min read · Lesson 28 / 95

Why OAuth bugs pay so well

The login page is the front door of every modern application. A flaw in the OAuth flow gives a hunter silent account takeover — no phishing required, no user interaction beyond a single click. That is why OAuth findings reliably sit in the highest payout bracket of every public bug bounty program.

The three flows you will see in the wild

The Authorization Code flow with PKCE is what modern single-page apps and mobile apps use. The vulnerable surfaces are the redirect URI, the PKCE code verifier and any storage of the authorization code in a place an attacker can read.

The classic Authorization Code flow without PKCE is still used by server-side applications. Here the client secret is the additional trust anchor; if it leaks, the attacker can impersonate the application against the identity provider.

The Implicit flow is deprecated but still alive, especially in legacy enterprise dashboards. It returns the access token directly in the URL fragment, which means any leak path — Referer headers, browser history, service workers — exposes the token.

The four trust anchors

Every OAuth flow rests on four inputs. The client_id is public and identifies the application. The redirect_uri must match an entry on the allow-list registered for that client, and is where the authorization code or token is delivered. The state parameter is a CSRF defence: the client generates it per login attempt and verifies it when the response comes back. The code_verifier in PKCE flows is a cryptographic proof that the client redeeming the code is the same one that requested it.
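To make the Authorization Code + PKCE flow from the section above and the four trust anchors concrete, here is an added example (not code from the lesson or from any real identity provider) that models both sides of the exchange in plain Python: the client generates state and a PKCE verifier/challenge pair, the authorization server enforces an exact-match redirect_uri allow-list, binds each single-use code to the client, redirect and challenge it was issued with, and recomputes the S256 challenge at the token endpoint. The client_id, endpoints and hostnames are constructed placeholders, and `run_flow()` exercises the happy path plus one failing case per anchor so the checks can be seen rejecting bad input.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates for PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- Client side (the SPA / mobile app) ----------------------------------------

def new_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unguessable characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def new_state() -> str:
    """Unguessable per-login CSRF token; the client ties it to the browser session."""
    return b64url(secrets.token_bytes(16))


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            state: str, code_challenge: str) -> str:
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile", "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Verify state before touching the code: a mismatch means this response is not
    the answer to a request the current session started."""
    q = dict(parse_qsl(urlparse(callback_url).query))
    if not secrets.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return q["code"]


# ---- Authorization server side (hypothetical minimal IdP) -----------------------

class AuthorizationServer:
    def __init__(self, registered_clients: dict[str, list[str]]):
        self.clients = registered_clients  # client_id -> exact redirect URIs
        self.issued: dict[str, tuple[str, str, str]] = {}  # code -> (client, redirect, challenge)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        # Exact string comparison against the allow-list: no prefix or wildcard matching.
        if redirect_uri not in self.clients.get(client_id, []):
            raise ValueError("redirect_uri not registered")
        code = b64url(secrets.token_bytes(24))
        self.issued[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        entry = self.issued.pop(code, None)  # pop: every code is single use
        if entry is None:
            raise ValueError("unknown or already redeemed code")
        iss_client, iss_redirect, iss_challenge = entry
        if client_id != iss_client or redirect_uri != iss_redirect:
            raise ValueError("code bound to a different client or redirect_uri")
        recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(recomputed.encode(), iss_challenge.encode()):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


# ---- Exercise the flow and each anchor's failure mode ---------------------------

def run_flow() -> dict[str, str]:
    """Return {scenario: 'ok' | error message} for a happy path and four broken anchors."""
    as_ = AuthorizationServer({"spa-client": ["https://app.example/callback"]})
    client_id, redirect = "spa-client", "https://app.example/callback"
    results: dict[str, str] = {}

    def attempt(name, fn):
        try:
            fn()
            results[name] = "ok"
        except ValueError as e:
            results[name] = str(e)

    def happy():
        verifier, challenge = new_pkce_pair()
        state = new_state()
        build_authorization_url("https://idp.example/authorize", client_id, redirect, state, challenge)
        code = as_.authorize(client_id, redirect, challenge)
        cb = f"{redirect}?{urlencode({'code': code, 'state': state})}"  # constructed callback
        received = handle_callback(cb, state)
        as_.token(received, client_id, redirect, verifier)
        attempt("code_replay", lambda: as_.token(received, client_id, redirect, verifier))

    def wrong_verifier():
        _, challenge = new_pkce_pair()
        code = as_.authorize(client_id, redirect, challenge)
        as_.token(code, client_id, redirect, new_pkce_pair()[0])  # verifier from another pair

    attempt("happy_path", happy)
    attempt("unregistered_redirect", lambda: as_.authorize(client_id, "https://other.example/callback", "x"))
    attempt("wrong_verifier", wrong_verifier)
    attempt("state_mismatch", lambda: handle_callback(f"{redirect}?code=abc&state={new_state()}", new_state()))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_flow().items():
        print(f"{scenario:22} {outcome}")
```

The design choices mirror the anchors: the code is bound to client_id, redirect_uri and challenge at issue time and consumed with `pop`, so a leaked or replayed code is worthless without the verifier and dies after one use; redirect_uri is compared as an exact string rather than by prefix; and the client checks state before it ever sends the code to the token endpoint.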

Break any one of those four anchors and you usually get a working takeover. The next three lessons walk through each anchor and the bypasses that ship in real applications today.

Engr Mejba Ahmed