From soundcheck
Reviews OAuth2/OIDC implementations for security issues including weak JWT validation, loose redirect URI matching, missing state parameters, and unsafe token storage.
Install: npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

This skill uses the workspace's default tool permissions.
Prevents authentication bypasses from weak JWT validation, open redirects from loose
redirect_uri matching, and CSRF from missing state parameters. These flaws allow
account takeover and session hijacking.
Vulnerable patterns to look for:
- jwt.decode(token, key, algorithms=["none"]) — algorithm confusion bypasses the signature
- redirect_uri.startswith(allowed) — prefix match allows an evil-example.com bypass
- jwt.decode(token, key) — no algorithm restriction or audience check
- tokens kept in localStorage — accessible to any XSS payload
- no state parameter generated or validated — CSRF against the OAuth flow

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:
- Explicit algorithm allowlist: the algorithms= list never includes none and rejects switching between symmetric and asymmetric families (the classic HS256/RS256 public-key-as-HMAC attack). For broader JWT handling guidance, see the authentication-failures skill.
- Exact redirect_uri comparison: prefix matching (startswith), substring matching, and regex matching all have known bypass classes — evil-example.com, percent-encoded tricks, userinfo smuggling. The only safe comparison is exact string equality against a set of registered URIs.
- Audience and required claims: validate aud (audience) and the required claims. A token minted for a different service of the same issuer will validate the signature; only the audience check catches the confused-deputy case. Require exp, iat, sub at minimum.
- CSRF-safe state: generate an unguessable state, store it in the session before the redirect, and compare it on the callback. Without this the OAuth flow is CSRF-forgeable.
- Safe token storage: never keep tokens in localStorage. Web storage is readable by any same-origin script, so one XSS compromise exfiltrates every token.

Anchor — shape, not implementation:
# callback
require(request.state == session.pop("oauth_state"))
require(request.redirect_uri in ALLOWED_REDIRECT_URIS)  # exact match
claims = jwt_decode(token, pubkey,
                    algorithms=["RS256"], audience=MY_AUD,
                    require=["exp", "iat", "sub"])
Confirm the response:
- algorithms= is an explicit allowlist that never includes "none"
- redirect_uri is checked with an exact match against an allowlist set
- audience is validated in every JWT decode call
- state parameter is generated and validated against the stored session value
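A runnable version of the anchor's shape, added here as an example that is not part of the soundcheck skill or its checked code. It uses only the standard library, so it implements HS256 rather than the RS256 shown in the anchor; the key, token claims, session and redirect URIs are constructed for illustration, and mint_token exists only so the checks can be exercised.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed test helper: HS256-signed token, or an unsigned one when alg != HS256."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, algorithms, audience: str,
               required=("exp", "iat", "sub"), now=None) -> dict:
    """Decode a JWT with an explicit algorithm allowlist, audience check and required claims."""
    if "none" in {a.lower() for a in algorithms}:   # the allowlist itself must never admit "none"
        raise ValueError("allowlist must not contain 'none'")
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:                                # bad base64, bad JSON, or wrong part count
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") not in algorithms:
        raise ValueError("alg not in allowlist")      # blocks alg=none and HS/RS family switching
    if header["alg"] != "HS256":                      # only HS256 is implemented in this example
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")         # the confused-deputy check
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def check_callback(params: dict, session: dict, allowed_redirect_uris: set) -> bool:
    """Callback-side checks: single-use state bound to the session, exact redirect_uri match."""
    expected = session.pop("oauth_state", None)       # pop: a state value is only good once
    if not expected or not hmac.compare_digest(expected, str(params.get("state", ""))):
        raise ValueError("state mismatch")
    if params.get("redirect_uri") not in allowed_redirect_uris:  # exact equality, no prefix or regex
        raise ValueError("redirect_uri not registered")
    return True
```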