Trusted extra eyes for stuck bug bounty findings
During authenticated testing of a banking app, I found that the OAuth callback flow has a redirect parameter that accepts partially validated URLs. While fully external domains are blocked, I found that certain URL patterns using path traversal or subdomain tricks can redirect the callback to an attacker-controlled location, potentially leaking the OAuth authorization code or token fragment. The flow requires user interaction (clicking a crafted link), but the redirect happens after authentication. Need help crafting a reliable PoC that bypasses the current validation and demonstrates token interception.
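For readers triaging or fixing a report like this, the relevant control is how the authorization server compares the presented redirect URI against the client's registered URIs. The following is an added example (not code from the poster, the bank, or any real OAuth library) contrasting the prefix-style partial validation that the post describes with exact-match validation after normalization, as recommended by the OAuth 2.0 Security Best Current Practice. The registered URIs, hostnames and sample inputs are all constructed placeholders.

```python
"""Redirect URI validation for an OAuth 2.0 authorization server.

Added illustration, not code from the original post. Hostnames and
registered URIs are constructed placeholders. The hardened check follows
the OAuth 2.0 Security BCP rule: compare redirect_uri to the registered
set with plain string equality after conservative normalization; never
use prefix, suffix or substring matching.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical registered callback URIs for one client (constructed).
REGISTERED_REDIRECT_URIS = {
    "https://app.bank.example/oauth/callback",
    "https://app.bank.example/oauth/callback/mobile",
}

TRUSTED_ORIGIN_PREFIX = "https://app.bank.example"  # used only by the weak check


def normalize(uri: str) -> Optional[str]:
    """Canonicalize a URI so that equality comparison is meaningful.

    Returns None when the URI can never be a legitimate registered target:
    non-https scheme, missing or unparsable host/port, embedded userinfo,
    a fragment, or a path containing dot segments or backslashes.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":
        return None
    try:
        host, port = parts.hostname, parts.port  # .port raises on bad values
    except ValueError:
        return None
    if not host:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.fragment:
        return None
    path = parts.path or "/"
    if "\\" in path or any(seg in (".", "..") for seg in path.split("/")):
        return None
    # Lower-case the host and drop the default https port.
    netloc = host.lower()
    if port is not None and port != 443:
        netloc += f":{port}"
    return urlunsplit(("https", netloc, path, parts.query, ""))


def weak_prefix_check(uri: str) -> bool:
    """Partial validation (anti-pattern): trust anything starting with the origin string."""
    return uri.startswith(TRUSTED_ORIGIN_PREFIX)


def strict_redirect_check(uri: str) -> bool:
    """Exact-match validation: the normalized URI must equal a registered one."""
    canon = normalize(uri)
    return canon is not None and canon in REGISTERED_REDIRECT_URIS


def compare(uris):
    """Return (uri, weak_result, strict_result) for each input, for review tables."""
    return [(u, weak_prefix_check(u), strict_redirect_check(u)) for u in uris]


if __name__ == "__main__":
    samples = [  # constructed inputs, not taken from any real report
        "https://app.bank.example/oauth/callback",
        "https://APP.bank.example:443/oauth/callback",
        "https://app.bank.example.other.test/oauth/callback",     # lookalike host
        "https://app.bank.example/oauth/callback/../../other",    # dot segments
        "https://app.bank.example/oauth/callback#state",          # fragment
        "http://app.bank.example/oauth/callback",                 # downgrade
    ]
    for uri, weak, strict in compare(samples):
        print(f"{'weak:ACCEPT' if weak else 'weak:reject':12} "
              f"{'strict:ACCEPT' if strict else 'strict:reject':14} {uri}")
```

Every input the weak check accepts but the strict check rejects is a case where a prefix comparison, not the URL parser, was doing the security work. The defensive takeaway for triage is that registered URIs should be matched exactly, and any redirect_uri that needs normalization beyond case and default port should be treated as unregistered.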