Three harmless gaps
On their own, an open redirect, a permissive OAuth callback and a token leaked into a referrer header each score low and get deprioritised. A scanner reports them and moves on.
The chain
Cybörü reasoned about them together: the redirect bounced the victim through the permissive callback, the callback echoed the token into a destination it controlled, and the leaked token completed a session hijack. Low + low + low = critical.
The lesson
Severity is a property of paths, not findings. Anything that scores each gap in isolation is structurally blind to the impact that matters most.
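The lesson above, worked as a triage sketch. This is an added example, not Cybörü's own code or method: the capability names, the severity scale and the sample findings are assumptions constructed to mirror the three gaps described here. Each finding is modelled by what it requires and what it grants, and severity is read off the reachable path rather than the individual entries.

```python
from dataclasses import dataclass

RANK = ["info", "low", "medium", "high", "critical"]  # assumed severity scale

@dataclass(frozen=True)
class Finding:
    name: str
    severity: str          # score assigned in isolation
    requires: frozenset    # capabilities needed before this gap is usable
    grants: frozenset      # capabilities gained once it is used

# Constructed sample data: the three gaps from the text plus one unrelated finding.
FINDINGS = [
    Finding("open_redirect", "low", frozenset({"victim_visits_link"}), frozenset({"steers_navigation"})),
    Finding("permissive_oauth_callback", "low", frozenset({"steers_navigation"}), frozenset({"token_reaches_untrusted_host"})),
    Finding("token_in_referrer", "low", frozenset({"token_reaches_untrusted_host"}), frozenset({"valid_session_token"})),
    Finding("verbose_server_banner", "low", frozenset(), frozenset({"knows_server_version"})),
]
IMPACT = {"valid_session_token": "critical"}  # assumed impact of reaching a capability

def find_chain(goal, findings, start):
    """Forward-chain capabilities from `start`; return the findings that lead to `goal`, or None."""
    have, granted_by, progress = set(start), {}, True
    while progress and goal not in have:
        progress = False
        for f in findings:
            if f.requires <= have and not f.grants <= have:
                for cap in f.grants - have:
                    granted_by[cap] = f      # remember which finding unlocked it
                have |= f.grants
                progress = True
    if goal not in have:
        return None
    chain, todo = [], [goal]
    while todo:                              # walk back from the goal to the start
        f = granted_by.get(todo.pop())
        if f and f not in chain:
            chain.append(f)
            todo.extend(f.requires)
    return chain[::-1]

def triage(findings, start, impact=IMPACT):
    """Return (highest isolated severity, {goal: (path severity, finding names)})."""
    isolated = max((f.severity for f in findings), key=RANK.index)
    paths = {}
    for goal, sev in impact.items():
        chain = find_chain(goal, findings, start)
        if chain:
            paths[goal] = (sev, [f.name for f in chain])
    return isolated, paths
```

Re-running `triage` with any one link of the chain removed shows the critical path disappearing, which is the argument for fixing a "low" finding that sits on such a path.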