1. Reusing the Authorization Token ⇒ /code=<code here>
- Sometimes the client doesn't expire tokens, so the same authorization code is accepted more than once
- Intercept the OAuth flow and send the request containing /code=<code-here> to Repeater
- Replay the same request from Repeater
- If it still returns a valid result, the code is reusable and there is a flaw
2. redirect_uri not being validated
- During the OAuth flow, change redirect_uri to an attacker-controlled domain to check whether the server validates it properly
- If it is accepted, the attacker receives /code=<code here> and can use it to log in to the victim's account
- In real-world cases, if an external domain is not allowed, try changing redirect_uri to a subdomain of the application, or to a page where an XSS bug or an open redirect was found
3. State parameter (anti-CSRF token)
- Try changing the value of the 'state' parameter, or removing it entirely, to see whether the application validates it
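The defensive counterpart to the three checks above, as an added Python example that is not part of the original checklist: exact redirect_uri matching, short-lived single-use authorization codes, and state validation. The client id, redirect URIs and in-memory stores are constructed sample values.

```python
# Added example (not from the original checklist): a minimal, defensive model of the
# three server-side checks this list probes. Client registration, the code store and
# the session state below are constructed in-memory sample data.
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed sample client registration: exact redirect URIs, no wildcards.
CLIENTS = {"app123": {"redirect_uris": {"https://app.example.com/callback"}}}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Check 2: exact string match against the registered list.
    Subdomains, extra paths or queries, fragments and non-https schemes are rejected."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


class CodeStore:
    """Check 1: authorization codes expire quickly and can be redeemed only once."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._codes = {}  # code -> (client_id, redirect_uri, expiry timestamp)

    def issue(self, client_id: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, time.time() + self.ttl)
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> bool:
        entry = self._codes.pop(code, None)  # pop: a replayed code is never found again
        if entry is None:
            return False
        issued_client, issued_uri, expiry = entry
        # The code is bound to the client and redirect_uri it was issued for.
        return issued_client == client_id and issued_uri == redirect_uri and time.time() < expiry


def state_valid(session_state, returned_state) -> bool:
    """Check 3: the state stored in the session must come back unchanged.
    A missing or altered state is rejected; the comparison is constant-time."""
    if not session_state or not returned_state:
        return False
    return hmac.compare_digest(session_state, returned_state)
```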