Collaborate Disseminate
In the OAuth2 Implict Grant flow, the access token is added to the URL fragment as part of the redirect from the Authorization Server to the Relying Party. Since this access token is made visible to the end-user in the Callback URL, this U… Continue reading Detecting session sharing with OAuth2
In the good old days, you made server-side websites using PHP or something like that, now we have modern web apps divided into front-end and back-end (usually API Rest), you can’t rely on CORS because some clients like postman don’t care a… Continue reading How to secure backend API access?
When a re-direct from a HTML/PHP site takes a couple seconds, can a tool edit the ‘Status Code’ header to skip to the site which requires an access-token.? Which tools, COTS or open-source can do it? Which Burp tool option (like Pro level)… Continue reading Tools to intercept a HTTPS GET and change header Status Code during a re-direct?
I have a REST API, which I’ll call "R". R uses Oauth2 Bearer tokens for auth.
However, R has a fairly complex API, so we’re designing a new system called "O" that provides a simpler API. Users will have the choice of ma… Continue reading how to avoid Oauth2 timeouts with orchestrator REST API
Recover Accounts Elsewhere from GitHub has been deprecated. This will be fully removed on December 1st of 2021. [source]
Why was this option removed? Is there some sort of security issue in using this token?
Continue reading Why is Recover Accounts Elsewhere in GitHub removed?
Many resources on the internet state that you should use Access Token and not Id Token to authenticate to an API, but do not provide explicit reasons why. Are there any real drawbacks to use an Id Token for authentication in a case when we… Continue reading OAuth2 – using Id Token for authentication to a backend service
I am currently testing a website that appears to make a refresh token request every time I focus away from the web browser and back, or away from the tab the website is open in and back to it. I’ve confirmed these requests are refreshing m… Continue reading Is there a risk involved in refreshing a JWT token every time you refocus the webpage?
I’m pentesting an android application written in Cordova and while inspecting the network traffic I found some interesting endpoint that I would like to test.
However, this endpoint need a tokenID (ex. eyJ[…].eyJ[…]) and I don’t know w… Continue reading Requiring Google Mobile Service token
I recently came across a source code where they save a user’s refresh token and the access token upon sign in through Google into the database. This is done to access the Google APIs later on through the server.
My question is, isn’t this … Continue reading Is it a good practice to store both the Google Oauth2 access token and the refresh token in the database un hashed?
I need to provide security requirements for public API keys that will be generated by a web application and then used in automation scripts by clients.
The scripts will be run on the endpoints several times a day via a cronjob.
The risk of… Continue reading Security requirements for public API keys