Collaborate Disseminate
The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
The client stores… Continue reading can we use access token as session cookie in browser? and how to protect it?
We have a situation of the session_state param on an OpenID Connect/Oauth app is sent on GET. We asked the developers to send it on POST. Developers claim that because standard OIDC/OAuth use 302 redirects, GET is the only option and they … Continue reading Can OpenID session_state be sent on POST?
By Deeba Ahmed
Cloud Security Shakeup: Experts Urge Caution as OAuth Becomes Hacker Playground.
This is a post from HackRead.com Read the original post: Microsoft: Storm-1283 Sent 927,000 Phishing Emails with Malicious OAuth Apps
Continue reading Microsoft: Storm-1283 Sent 927,000 Phishing Emails with Malicious OAuth Apps
Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. Abusing OAuth applications OAuth is an open standard authentication protocol that uses tokens to grant app… Continue reading Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns
I am trying to ascertain if Google Cloud Pub/Sub supports OAuth 2.0 with Mutual TLS (mTLS). Despite conducting an internet search, I couldn’t find any pertinent information regarding mTLS support (it currently only supports OAuth 2.0). Doe… Continue reading Mtls in Google Cloud pub/sub oauth 2.0
I’ve read some blogs and did some labs regarding OAuth’s implicit flow,
but it seems to me everyone just turn a blind eye to a very critical point in the flow.
Assuming that site A uses the implicit flow for authentication,
it will redirec… Continue reading Isn’t there a critical built-in vulnerability in OAuth’s Implicit flow?
We’ve talked a few times here about the issues with the CVSS system. We’ve seen CVE farming, where a moderate issue, or even a non-issue, gets assigned a ridiculously high …read more Continue reading This Week in Security: CVSS 4, OAuth, and ActiveMQ
Considering an attacker may be able to leverage the information gathered from standard endpoints/configuration files such as /.well-known/oauth-authorization-server and /.well-known/openid-configuration, is it considered best practice to n… Continue reading Should standard OAuth endpoints/configuration files be kept private?
By Deeba Ahmed
The critical API security flaws in the social sign-in and OAuth (Open Authentication) implementations affected high-profile companies like…
This is a post from HackRead.com Read the original post: Social Login Flaws in Popular Webs… Continue reading Social Login Flaws in Popular Websites Risked Billions of User Accounts
During a pentest I have found a JWT that seems to be a refresh-token issued by some IAM software.
The scope field in the JWT lists all the applications as URLs that this token can be used to obtain access tokens for.
From an attacker persp… Continue reading URLs in JWT scope