Collaborate Disseminate
Here is the scenario:
Server A is an authentic server (A.com).
Server F is a fake server (F.com) that also has a valid cert for
F.com has a copy of A.com certificate to it (to fake as A.com).
Client C is trying to connect to A.com via a r… Continue reading Detect invalid cert Android client if URL being redirected to a fake server
I am currently working on a sign-up flow on Auth0 where I need to get GDPR consent after a person does a social login. We can run serverless functions using their Actions that check if GDPR has been consented and redirects to a custom site… Continue reading Redirect security with opaque state token to SPA on login
OAuth2 requires clients to register allowed values for redirect_uri.
Otherwise, an attacker could receive the authorization code. For example:
https://authorization.example/oauth/authorize
?client_id=abc
&response_type=code
&redire… Continue reading Why doesn’t client_secret prevent authorization code OAuth2 redirect attacks?
I have used axios to send a POST request after pressing a button. I want to make sure not to send the data again after refreshing the page or clicking the button right after.
When I refresh the page or click the button the data is not bein… Continue reading Why isn’t the data sent again after resfresh page in a POST request [migrated]
One of our company sites redirects all bad URLs back to the login page which is required to even access the site. Is this insecure? It feels like it may cause some weird issues as I have never seen this before or at least be bad practice. … Continue reading Is redirecting back to login page bad practice/insecure
Our work e-mail server has started rewriting links in incoming mail through a redirecting gateway, for "security reasons": if I receive an e-mail containing a link to
https://security.stackexchange.com, the link gets rewritten to… Continue reading Is URL rewriting in e-mail a sound security practice?
On Quora, when I want to sign in using Google, I am redirected to this URL, which has a parameter client_id=917071888555.apps.googleusercontent.com.
Similarly, reddit takes me here, which has client_id=705819728788-b2c1kcs7tst3b7ghv7at0hkq… Continue reading Do sites like reddit and Quora expose their Google API client keys to the public?
If client/browser trying to access http via 80, most likely it will be redirected to https/443 due to server configuration.
Will browser actually automatically establish new connection to port 443 or reuse the previous connection?
How exac… Continue reading Will browser establish new TCP connection when being redirected from http to https? [closed]
I’m using Keycloak for my authentication needs. It allows me to use * as wildcard when whitelisting redirect_uris for OIDC clients. What are the risks of using * in context path of redirect_uri? For example, what could attacker do if I reg… Continue reading What are the risks of using wildcard in context path of OIDC/OAuth redirect_uri?
While working on a site (https://website.com/site/site.apexp) the site redirects through a javascript function:
<html>
<script>
function redirectOnLoad() {
var escapedHash = ”;
var url = ‘https://website.com/s/login?ec… Continue reading Explotation of reload/redirect through javascript