Collaborate Disseminate
Basically, I have a webapp which needs to check the validity of the user of an Android app. After completing the basic login flow with Facebook in the Android app, a Facebook access token is sent to the server where it is val… Continue reading Is it possible to get hacked by a redirection placed inside a Facebook Graph URL?
Preloading is a primitive operation. You must preload for a year or more, and “be aware that inclusion in the preload list cannot easily be undone,” according to the registration tool. Therefore, if there is ANY chance of an … Continue reading How can HSTS preloading be avoided?
Here is a link from an SMS I received abev1o.yzv.jp.
This link redirects to a somewhat random website (twitter, youtube, CNN, and others).
I downloaded the page using curl:
https://gist.github.com/serega/aab933c9104e92f18… Continue reading Purpose of this link that redirects to random websites [closed]
I am evaluating the above service design where I want to have mechanism to pass a user through multiple microservices. In this simple example, the user goes through a sign-up process and once done, the user is redirected to another micro… Continue reading Security Considerations To Account for When Redirecting From Microservice to Another
In a recent execution of a spider, Burp reported cleartext submission of a password CWE-319, but the evidence in the report is merely the preceding GET request of a non-existant page, redirected via HTTPS to a login page cont… Continue reading False Positive of Cleartext Submission in (CWE-319) in Burp?
How should the auth server (IDP) report the error if the authorisation request redirect_uri doesn’t match the configured redirect_uri for the given client?
Let’s consider concrete example:
auth.com is the IDP
service.com i… Continue reading How to report error if redirect_uri doesn’t match?
I found a login form on a website that redirects you regardless if the insert credentials are correct or wrong (302 redirect). I noticed that the value of the header Referer: is sent to header Location: in response. So for e… Continue reading Referer value reflected in location response?
I have a site located at
https://gooddomain.com/wonderful?returnPath=goodThings
which redirects me to
https://gooddomain.com/somegoodplace/goodThings
At the server side, the redirect is defined by
String path = request… Continue reading Can a user be redirected to a malicious website if only a part of the url can be controlled by user input?
A user clicked on the link of this email and entered their credentials, thinking the message was legitimate. However, the link didn’t redirect to the fake site, and instead their mail client sent them to the link as it was di… Continue reading How Concerning Is This X-CU-modified: FAKECU Text Attack?
I’ve read a lot about Implicit Grant Flow and when it should be used, but I can’t wrap my head around a use case for where it would have made sense over the Authentication Code Grant Flow before PKCEs were a recommended option.
Here is wh… Continue reading What was the point of Implicit Grant Flow in OAuth 2.0?