hi

On Apr 25, 2016, at 3:01 PM, Daniel Fett <[email protected]> wrote:

> On 24.04.2016 at 22:31 John Bradley wrote:
>> I described a similar attack at the meeting in Darmstadt. Using stolen
>> state to inject code from a different session.
>>
>> We were calling that the cut and paste attack. The proposed mitigation is
>> in the draft that Mike and I did.
>>
>> This was based on the attacker making a new request in a different user
>> agent and using that state.
>>
>> In open redirectors draft we do talk about referrer leaking info, and
>> methods to address that.
>>
>> Checking referrer is a weak protection at best, as that is easily faked in
>> many circumstances.
>
> Note that we do not propose checking the referrer as a mitigation; we
> propose using the referrer policy (at the client) to suppress the
> referrer (just as in the open redirector draft where it is used at the
> AS). So the recommendation here is to use the referrer policy also at
> the client.

and just as a corollary Internet Explorer doesn't seem to support the referrer policy. Maybe Edge…

regards
antonio

>
>> Are you saying that the proposed mitigation of the AS tying state to code is
>> not sufficient?
>
> Yes, it is not sufficient as an attacker can request a new code for his
> own account at the AS for the same state.
>
> (Note that from draft-bradley-oauth-jwt-encoded-state-05 it does not
> become clear how the JTI value comes into play here; you should probably
> add some clarification on generating this value and how to check it. An
> example would be good.)
>
> -Daniel
>
> --
> Information Security and Cryptography
> Universität Trier - Tel. 0651 201 2847 - H436
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
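The two points made in the thread, as an added illustration that is not code from the thread, from either draft, or from any real AS or client: a toy authorization server that records the `state` each code was issued for (the "AS ties state to code" mitigation), a check showing that a second authorization for a different account with the same `state` still passes that check (Daniel's objection), and the response header a client would send on the pages carrying `state` so the browser does not leak it through `Referer` (the referrer-policy mitigation). The class and function names and the in-memory store are assumptions made for the example.

```python
"""Toy model of 'AS binds code to state' and of a client-side Referrer-Policy.

Added example, not code from the OAuth thread or from any draft; all names,
accounts and the in-memory store are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class ToyAuthorizationServer:
    """Hypothetical AS keeping, per issued code, the state it was issued for."""

    # code -> (state, account); constructed in-memory store, not persistent
    issued: dict = field(default_factory=dict)

    def authorize(self, state: str, account: str) -> str:
        """Issue a fresh code for `account` and bind it to `state`."""
        code = secrets.token_urlsafe(16)
        self.issued[code] = (state, account)
        return code

    def code_matches_state(self, code: str, state: str) -> bool:
        """The AS-side check: does this code belong to this state?"""
        entry = self.issued.get(code)
        if entry is None:
            return False
        # constant-time comparison of the bound state with the presented one
        return secrets.compare_digest(entry[0], state)


def second_authorization_passes(as_server: ToyAuthorizationServer, state: str) -> bool:
    """Why the binding alone is insufficient: a code minted later for a
    different account but the same state is accepted by the same check."""
    other_code = as_server.authorize(state, account="other-account")
    return as_server.code_matches_state(other_code, state)


def client_response_headers() -> dict:
    """Headers a client should add to any response whose URL or links carry
    `state` (or the returned `code`), so a subsequent navigation does not
    expose them in the Referer header. The header name and value are the
    standard Referrer-Policy ones; the choice to send them here is the
    recommendation from the thread applied at the client."""
    return {"Referrer-Policy": "no-referrer"}


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    st = secrets.token_urlsafe(12)
    code = srv.authorize(st, account="first-account")
    print("own code matches state:", srv.code_matches_state(code, st))
    print("code for another account, same state, also matches:",
          second_authorization_passes(srv, st))
    print("client headers:", client_response_headers())
```

The first check succeeding is the mitigation working as designed; the second check also succeeding is the thread's point that the AS cannot distinguish a code legitimately minted for the same `state` value, which is why keeping `state` from leaking in the first place (the `Referrer-Policy` header on the client's responses) is the complementary control being recommended.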
