I mentioned another one in my recent email - BREACH attacks against HTTP 
compression being used to steal access tokens in transit.

There’s a variant of the online XSS attacks in which the attacker just proxies 
requests through the victim’s browser (https://beefproject.com) rather than 
exfiltrating tokens/proofs. You can protect against exfiltration attacks by 
e.g. token binding the DPoP proofs and/or access token, or storing the access 
token in an HttpOnly cookie (gasp!). 
You can protect against exfiltrating post-dated DPoP proofs by storing the 
private key in a separate origin loaded in an iframe that you use postMessage 
to ask for proof tokens so the attacker is not in control of those claims. 
Nothing really protects against an attacker proxying requests through your 
browser, so this is purely post-compromise recovery rather than an actual 
defence against XSS.

— Neil

> On 4 May 2020, at 18:24, Daniel Fett <f...@danielfett.de> wrote:
> 
> Hi all,
> 
> as mentioned in the WG interim meeting, there are several ideas floating 
> around of what DPoP actually does.
> 
> In an attempt to clarify this, I have unfolded the use cases that I see and 
> written them down in the form of attacks that DPoP defends against: 
> https://danielfett.github.io/notes/oauth/DPoP%20Attacker%20Model.html
> Can you come up with other attacks? Are the attacks shown relevant?
> 
> Cheers,
> Daniel
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
