On 04.05.20 at 19:54, Neil Madden wrote:
> I mentioned another one in my recent email - BREACH attacks against
> HTTP compression being used to steal access tokens in transit.

Excellent point, I added that one.

> There’s a variant of the online XSS attacks in which the attacker just
> proxies requests through the victim’s browser

That was the attack that should have been described under "Online XSS" in the first place. I somehow got confused along the way. Exfiltration of precomputed values is definitely /not/ "Online XSS".

> (https://beefproject.com) rather than exfiltrating tokens/proofs.

As a side note: BeEF is not really XSS but requires a full browser compromise.

Thanks for the feedback!

-Daniel

> You can protect against exfiltration attacks by e.g. token binding the
> DPoP proofs and/or access token, or storing the access token in a
> HttpOnly cookie (gasp!). You can protect against exfiltrating
> post-dated DPoP proofs by storing the private key in a separate origin
> loaded in an iframe that you use postMessage to ask for proof tokens
> so the attacker is not in control of those claims. Nothing really
> protects against an attacker proxying requests through your browser,
> so this is purely post-compromise recovery rather than an actual
> defence against XSS.
>
> — Neil
>
>> On 4 May 2020, at 18:24, Daniel Fett <f...@danielfett.de
>> <mailto:f...@danielfett.de>> wrote:
>>
>> Hi all,
>>
>> as mentioned in the WG interim meeting, there are several ideas
>> floating around of what DPoP actually does.
>>
>> In an attempt to clarify this, I have unfolded the use cases that I
>> see and written them down in the form of attacks that DPoP defends
>> against:
>> https://danielfett.github.io/notes/oauth/DPoP%20Attacker%20Model.html
>>
>> Can you come up with other attacks? Are the attacks shown relevant?
>>
>> Cheers,
>> Daniel
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth