Re: [OAUTH-WG] State Leakage Attack

2016-04-24 Thread John Bradley
I did talk about using "jti" for state replay protection in https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-05. Not that any developer looks at that ID, but I should probably expand the advice for replay

Re: [OAUTH-WG] State Leakage Attack

2016-04-24 Thread John Bradley
I described a similar attack at the meeting in Darmstadt: using stolen state to inject code from a different session. We were calling that the cut and paste attack. The proposed mitigation is in the draft that Mike and I did. This was based on the attacker making a new request in a

Re: [OAUTH-WG] State Leakage Attack

2016-04-24 Thread tors...@lodderstedt.net
Understood. Thanks. So this is basically a way to circumvent XSRF protection. OWASP has an excellent description of the attack and mitigations: https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet - it recommends per-request CSRF tokens for state changes via GET requests. Same