Could you describe an attack scenario, please? I don't know what 'token shooting' means. And I don't understand the vulnerability to a replay attack.
On Apr 17, 4:05 pm, Dossy Shiobara <[email protected]> wrote:
> ... I just want to eliminate replay attacks - you're absolutely
> right, the callback is a form of IPC to the consumer ... which
> presumably will go on to perform other tasks once it receives the
> signal. Depending on what those tasks are, it's very desirable to be
> able to tell if the callback was legitimate or either a replay attack
> or a brute-force token shooting attack.
>
> Even client-side browser cookies may not win here if a simple session
> fixation attack is coupled with the token shooting attack.
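A consumer-side check that covers the three concerns in the quoted message (a replayed callback, a guessed token, and a token that is not tied to the browser session that started the flow), added here as an illustration and not code from the OAuth list or from any OAuth library; the `CallbackGuard` class, its in-memory store and the 600-second lifetime are assumptions:

```python
import hmac
import secrets
import time

# Assumption: a real consumer would persist this in its session store;
# an in-memory dict is used here so the example runs stand-alone.
TOKEN_TTL_SECONDS = 600


class CallbackGuard:
    """Consumer-side checks for an OAuth-style callback: the token is
    bound to the session that started the flow, expires, and can be
    redeemed exactly once."""

    def __init__(self):
        self._pending = {}  # session_id -> (request_token, issued_at)

    def start_flow(self, session_id):
        # 32 random bytes gives a token that cannot be guessed by
        # firing callbacks at the consumer ("token shooting").
        # Regenerate the session id before calling this so a session
        # fixed by an attacker is not the one the token gets bound to.
        token = secrets.token_urlsafe(32)
        self._pending[session_id] = (token, time.time())
        return token

    def verify_callback(self, session_id, callback_token, now=None):
        """Return (accepted, reason). Accepts a token only once and only
        for the session it was issued to."""
        now = time.time() if now is None else now
        entry = self._pending.get(session_id)
        if entry is None:
            return False, "no pending flow for this session"
        expected, issued_at = entry
        if now - issued_at > TOKEN_TTL_SECONDS:
            self._pending.pop(session_id, None)
            return False, "token expired"
        # Constant-time comparison on bytes so non-ASCII input cannot
        # raise and timing does not leak how many characters matched.
        if not hmac.compare_digest(expected.encode(), callback_token.encode()):
            return False, "token does not match this session"
        # Single use: consume on first success so a replayed callback fails.
        self._pending.pop(session_id, None)
        return True, "ok"
```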
