Re: [OAUTH-WG] Multi-AS State Re-Use

Wed, 11 May 2016 15:04:07 -0700 

Well hey now.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
is one of the more popular resources on CSRF at OWASP.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) is
also pretty popular and points to a wide variety of resources on the topic.

If anyone sees any flaws in these or otherwise would like to help make
these better, please drop me a line. I serve on the OWASP board.

Aloha, Jim Manico



On 5/11/16 11:59 AM, Nat Sakimura wrote:
> Agreed. Also, pointing to OWASP guide or something for CSRF token may
> be useful.
> On Tue, May 10, 2016 at 11:37 Daniel Fett <[email protected]
> <mailto:[email protected]>> wrote:
>
>     Regardless of what state actually is, the documentation (also the one
>     for OIDC) should make clear that the same state should not be sent to
>     two different AS, and that a state issued for AS #1 should be invalid
>     for AS #2.
>
>     Am 10.05.2016 um 09:31 schrieb Anthony Nadalin:
>     > STATE can be anything, it does not have to be a NONCE so
>     changing this
>     > would cause issues at this time for existing deployments
>     >
>     >
>     >
>     > *From:*OAuth [mailto:[email protected]
>     <mailto:[email protected]>] *On Behalf Of *Nat Sakimura
>     > *Sent:* Monday, May 9, 2016 7:34 PM
>     > *To:* Guido Schmitz <[email protected]
>     <mailto:[email protected]>>; [email protected] <mailto:[email protected]>
>     > *Subject:* Re: [OAUTH-WG] Multi-AS State Re-Use
>     >
>     >
>     >
>     > As far as I am aware of, state was meant to be nonce. Replay
>     possibility
>     > etc. were known. It is probably a bad documentation that every
>     reviewers
>     > missed because they were assuming it.
>
>
>     --
>     Informationssicherheit und Kryptografie
>     Universität Trier - Tel. 0651 201 2847 - H436
>
>     _______________________________________________
>     OAuth mailing list
>     [email protected] <mailto:[email protected]>
>     https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
> Nat Sakimura
> Chairman of the Board, OpenID Foundation
> Trustee, Kantara Initiative
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Jim Manico
Manicode Security
https://www.manicode.com


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to