On 24.04.2016 at 22:31, John Bradley wrote:
> I described a similar attack at the meeting in Darmstadt. Using stolen state
> to inject code from a different session.
>
> We were calling that the cut and paste attack. The proposed mitigation is
> ing the draft that Mike and I did.
>
> This was based on the attacker making a new request in a different user agent
> and using that state.
>
> In open redirectors draft we do talk about referrer leaking info, and methods
> to address that.
>
> Checking referrer is a weak protection at best, as that is easily faked in
> many circumstances.
Note that we do not propose checking the referrer as a mitigation; we propose using the referrer policy (at the client) to suppress the referrer (just as in the open redirector draft where it is used at the AS). So the recommendation here is to use the referrer policy also at the client.

> Are you saying that the proposed mitigation of the AS tying state to code is
> not sufficient?

Yes, it is not sufficient as an attacker can request a new code for his own account at the AS for the same state.

(Note that from draft-bradley-oauth-jwt-encoded-state-05 it does not become clear how the JTI value comes into play here; you should probably add some clarification on generating this value and how to check it. An example would be good.)

-Daniel

--
Information Security and Cryptography
Universität Trier - Tel. 0651 201 2847 - H436

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
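As an added illustration of the jti generation and check that Daniel asks the draft to spell out (this is not code from the thread or from the draft), the client below issues a signed state value carrying a fresh jti bound to the browser session, and on the callback verifies the signature, expiry and session binding and consumes the jti so a replayed state is rejected. The HMAC-signed token format, the in-memory pending table and the session identifiers are constructed assumptions, not something the draft specifies.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed example: client-side signing key and a table of pending jti values.
STATE_KEY = secrets.token_bytes(32)
PENDING_JTI = {}  # jti -> session id of the browser that started the flow


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_state(session_id: str, ttl: int = 300, now=None) -> str:
    """Build state = base64(claims).base64(hmac) with a fresh jti and record it as pending."""
    now = int(time.time()) if now is None else now
    claims = {
        "jti": secrets.token_urlsafe(16),  # unique per authorization request
        "sid_hash": hashlib.sha256(session_id.encode()).hexdigest(),  # binds state to session
        "iat": now,
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())
    PENDING_JTI[claims["jti"]] = session_id
    return f"{body}.{sig}"


def check_state(state: str, session_id: str, now=None) -> bool:
    """Verify signature, expiry and session binding, then consume the jti (single use)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = state.split(".", 1)
    except ValueError:
        return False
    expected = _b64(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False  # tampered or forged state
    claims = json.loads(_unb64(body))
    if claims["exp"] < now:
        return False  # stale state
    if claims["sid_hash"] != hashlib.sha256(session_id.encode()).hexdigest():
        return False  # state issued to a different browser session
    # The jti must still be pending; it is removed on first use, so a replay fails.
    return PENDING_JTI.pop(claims["jti"], None) == session_id
```

This check alone does not stop the cut-and-paste injection Daniel describes, since the victim's pending state is still valid when the attacker's code arrives with it; that is why the message also recommends suppressing the referrer with a referrer policy at the client.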