Well hey now. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet is one of the more popular resources on CSRF at OWASP.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) is also pretty popular and points to a wide variety of resources on the topic. If anyone sees any flaws in these or otherwise would like to help make these better, please drop me a line. I serve on the OWASP board.

Aloha,
Jim Manico

On 5/11/16 11:59 AM, Nat Sakimura wrote:
> Agreed. Also, pointing to OWASP guide or something for CSRF token may
> be useful.
>
> On Tue, May 10, 2016 at 11:37 Daniel Fett <f...@uni-trier.de> wrote:
>
>> Regardless of what state actually is, the documentation (also the one
>> for OIDC) should make clear that the same state should not be sent to
>> two different AS, and that a state issued for AS #1 should be invalid
>> for AS #2.
>>
>> On 10.05.2016 at 09:31, Anthony Nadalin wrote:
>>> STATE can be anything, it does not have to be a NONCE so changing this
>>> would cause issues at this time for existing deployments
>>>
>>> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of* Nat Sakimura
>>> *Sent:* Monday, May 9, 2016 7:34 PM
>>> *To:* Guido Schmitz <g.schm...@gtrs.de>; oauth@ietf.org
>>> *Subject:* Re: [OAUTH-WG] Multi-AS State Re-Use
>>>
>>> As far as I am aware of, state was meant to be nonce. Replay possibility
>>> etc. were known. It is probably bad documentation that every reviewer
>>> missed because they were assuming it.
>>
>> --
>> Information Security and Cryptography
>> Universität Trier - Tel. 0651 201 2847 - H436
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura
> Chairman of the Board, OpenID Foundation
> Trustee, Kantara Initiative

--
Jim Manico
Manicode Security
https://www.manicode.com
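The binding Daniel Fett asks for above (one state per authorization server, a state issued for AS #1 invalid at AS #2, and no replay) as an added client-side example; this is not code from the thread or from any OAuth library, and `StateStore`, the issuer URLs and session ids are hypothetical.

```python
import hmac
import secrets
import time


class StateStore:
    """In-memory, single-use store of pending OAuth `state` values (hypothetical helper)."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._pending = {}  # state -> (issuer, session_id, expiry)

    def issue(self, issuer, session_id):
        """Create a fresh, unguessable state bound to exactly one AS and one browser session."""
        state = secrets.token_urlsafe(32)  # 256 random bits, so it is a true nonce
        self._pending[state] = (issuer, session_id, time.time() + self.ttl)
        return state

    def consume(self, state, issuer, session_id):
        """Validate a state that came back on the callback for `issuer`, then invalidate it.

        True only if the state is known, unexpired, and was issued for this same
        AS and session. The entry is removed on every hit, so a replay (or a
        state that first came back via the wrong AS) cannot be presented again.
        """
        entry = self._pending.pop(state, None)
        if entry is None:
            return False
        exp_issuer, exp_session, expiry = entry
        if time.time() > expiry:
            return False
        return (hmac.compare_digest(exp_issuer, issuer)
                and hmac.compare_digest(exp_session, session_id))


def demo():
    """Constructed scenario: one client, two authorization servers, one session."""
    store = StateStore()
    session = "sess-abc"
    st1 = store.issue("https://as1.example", session)  # state for AS #1
    st2 = store.issue("https://as2.example", session)  # a different state for AS #2
    st3 = store.issue("https://as2.example", "sess-other")
    return {
        "distinct_states": st1 != st2,                                               # True
        "cross_as_rejected": store.consume(st1, "https://as2.example", session),     # False
        "correct_as_accepted": store.consume(st2, "https://as2.example", session),   # True
        "replay_rejected": store.consume(st2, "https://as2.example", session),       # False
        "wrong_session_rejected": store.consume(st3, "https://as2.example", session),  # False
    }
```

The per-AS check is what turns the state back into a nonce in the multi-AS case: the callback for AS #2 only accepts values that were minted for AS #2.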