Hi Hans,

On 11.11.19 at 10:57, Hans Zandbelt wrote:
> P17
> About the description of the mixup attack: as long as the attacker is
> able to trigger a request (by having the user click a link) and read
> the query/POST parameters on the A-AS (perhaps from the logs) he can
> execute a mixup attack by starting from the A-AS rather than the H-AS
> (as demonstrated in the OAuth 2.0 security workshop in Darmstadt
> December 2016). Perhaps this can be made more explicit.

I'm not sure if I understand your comment correctly. By definition, the
attacker can always read the parameters from A-AS. The rest of the attack
is what is currently described as "Mix-Up Without Interception", isn't it?

-Daniel

> --
> hans.zandb...@zmartzone.eu <mailto:hans.zandb...@zmartzone.eu>
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
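The variant the two messages are discussing, as an added example that is not part of the thread or of the security-topics draft: a self-contained Python model of the "Mix-Up Without Interception" flow. The client is registered at both H-AS and A-AS with a single redirect URI; the attacker lures the user into starting a login with A-AS, and A-AS, having seen the client's state and redirect_uri as ordinary request parameters, forwards the user agent to H-AS instead of issuing its own code. The client remembers only that the flow started at A-AS, so it posts H-AS's code to A-AS's token endpoint, where the attacker collects it. The same model then shows the countermeasure of returning the issuer in the authorization response (the `iss` parameter, now RFC 9207) and comparing it against the issuer the request was sent to. Issuer URLs, client ids, the redirect URI and the public-client token endpoint are all assumptions for the simulation; the 302 hops are modelled as direct calls.

```python
"""Model of the OAuth 2.0 mix-up attack without interception, plus the
iss-in-authorization-response countermeasure. Added example; names and
endpoints are assumed, not taken from any real deployment."""
import secrets
from dataclasses import dataclass, field

# Assumed: the client registers the SAME redirect URI at every AS, which is
# the precondition for a mix-up.
REDIRECT_URI = "https://client.example/cb"


@dataclass
class HonestAS:
    """H-AS: the AS the user really has an account with."""
    issuer: str
    issued: dict = field(default_factory=dict)   # code -> client_id it was issued to

    def authorize(self, client_id, redirect_uri, state):
        # User authentication and consent elided. The response carries the
        # issuer identifier ("iss"), the countermeasure of RFC 9207.
        code = secrets.token_urlsafe(8)
        self.issued[code] = client_id
        return redirect_uri, {"code": code, "state": state, "iss": self.issuer}

    def token(self, client_id, code):
        # A public client is modelled: no client secret, so any party holding
        # an unredeemed code bound to this client_id can exchange it once.
        if self.issued.pop(code, None) == client_id:
            return {"access_token": "at-" + code}
        return None


@dataclass
class AttackerAS:
    """A-AS: attacker-controlled AS that the client is also registered with."""
    issuer: str
    target: HonestAS
    target_client_id: str                        # the client's client_id at H-AS
    stolen_codes: list = field(default_factory=list)

    def authorize(self, client_id, redirect_uri, state):
        # A-AS receives the client's state and redirect_uri as plain request
        # parameters. Rather than issuing its own code it redirects the user
        # agent on to H-AS with the client's H-AS client_id and the unchanged
        # state/redirect_uri. The 302 hop is modelled as a direct call.
        return self.target.authorize(self.target_client_id, redirect_uri, state)

    def token(self, client_id, code):
        # The client believes this flow belongs to A-AS and posts H-AS's code here.
        self.stolen_codes.append(code)
        return {"access_token": "bogus-token-from-a-as"}


class Client:
    """Client registered at both ASes; check_iss toggles the countermeasure."""

    def __init__(self, servers, client_ids, check_iss):
        self.servers = servers        # issuer -> AS object
        self.client_ids = client_ids  # issuer -> client_id registered there
        self.check_iss = check_iss
        self.pending = {}             # state -> issuer the request was sent to

    def start_login(self, issuer):
        state = secrets.token_urlsafe(8)
        self.pending[state] = issuer
        return self.servers[issuer].authorize(self.client_ids[issuer], REDIRECT_URI, state)

    def callback(self, params):
        issuer = self.pending.pop(params["state"])
        if self.check_iss and params.get("iss") != issuer:
            return {"error": "mix-up detected: iss does not match the AS the request went to"}
        # Without the check the code is sent to whichever AS the flow STARTED at.
        return self.servers[issuer].token(self.client_ids[issuer], params["code"])


def run(check_iss):
    """Play the flow once; report whether the attacker ends up with a usable H-AS code."""
    h_as = HonestAS("https://h-as.example")
    a_as = AttackerAS("https://a-as.example", target=h_as, target_client_id="client-at-h")
    client = Client({h_as.issuer: h_as, a_as.issuer: a_as},
                    {h_as.issuer: "client-at-h", a_as.issuer: "client-at-a"}, check_iss)
    # The attacker lures the user into starting a login with A-AS at the client.
    location, params = client.start_login(a_as.issuer)
    assert location == REDIRECT_URI            # the user agent lands on the client
    client_result = client.callback(params)
    # Can the attacker redeem what arrived at A-AS's token endpoint?
    stolen = list(a_as.stolen_codes)
    attacker_token = h_as.token("client-at-h", stolen[0]) if stolen else None
    return {"client_result": client_result,
            "stolen_codes": stolen,
            "attacker_redeemed": attacker_token is not None}


if __name__ == "__main__":
    print("vulnerable client:", run(check_iss=False))
    print("client checking iss:", run(check_iss=True))
```

With `check_iss=False` the attacker redeems H-AS's code and the client is left holding a token minted by A-AS; with `check_iss=True` the callback refuses the response because the pending request was recorded against A-AS while the response says it came from H-AS, and nothing reaches A-AS's token endpoint. Using a distinct redirect URI per AS would close the same gap without `iss`; the model keeps one URI to reproduce the attack.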