Thursday, August 22, 2013

OAuth 2.0 security considerations from the RFC (section 10 of RFC 6749), continued.
1) resource owner password credentials - this grant hands the user's actual username and password to the client, so it is the one that exposes the most privileged credential. The RFC says it keeps the password anti-pattern the protocol is meant to avoid and exists for legacy and migration reasons; client and authorization server should minimize its use and prefer other grant types, and the authorization server should limit the scope and lifetime of tokens it issues this way. The weakness is that the resource owner has no control over the authorization process once the password is handed over: the client can obtain tokens with a broader scope than the user intended, could misuse the password, or could leak it.
2) access tokens, refresh tokens, resource owner passwords, and client credentials must not be transmitted in the clear, and authorization codes should not be. Without TLS, HTTP headers and the request URI (query parameters included) travel as clear text. The state and scope parameters can end up on insecure channels or in logs, so they should not carry any sensitive client or resource owner information in plain text.
3) ensure endpoint authenticity: to prevent man-in-the-middle attacks the authorization server must require TLS with server authentication for requests to the authorization and token endpoints, and the client must validate the authorization server's TLS certificate.
4) generated tokens, codes, and client secrets must not be guessable. The RFC puts the probability of an attacker guessing a generated token (or any other credential not meant for handling by end-users) at no more than 2^-128, and recommends 2^-160, which in practice means at least 128 bits (preferably 160 or more) drawn from a cryptographically secure random source. Resource owner passwords are outside this bound, and the authorization server must protect them by other means.
5) because the protocol keeps redirecting the user-agent to a site that asks for credentials, users get used to typing passwords after a redirect, which makes phishing easier. Sites that ask for credentials should give users an easy way to confirm they are genuine, and client developers should think about how they present the authorization server (external browser versus an embedded user-agent) so the user can actually verify who is asking.
6) cross-site request forgery must be prevented. CSRF is when an attacker makes a victim's user-agent follow a malicious URI (a misleading link, image, or redirection) to a server that trusts that user-agent, usually because of a valid session cookie. Aimed at the client's redirection URI, this lets the attacker inject his own authorization code or access token, so the victim ends up holding an access token bound to the attacker's resources instead of their own. The client must protect its redirection URI: every request to it has to carry a value that binds the request to the user-agent's authenticated state (for example a hash of the session cookie), and the client should deliver that value in the state parameter of the authorization request and check it when the redirect comes back.
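As an added example (not from the original post, and not code from the RFC), here is how a client would implement items 4 and 6 in Python: mint an unguessable state value from the OS CSPRNG with at least 128 bits of entropy, bind it to the user-agent's session when starting the authorization request, and refuse any redirect whose state does not match the one stored in that session. The authorization endpoint, client id, and redirect URI are hypothetical placeholders, and the `session` dict stands in for whatever server-side session store sits behind the client's session cookie.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization endpoint; a real deployment substitutes its own.
AUTHORIZATION_ENDPOINT = "https://auth.example/authorize"


def mint_credential(bits: int = 256) -> str:
    """Return a URL-safe random string carrying at least `bits` of entropy.

    RFC 6749 section 10.10 requires the chance of guessing a generated token
    to be at most 2^-128 (2^-160 recommended); anything weaker is refused.
    The value comes from the OS CSPRNG, so it is unguessable and carries no
    information about the user (item 2: state must hold nothing sensitive).
    """
    if bits < 128:
        raise ValueError("credential must have at least 128 bits of entropy")
    return secrets.token_urlsafe((bits + 7) // 8)


def build_authorization_url(session: dict, client_id: str, redirect_uri: str, scope: str) -> str:
    """Begin an authorization-code flow for one user-agent session.

    `session` stands in for the client's server-side session store. A fresh
    state is minted and stored there, which binds the upcoming redirect to this
    particular user-agent's authenticated state.
    """
    state = mint_credential()
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_redirect(session: dict, callback_url: str) -> str:
    """Process the authorization server's redirect back to the client.

    Returns the authorization code only when the returned state equals the one
    stored in this session. Otherwise the code is discarded: it may be the
    attacker's own code injected through a forged redirect (item 6).
    """
    query = parse_qs(urlparse(callback_url).query)
    # Consume the stored state whether or not the check passes: state is single-use.
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("no state to compare: possible CSRF, discarding redirect")
    # Constant-time comparison on bytes; non-ASCII input cannot trip compare_digest.
    if not hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace")):
        raise PermissionError("state mismatch: possible CSRF, discarding authorization code")
    if "error" in query:
        raise RuntimeError("authorization server returned error: " + query["error"][0])
    return query["code"][0]


if __name__ == "__main__":
    session = {}
    url = build_authorization_url(session, "client-123", "https://client.example/cb", "read")
    print(url)
    # Constructed legitimate redirect carrying the same state the client minted.
    legit = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=" + session["oauth_state"]
    print(handle_redirect(session, legit))
```

The state is popped from the session before the comparison so that a redirect can only ever be checked once; a second delivery of the same URL, or a forged one arriving when no flow is in progress, fails closed.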
