Code phishing attack on OAuth 2.0 [RFC6749]

Code phishing attack is the attack that the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token endpoint to obtain tokens thereby accessing the protected resources illegitimately. Assumptions There are not much assumptions needed for this attack. The client and the server uses OAuth 2.0 [RFC6749]. The […]

IdP Mix-up Attack on OAuth [RFC6749]

On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the readers of the attack, I am translating the portion of his blog post explaining the attack with his permission, then expand on it. Assumptions The attacker can proxy the non-TLS-protected […]