OAuth 2.0 and the Road to XSS: attacking Facebook Platform - security-dev - Jboss List Archives

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

OAuth 2.0 and the Road to XSS: attacking Facebook Platform

XACML 3.0

Some thoughts on PL Subsystem

Bruno Oliveira

Friday, 12 April 2013 Fri, 12 Apr '13

3:28 p.m.

Interesting presentation: http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Andrey... -- "The measure of a man is what he does with power" - Plato - @abstractj - Volenti Nihil Difficile

Reply

Show replies by date

Bill Burke

Friday, 12 April Fri, 12 Apr

4:38 p.m.

Before I read this, I think the XSS attacks are centered around the public OAuth protocols, one-way SSL + confidential clients pretty much protect against these issues, IIRC. On 4/12/2013 4:28 PM, Bruno Oliveira wrote:

Interesting presentation: http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Andrey...

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Bill Burke

4:43 p.m.

Yup, pretty much the implicit model and Facebook's poor implementation. Its funny how people are proclaiming how vulnerable the OAuth implicit model is, when the spec already pretty much spells out how vulnerable it is. On 4/12/2013 5:38 PM, Bill Burke wrote:

Before I read this, I think the XSS attacks are centered around the public OAuth protocols, one-way SSL + confidential clients pretty much protect against these issues, IIRC. On 4/12/2013 4:28 PM, Bruno Oliveira wrote: > Interesting presentation: http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Andrey... > >

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Reply

Anil Saldhana

6:29 p.m.

Also FB Oauth implementation is based on an early draft of the oauth2 spec. The spec went through changes before final On Apr 12, 2013, at 4:43 PM, Bill Burke <bburke(a)redhat.com> wrote:

Yup, pretty much the implicit model and Facebook's poor implementation. Its funny how people are proclaiming how vulnerable the OAuth implicit model is, when the spec already pretty much spells out how vulnerable it is. On 4/12/2013 5:38 PM, Bill Burke wrote: > Before I read this, I think the XSS attacks are centered around the > public OAuth protocols, one-way SSL + confidential clients pretty much > protect against these issues, IIRC. > > On 4/12/2013 4:28 PM, Bruno Oliveira wrote: >> Interesting presentation: http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Andrey... -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev

Reply

4740

days inactive

4740

days old

security-dev@lists.jboss.org

Manage subscription

3 comments

3 participants

tags (0)

participants (3)

Anil Saldhana
Bill Burke
Bruno Oliveira