[security-dev] OAuth 2.0 and the Road to XSS: attacking Facebook Platform

Anil Saldhana asaldhan at redhat.com
Fri Apr 12 19:29:48 EDT 2013


Also, FB's OAuth implementation is based on an early draft of the OAuth 2 spec.

The spec went through changes before final 

On Apr 12, 2013, at 4:43 PM, Bill Burke <bburke at redhat.com> wrote:

> Yup, pretty much the implicit model and Facebook's poor implementation.
> It's funny how people are proclaiming how vulnerable the OAuth implicit
> model is, when the spec already pretty much spells out how vulnerable it is.
> 
> On 4/12/2013 5:38 PM, Bill Burke wrote:
>> Before I read this, I think the XSS attacks are centered around the
>> public OAuth protocols, one-way SSL + confidential clients pretty much
>> protect against these issues, IIRC.
>> 
>> On 4/12/2013 4:28 PM, Bruno Oliveira wrote:
>>> Interesting presentation: http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Andrey%20Labunets%20and%20Egor%20Homakov%20-%20OAuth%202.0%20and%20the%20Road%20to%20XSS.pdf
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
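An added illustration of the distinction the thread draws (example code written for this page, not from the thread, JBoss or Facebook): in the implicit grant the access token rides in the URL fragment, where any script running on the page can read it, whereas a confidential client using the code grant only ever receives a single-use code that is worthless without the client secret held server-side. Client id, secret and redirect URI are constructed values.

```python
from urllib.parse import urlsplit, parse_qs
import hmac
import secrets

# Constructed registration for one confidential client (hypothetical values).
CLIENTS = {
    "app1": {"secret": "s3cr3t-example", "redirect_uri": "https://app.example/cb"},
}
ISSUED_CODES = {}  # code -> (client_id, redirect_uri); each code is single use


def issue_code(client_id, redirect_uri):
    """Authorization server side: mint a short-lived, single-use code bound
    to the client and the redirect URI it was issued for."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (client_id, redirect_uri)
    return code


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Token endpoint: only a confidential client that presents the right
    secret, the right redirect URI and an unused code gets an access token.
    Returns the token string, or None on any failure."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None  # unknown client or wrong secret: code is left untouched
    bound = ISSUED_CODES.pop(code, None)  # consumes the code (single use)
    if bound != (client_id, redirect_uri):
        return None
    return "access-token-" + secrets.token_urlsafe(8)


def token_visible_to_page_script(redirect_url):
    """True when the authorization response carries the access token in the
    fragment (implicit grant), i.e. where injected page script could read it.
    A code-grant response only carries a code in the query string."""
    parts = urlsplit(redirect_url)
    return "access_token" in parse_qs(parts.fragment)
```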
