News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

PHPClasses.org:
Is Your OAuth 2.0 Application Secure?
May 26, 2014 @ 11:29:39

The PHPClasses.org blog has a new post highlighting a vulnerability in the OAuth 2.0 specification that's been talked about quite a bit lately, the Covert Redirect Vulnerability. This issue allows potential attackers to trick users into redirecting to malicious sites and possibly gain access to personal information.

This vulnerability affects applications that implement protocols like OAuth 2.0 and OpenID. Lets see how this affects an OAuth 2.0 application. [...] The way it works is that your application redirects to a specific page of the Facebook site. There the user is asked if he wants to give your application permission to access Facebook API on his behalf. After the user agrees, his browser is redirected back to your site to a URL that your application specified called redirect_uri. From then on your site completes the process to get a special access token string that will be used by your site to access Facebook API on behalf of the user.

This token represents the user and can then be used to access the user's account. If that token fell into the wrong hands, they could access data they shouldn't. He includes a diagram of the flow and a link to a video explaining the problem in a bit more depth. He recommends three ways to help prevent this issue and what to look for in your implementation that could leave you vulnerable.

0 comments voice your opinion now!
oauth2 security redirect uri malicious attack

Link: http://www.phpclasses.org/blog/package/7700/post/4-Is-Your-OAuth-20-Application-Secure.html

blog comments powered by Disqus

Similar Posts

Secunia.com: Debian Updates for PHP4 and PHP5 Users

PHPClasses.org: PHP security exploit with GIF images

DevShed: Hackers Compromise PHP Sites to Launch Attacks

Chris Shiflett\'s Blog: PHP Security Architecture

PHPMaster.com: 5 More PHP Security Vulnerabilities


Community Events





Don't see your event here?
Let us know!


podcast api composer list symfony conference series community configure framework unittest opinion voicesoftheelephpant release threedevsandamaybe introduction interview version language laravel

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework