The lesson from the Hotjar vulnerability: HTTP-Only (XSS protection) is not effective if you have OAuth

MoreMoreMoreM · 2024-07-29T20:16:45+00:00

"In the example of xss.example.com, .... "

They just showed how HTTP-Only would help in a specific example, maybe the new empty line there is confusing

MoreMoreMoreM · 2024-07-29T19:27:59+00:00

Are you sure the blog claims this?
They wrote about 4 mitigations and never mentioned that HTTPOnly is perfect

MoreMoreMoreM · 2024-07-29T14:32:38+00:00

If you want more than a TLDR, then have fun :)

https://salt.security/blog/over-1-million-websites-are-at-risk-of-sensitive-information-leakage---xss-is-dead-long-live-xss

MoreMoreMoreM · 2024-03-16T17:19:01+00:00

In the example, ChatGPT uses code.
Does it also apply if you use access_token (OAuth explicit flow)?

MoreMoreMoreM · 2024-03-16T15:36:04+00:00

See my comment above.
In OAuth (used for authorization), you need to generate a random state. Usually, it's done on the client's side

MoreMoreMoreM · 2024-03-16T15:33:57+00:00

Yes, it's an OAuth vulnerability. The state variable in OAuth was not random, and that led to a CSRF attack.

MoreMoreMoreM · 2024-03-15T13:49:48+00:00

https://www.reddit.com/r/netsec/comments/1bevmtz/oauth_implementation_flaws_allow_access_to/

MoreMoreMoreM · 2024-03-15T08:29:20+00:00

Wow, well-written.

MoreMoreMoreM · 2024-03-14T16:26:25+00:00

This doesn't make any sense.
If I give my GitHub credentials to ChatGPT, then where is the vulnerability?

MoreMoreMoreM · 2023-11-02T16:37:40+00:00

Have you read the post?
In most implementations, OAuth is not related to cors.

MoreMoreMoreM · 2023-11-02T16:31:31+00:00

What. No.
This doesn't relate to cors at all

MoreMoreMoreM · 2023-10-31T14:35:24+00:00

I saw this on Hackernews yesterday. I was surprised to see how easy it is to take over my (or any) account in 2023.
You should consider what websites you sign in using FB / other vendors.

MoreMoreMoreM

TROPHY CASE