Request for comment - oauth related CWEs


Kurt Seifried
So it seems like we're going to need some OAuth CWEs; some initial thoughts:

- System providing OAuth doesn't filter special names, resulting in shenanigans.

- System providing OAuth doesn't provide any context around what is actually requesting access (e.g. no URL; seriously, all these OAuth things I've given access to have just some random name and maybe an icon, and I have no idea what some of them are).

Also, it seems like homophone attacks could be a thing (especially combined with XSS on the legitimate site).

--
Kurt Seifried
[hidden email]
To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
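The three weaknesses sketched in the post (unfiltered client display names, a consent screen with no context about who is asking, and lookalike names) are all things an authorization server can check at client registration and consent time. The block below is an added example, not code from the post or from any OAuth implementation; it assumes a hypothetical provider that stores `client_id`, `client_name` and registered `redirect_uris` at registration time, and the brand list `PROVIDER_BRANDS` and all function names are invented for illustration. The mixed-script check uses the first word of each character's Unicode name as a stand-in for the script property, which the standard library does not expose; a real deployment would use the UTS #39 confusables data instead.

```python
"""Vetting an OAuth client's display name and building consent-screen context.

Added example (not from the mailing-list post). Assumes a hypothetical provider
that keeps client_id, client_name and registered redirect_uris per client.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed brand words for the provider itself; a third-party client must not
# register a name that looks like the provider ("Example Accounts", ...).
PROVIDER_BRANDS = ("example", "exampleid")
MAX_NAME_LEN = 64


def normalize_name(name: str) -> str:
    """NFKC-fold the name and strip control/format characters.

    NFKC collapses fullwidth and other compatibility forms; dropping the
    general category "C*" removes zero-width joiners, bidi overrides, etc.
    """
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in folded if unicodedata.category(ch)[0] != "C")
    return " ".join(visible.split())


def mixed_script(name: str) -> bool:
    """Approximate script detection: first word of the Unicode character name.

    "LATIN SMALL LETTER A" vs "CYRILLIC SMALL LETTER A" is enough to catch the
    classic lookalike substitutions; UTS #39 data is the production answer.
    """
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}
    return len(scripts) > 1


def vet_client_name(name: str) -> tuple[bool, str, str]:
    """Return (accepted, normalized_name, reason) for a proposed client name."""
    clean = normalize_name(name)
    if not clean:
        return False, clean, "empty after normalization"
    if len(clean) > MAX_NAME_LEN:
        return False, clean, "too long"
    if "<" in clean or ">" in clean:
        # The consent page must escape output anyway; rejecting markup here
        # keeps names sane in logs, emails and admin tooling too.
        return False, clean, "markup characters not allowed"
    if mixed_script(clean):
        return False, clean, "mixed scripts (possible lookalike)"
    words = set(clean.casefold().split())
    if any(brand in words for brand in PROVIDER_BRANDS):
        return False, clean, "impersonates provider"
    return True, clean, ""


def consent_context(client: dict, redirect_uri: str, scopes: list[str]) -> dict:
    """Build what the consent screen should show the user.

    The redirect_uri must exactly match one registered for the client; the
    host of that URI is then shown so the user can see *where* tokens will go,
    not just an arbitrary name and icon.
    """
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for this client")
    return {
        "client_name": client["client_name"],
        "client_id": client["client_id"],
        "redirect_host": urlsplit(redirect_uri).hostname,
        "scopes": sorted(scopes),
    }


# Constructed sample client used when the module is run directly.
SAMPLE_CLIENT = {
    "client_id": "s6BhdRkqt3",
    "client_name": "GoodApp",
    "redirect_uris": ["https://app.goodapp.invalid/oauth/cb"],
}

if __name__ == "__main__":
    for candidate in ("Good\u200bApp", "Ex\u0430mple Docs", "Example Accounts", "<b>Login</b>"):
        print(candidate, "->", vet_client_name(candidate))
    print(consent_context(SAMPLE_CLIENT, SAMPLE_CLIENT["redirect_uris"][0], ["email", "profile"]))
```

Rejecting rather than escaping markup is a deliberate choice: the consent page must still escape every name it renders, but refusing `<`/`>` at registration removes the whole class of "name that is really a payload" before it reaches any template, log viewer or notification email.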