Channel: OAuth2 Cross Site Request Forgery, and state parameter - Information Security Stack Exchange

Answer by Alice Heaton for OAuth2 Cross Site Request Forgery, and state...

In addition to @wayne's answer, here is a different possible attack (that could have been prevented with CSRF): Attacker gets an OAuth authorization code for their own account; Attacker tricks user into...

Answer by Aydin K. for OAuth2 Cross Site Request Forgery, and state parameter

Taken from The Importance of the state parameter in OAuth2: This is where the "state" object in OAuth 2 comes into play. By always submitting a non-guessable state when POSTing to the...


Answer by Wayne for OAuth2 Cross Site Request Forgery, and state parameter

Let's walk through how this attack works. The Attack: I visit some client's website and start the process of authorizing that client to access some service provider using OAuth. The client asks the service...


Answer by rook for OAuth2 Cross Site Request Forgery, and state parameter

I will simplify this problem. Cross-Site Request Forgery and Clickjacking attacks are useful because they can force a victim's browser into performing actions against their will. The mention of 10.12....


OAuth2 Cross Site Request Forgery, and state parameter

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-30#section-10.12 says: The client MUST implement CSRF protection [...] typically accomplished by requiring any request sent to the redirection...
