WS-Trust Proof-of-Possession (PoP) tokens with client and server entropy (with partial keys) – Part 1

January 15th, 2015

As a security feature, WS-Trust supports Proof-of-Possession (PoP) tokens. In this post I want to show you how to consume a service that requires PoP token security with client and server entropy (going deep in a min). This method has been tested with Microsoft Dynamics CRM and ADFS. This is a very long topic, so […]

Security Stack for Modern Apps talk at UTN: The video (Spanish)

January 5th, 2015

Last December 19 I was invited by the Argentine National Technological University (UTN) in Buenos Aires to speak about security architectures in modern apps. In my talk I covered token-based authentication scenarios for single-page and mobile apps, access delegation with OAuth 2.0, and identity federation with OpenID Connect. It was really fun and such […]

Google’s XSS Problem: It happens in the best of families

December 28th, 2014

A couple of days ago, this guy found an unbelievable XSS vulnerability on Google’s results page. Basically, when you add your site to Google’s index you can add some links that are shown as breadcrumbs in the results page and that the user can click. In this post he shows how Google was not validating the […]

Speaking at UTN: Security Stack for Modern Applications

December 1st, 2014

Next December 19 I will be closing the year speaking about security architectures for modern applications at the Argentine National Technological University in Buenos Aires. The National Technological University (Spanish: Universidad Tecnológica Nacional, UTN) is a country-wide national university in Argentina, and it’s considered among the top engineering schools in the country, so it is a […]

PSHA1 Algorithm for WS-Trust Server and Client Entropy Scenarios on Node.js

July 23rd, 2014

I’ve just published a new Node.js module that implements the P_SHA1 algorithm as specified in the TLS spec, which the WS-Trust spec uses in scenarios where the service you want to call requires client and server entropy. It has been tested with Microsoft Dynamics CRM and ADFS. You can find the library here A […]