In this post I want to share with you an amazing tool called Man in the middle proxy. As you can imagine, this tool is an HTTP/HTTPS proxy that allow you to perform debug not only on HTTP communications but also on HTTPS/SSL calls. Here you can see it in action! I did the tests […]
As you probably know, Google is migrating to Open Id Connect under the name of Google+ Sign-In, migration that I celebrate. As part of this process, they are deprecating a couple of endpoints and methods to authenticate. As any serious cloud service, they have announced this migration long time ago, publishing an schedule that clearly […]
After the Heartbleed Bug a new critical vulnerably was found today on OpenSSL: CCS Injection. This new vulnerability is based on the fact that OpenSSL accepts ChangeCipherSpec (CCS) inappropriately during a handshake (The ChangeCipherSpec message is used to change the encryption being used by the client and the server) By exploiting this vulnerability an attacker could […]
Yesterday a vulnerability was published under the name of Covert Redirect as a new security flaw in OAuth 2.0 / OpenId. In the article says: Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation. This is often the of result of a website’s overconfidence […]
One of the concerns about OAuth 2.0 is that it uses bearer tokens, that are a kind of tokens that are not tied to any context at all. That means that any party in possession of a token can get access to the associated resources, without any other demonstration. This month, the IETF team has […]
