HTTP/HTTPS debugging on Mobile Apps with Man In The Middle

June 24th, 2014

In this post I want to share with you an amazing tool called Man in the middle proxy. As you can imagine, this tool is an HTTP/HTTPS proxy that allows you to debug not only HTTP communications but also HTTPS/SSL calls. Here you can see it in action! I did the tests […]

Windows Azure ACS Google Authentication Broken or “The difference between a serious cloud service and Windows Azure ACS”

June 13th, 2014

As you probably know, Google is migrating to OpenID Connect under the name of Google+ Sign-In, a migration that I celebrate. As part of this process, they are deprecating a couple of endpoints and methods to authenticate. As any serious cloud service would, they announced this migration a long time ago, publishing a schedule that clearly […]

CCS Injection: New vulnerability found on OpenSSL

June 6th, 2014

After the Heartbleed Bug, a new critical vulnerability was found today in OpenSSL: CCS Injection. This new vulnerability is based on the fact that OpenSSL accepts ChangeCipherSpec (CCS) messages inappropriately during a handshake (the ChangeCipherSpec message is used to change the encryption being used by the client and the server). By exploiting this vulnerability an attacker could […]

Covert Redirect: Facebook and ESPN Security, oh my god…

May 3rd, 2014

Yesterday a vulnerability was published under the name of Covert Redirect as a new security flaw in OAuth 2.0 / OpenID. The article says: Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation. This is often the result of a website’s overconfidence […]

OAuth Proof of Possession draft are here!

April 28th, 2014

One of the concerns about OAuth 2.0 is that it uses bearer tokens, which are a kind of token that is not tied to any context at all. That means that any party in possession of a token can get access to the associated resources, without any other demonstration. This month, the IETF team has […]