Burp Suite User Forum

Web Security Academy (OAuth)

Kaung | Last updated: Sep 03, 2021 05:10AM UTC

Hi, in the Web Security Academy OAuth topic, "Leaking authorization codes and access tokens" section, it notes that using "state or nonce protection" does not necessarily prevent these attacks because an attacker can generate new values from their own browser. Doesn't a state parameter prevent an attacker from making a cross-site authorization request? The state will be tied to the user's session, right? The stored state value and the requested state value (the attacker's own generated state) will not be the same, hence rendering the attack a failure. I would much appreciate clarification on this. Thanks!
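
The reasoning in the question above can be checked against a minimal state implementation. The following is an added example, not part of this thread or of the Web Security Academy material; the session store, function names and scenario helpers are all hypothetical and constructed for illustration. It shows the two properties that matter here: a callback whose `state` does not match the value bound to the receiving browser session is rejected (the cross-site case the question raises), while a flow that starts and finishes in the same browser session passes the check, because `state` only proves that the callback belongs to a request that session started. Whether the `code` value has also been exposed somewhere else is not something the `state` comparison can detect.

```python
import hmac
import secrets

# Constructed in-memory session store (hypothetical): session id -> session data.
# A real client would keep this server-side, keyed by the browser's session cookie.
SESSIONS: dict[str, dict] = {}


def start_login(session_id: str) -> str:
    """OAuth client begins the flow: mint a random state and bind it to this browser session.

    The returned value is what the client would place in the authorization
    request's `state` parameter.
    """
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    return state


def handle_callback(session_id: str, returned_state: str, code: str) -> bool:
    """OAuth client redirect endpoint.

    Accept the authorization code only if `returned_state` matches the state
    previously bound to this session. The stored state is consumed on first
    use so a second callback with the same state is rejected.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    expected = session.pop("oauth_state", None)
    if expected is None:
        return False
    # Constant-time comparison; both values are encoded so non-ASCII input
    # cannot raise TypeError inside compare_digest.
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return False
    session["pending_code"] = code  # would now be exchanged at the token endpoint
    return True


def scenario_cross_site_forgery() -> bool:
    """Callback forged from another origin: its state was never bound to the victim's session."""
    victim_session = "victim-" + secrets.token_hex(4)
    start_login(victim_session)                      # victim has their own state
    foreign_state = secrets.token_urlsafe(32)        # value minted elsewhere
    return handle_callback(victim_session, foreign_state, "code-constructed-1")


def scenario_same_browser() -> bool:
    """Flow started and completed in one browser session: state matches, check passes."""
    session = "browser-" + secrets.token_hex(4)
    state = start_login(session)
    return handle_callback(session, state, "code-constructed-2")


def scenario_replayed_callback() -> bool:
    """The same callback delivered twice: the second attempt fails because state is single-use."""
    session = "browser-" + secrets.token_hex(4)
    state = start_login(session)
    handle_callback(session, state, "code-constructed-3")
    return handle_callback(session, state, "code-constructed-3")


if __name__ == "__main__":
    print("cross-site forgery accepted:", scenario_cross_site_forgery())   # False
    print("same-browser flow accepted: ", scenario_same_browser())         # True
    print("replayed callback accepted:", scenario_replayed_callback())     # False
```

The `state` parameter therefore does exactly what the question describes for cross-site requests: a mismatch between the stored and returned value fails the flow. What it does not do is stop the `code` from reaching any party other than the client, which is why the Academy text treats it as insufficient on its own for the leakage section; PKCE and a strict `redirect_uri` allow-list are the controls that address that side.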

Uthman, PortSwigger Agent | Last updated: Sep 03, 2021 08:29AM UTC

Hi Kaung,

Our technical support service does not provide 1-1 training for academy queries, unfortunately. Your post will remain on the forum so that a member of the community with more knowledge can answer your question.

You may find this article helpful:

- https://medium.com/@benjamin.botto/oauth-replay-attack-mitigation-18655a62fe53

Let us know if you have any issues with our products (or spot any bugs in the labs) - you can reach us at support@portswigger.net

Kaung | Last updated: Sep 03, 2021 09:39AM UTC

Thank you for the reply, and the article