295 matches found
Top 5 OAuth 2 Implementation Vulnerabilities
Heya, back to my favourite topic, namely OAuth. I have previously discussed common OAuth 2 Implementation Vulnerabilities, but now it is maybe time to list them and order them by criticality. 5. The Postman Always Rings Twice. I introduced this 'attack' in last year's post...
CVE-2014-8144
Cross-site request forgery CSRF vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors...
Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.
Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier allows remote attackers to hijack the user's OAuth authorization code. This vulnerability has been assigned the CVE identifier CVE-2014-8144. Doorkeeper's endpoints didn't have CSRF protection. Any HTML document on the...
OAuth authentication vulnerability: caution, a user identity hijacking vulnerability warning - the black bar safety net
Like OpenSSL, OAuth (Open Authorization), a widely used open-source third-party login authentication protocol, also had a security vulnerability disclosed this year. At the third session of the security forum, a speaker from Sina Weibo showed that Sina, as early as March this year...
WePay: oauth redirect uri validation bug leads to open redirect and account compromise
According to https://stage.wepay.com/developer/reference/oauth2: "redirecturi - The uri the user will be redirected to after authorization. Must have the same domain as the application." Your current validation of this domain value is not sufficient. I set up my app with a website url of...
Oracle 9i XDB HTTP PASS Overflow (win32)
No description provided by source. $Id: oracle9ixdbpass.rb 10394 2010-09-20 08:06:27Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of...
PT-2014-4538 · Cisco · Cisco Asa
Name of the Vulnerable Software and Affected Versions: Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified). Description: The issue allows remote authenticated users to read files by sending a crafted URL to the HTTP server, potentially accessing sensitive information suc...
Every day buy: UC_KEY not initialized, security risks and patch - vulnerability warning - the black bar safety net
Every day buy integrates the ucenter one-stop login API, but because UC_KEY is not initialized, an attacker can log in to any account or even operate on credit card information. Detailed description: $get = $post = array(); $code = @$_GET['code']; // get the token parse_str(authcode($code, 'DECODE', UC_KEY), $ge...
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit)
$Id: oracle9ixdbpass.rb 10394 2010-09-20 08:06:27Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...
Oracle 9i XDB HTTP PASS Overflow (win32)
$Id$ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/ require 'msf/core' class Metasploit3 'Oracle 9i XD...
Oracle 9i XDB HTTP PASS Overflow (win32)
This module exploits a stack buffer overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB) during a seminar on "Variations in exploit methods between Linux and Windows" presented at the...
Oracle 9.2.0.1 Universal XDB HTTP Pass Overflow Exploit
Exploit for unknown platform in category remote exploits ======================================================= Oracle 9.2.0.1 Universal XDB HTTP Pass Overflow Exploit ======================================================= This file is part of the Metasploit Framework and may be redistributed...
Oracle 9.2.0.1 - Universal XDB HTTP Pass Overflow (Metasploit)
Oracle 9.2.0.1 - Universal XDB HTTP Pass Overflow Metasploit This file is part of the Metasploit Framework and may be redistributed according to the licenses defined in the Authors field below. In the case of an unknown or missing license, this file defaults to the same license as the core...
Remote PC Access Server 2.2 Vulnerability
Dear Bugtraq, here are the full details of the vulnerability in Remote PC Access Server 2.2, taken from our advisory, which includes the exploit code: http://www.ytech.co.il/advisories/rpca/rpcaccess.htm Best Regards, Yaron Tal YTECH.CO.IL -----------------------------------------------------...