Everything that the user's browser touches has to be ... • Aaron Parecki

44°F

Boomrang https://twitter.com/boomrang99 • Jul 29
Thanks for the response. I am trying to understand the specifics of the risk involved here. The site itself is HTTPS however the load balancer/proxy infra sometimes redirect to HTTP for the callback URL

Everything that the user's browser touches has to be HTTPS.

This document talks about the details of several related attacks if you're interested https://tools.ietf.org/html/draft-ietf-oauth-security-topics

Portland, Oregon

Mon, Jul 29, 2019 8:41am -07:00

1 like 2 replies
- Nate Barbettini
Have you written a response to this? Let me know the URL:
- Boomrang twitter.com/boomrang99
  
  and how this is possible??????
  
  Fri, Dec 13, 2019 2:31am +00:00 (via brid-gy.appspot.com)
- Boomrang twitter.com/boomrang99
  
  I think my question is not answered. I understand that the sites must be HTTPS. However my questy is specific to sending authorization code in HTTP channel. It is actually a URL parameter!! And not a POST request
  
  Sat, Aug 3, 2019 4:35am +00:00 (via brid-gy.appspot.com)

Posted in /replies using monocle.p3k.io