I was thinking the attacker makes up their *own* `code_... • Aaron Parecki

51°F

Brandon Trebitowski https://brandontreb.com • Mar 3
True, but it would be tricky.

Wouldn’t the attacker have find a way to extract the code_verifier from local storage and pass it along with the hijacked redirect?

They would have to somehow have the ability to write custom js code on the path they are redirecting to. I guess this is possible on sites that don’t sanitize user inputs.

I was thinking the attacker makes up their *own* `code_verifier` and injects that into the first open redirect

Portland, Oregon • 42°F

Thu, Mar 2, 2023 4:16pm -08:00

1 reply
Have you written a response to this? Let me know the URL:
- Brandon Trebitowski brandontreb.com
  
  You just blew my mind. So that basically defeats PKCE?
  
  Thu, Mar 2, 2023 4:25pm -08:00

Posted in /replies using monocle.p3k.io