Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

When PKCE Doesn't Protect You: Bypassing OAuth Code Exchange

labs.trace37, posted 3 days ago
  • In a previous blog post, they discussed a vulnerability in an authentication flow that was broken through bad frame communication. One of the issues that made this possible is discussed in depth in this blog post.
  • OAuth Proof Key for Code Exchange (PKCE) is an extension to the authorization code flow that prevents code interception and injection attacks. The calling application generates a random secret (the code verifier), sends its SHA-256 hash (the code challenge) along with the authorization request, and later presents the verifier when exchanging the code; the authorization server hashes the verifier and checks that it matches the challenge it recorded.
  • The authorization code returned by the SSO is bound to whatever code challenge was in the URL when the SSO page loaded. The parent page generates the PKCE pair and includes the challenge as part of the SSO URL. This is the problem: the challenge must be generated by, and unique to, the legitimate client request. If an attacker can set it, the entire purpose of PKCE is bypassed.
  • A good quote from the author: "PKCE protects the code in transit. It does NOT protect against an attacker who controls the authorization request itself." Understanding what a security control does and doesn't protect against is crucial. Great spot to finish off the chain!
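As an added illustration of the point above (my own example, not code from the trace37 post), here is a toy PKCE flow: the server only ever checks that whoever redeems the code knows the verifier behind the challenge it recorded, so the client must treat the challenge as something it derives from its own session and never accepts from a URL parameter or frame message. The `AuthServer` and `Client` classes and the URL `sso.example` are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(raw: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))

def challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    # Toy authorization server (assumed): binds each code to the challenge it saw
    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single use
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(challenge_s256(code_verifier), challenge)

class Client:
    # Toy relying party (assumed): verifier and state live only in its own session
    def __init__(self, server: AuthServer):
        self.server, self.session = server, {}

    def start_login(self) -> dict:
        # The challenge is derived from a verifier this client just generated;
        # it is never read back from the page URL or a frame message.
        self.session["verifier"] = make_verifier()
        self.session["state"] = secrets.token_urlsafe(16)
        return {"code_challenge": challenge_s256(self.session["verifier"]),
                "code_challenge_method": "S256", "state": self.session["state"]}

    def finish_login(self, code: str, state: str) -> bool:
        if not hmac.compare_digest(state, self.session.get("state", "")):
            return False
        return self.server.token(code, self.session["verifier"])
```

The server-side check passes for any matching verifier/challenge pair regardless of who produced it, which is exactly why the client must only redeem codes with the verifier from its own session and must also check `state`.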