AppSec Blog: Category - Authentication

ASP.NET MVC: Using Identity for Authentication and Authorization

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will take a look at the authentication and authorization security features built into the ASP.NET MVC framework. Implementing authentication and authorization mechanisms into a web application with a powerful ASP.NET Identity system has become a … Continue reading ASP.NET MVC: Using Identity for Authentication and Authorization


LinkedIn OAuth Open Redirect Disclosure

During a recent mobile security engagement, I discovered an Insecure Redirect vulnerability in the LinkedIn OAuth 1.0 implementation that could allow an attacker to conduct phishing attacks against LinkedIn members. This vulnerability could be used to compromise LinkedIn user accounts, and gather sensitive information from those accounts (e.g. personal information and credit card numbers). The … Continue reading LinkedIn OAuth Open Redirect Disclosure


HTML5: Risky Business or Hidden Security Tool Chest?

I was lucky to be allowed to present about how to use HTML5 to improve security at the recent OWASP APPSEC USA Conference in New York City. OWASP now made a video of the talk available on YouTube for anybody interested. http://www.youtube.com/watch?v=fzjpUqMwnoI Continue reading HTML5: Risky Business or Hidden Security Tool Chest?


Ask the Expert - Johannes Ullrich

Johannes Ullrich is the Chief Research Officer for the SANS Institute, where he is responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics … Continue reading Ask the Expert - Johannes Ullrich


Password Tracking in Malicious iOS Apps

In this article, John Bielich and Khash Kiani introduce OAuth, and demonstrate one type of approach in which a malicious native client application can compromise sensitive end-user data. Earlier this year, Khash posted a paper entitled: "Four Attacks on OAuth - How to Secure Your OAuth Implementation" that introduced a common protocol flow, with specific … Continue reading Password Tracking in Malicious iOS Apps