Ståle Pettersen
@kozmic.bsky.social
Application Security and Cloud Security
👊 I really like research and write-ups like these, keep 'em coming :)
January 22, 2025 at 7:05 PM
In most scenarios though, the impact is minimal... But in edge cases, like Okta's case, it can have severe impact. It should be opt-in for an API to behave like that, in my opinion :)
2/2
January 22, 2025 at 6:03 PM
Great research and write-up! I 100% agree with you, it's a bad API design to fail silently. I know that PHP also fails silently. I've identified this issue in PHP solutions in the past :)
1/2
January 22, 2025 at 6:03 PM
Maybe... But I've seen this statement many times. Sadly a lot of "security ppl" are confused regarding cookies vs localStorage.
January 7, 2025 at 9:23 PM
I disagree with "7. Token Handling Negligence". Storing a JWT in localStorage is not an anti-pattern and is often a good pattern.
January 7, 2025 at 6:04 PM