asimops a day ago

In the case of Attack scenario 2, I do not get why in a secure design you would ever forward the client-originating data to the auth service. This is more of a broken best practice than a footgun to me. The logic should be "Parse, don't validate"[0] and after that you work on those parsed data.

[0]: https://hn.algolia.com/?q=https%3A%2F%2Flexi-lambda.github.i...
securesaml a day ago

See: https://bsky.app/profile/filippo.abyssdomain.expert/post/3le... that was about a signature wrapping attack in crypto, but it also applies here.