Hacker News new | ask | show | jobs
by thdhhghgbhy 316 days ago
>But session hijacking is a known problem.

You're effectively talking about an attacker breaking https aren't you? Unless you can detail another way to get at a user's token. I'm curious to hear about it.
1 comments
motorest 316 days ago
> You're effectively talking about an attacker breaking https aren't you?

No. There are many ways to fish bearer tokens. Encryption in transit only addresses some of them.

link
thdhhghgbhy 316 days ago
I'm all ears, please provide one potential way.
link
motorest 316 days ago
> I'm all ears, please provide one potential way.

Just Google for session hijacking attacks. There's a wealth of information on the topic. It's a regular entry in OWASP top 10.

link
thdhhghgbhy 316 days ago
I did, and xss and session sniffing listed on the OWASP web page, would be prevented by following OAuth flows. So that just leaves mitm, which as I said, is effectively breaking https.
link
motorest 316 days ago
> I did, and xss and session sniffing listed on the OWASP web page, would be prevented by following OAuth flows.

OWASP's page lists 3 more examples which it seems you omitted for some reason.

link