Flawlessly implementing authorization with OAuth is challenging and can be error-prone from a security perspective. However, the OAuth framework consists of several rather complex standards and provides various configurations. OAuth 2.0 is the de-facto standard for delegated authorization and supported by almost any cloud storage and API provider, including Google, Microsoft, Dropbox, and Amazon Web Services. In the following, we will describe the OAuth weaknesses in detail. The identified weaknesses were mostly based on the incorrect use of the OAuth authorization framework and insufficient protection against Cross-Site Scripting (XSS). During the test, we identified a total of 6 weaknesses – three classified as High and three classified as Medium. We conducted the 10 man-days penetration test between the 16th March and 3rd April 2020. Second, it is a web application written in JavaScript and accesses cloud storage providers using OAuth. First, its security is crucial, given the fact it processes the user’s password databases.
We selected KeeWeb because it was an excellent fit for our pro bono program. It allows users to open and sync their password databases stored locally or in a cloud storage.
KeeWeb is both available as a web application and cross-platform native application. The pro bono program offers applicants the chance to be selected for a free high-quality penetration test with a total expense of 10 man-days.Īs the first candidate, we selected KeeWeb, which is a KeePass compatible password manager. For this reason, we created our pro bono program last September. By supporting non-commercial organizations and open-source applications, we want to increase their security.
0 kommentar(er)
