
Security


Choosing an SSO Strategy: SAML vs OAuth2. This post reflects on exploring and implementing both SAML and OAuth2 for Single Sign On in a heterogeneous app environment.

Choosing an SSO Strategy: SAML vs OAuth2

Chances are you've logged into an application (mobile app or web app) by clicking on a 'Log in with Facebook' button. If you use Spotify, Rdio, or Pinterest, then you know what I'm talking about. As a user, you likely don't care about how SSO works. You just want to use an application and can be thankful for a smoother experience and that you have to remember fewer logins and passwords. In order to provide a user with a single sign on experience a developer needs to implement an SSO solution.

Our Need for SSO

We're working on a platform which will have several client applications. This platform will roll out being accessible to a few different clients (owned by different organizations). The platform is a front end to a large enterprise system that already has identity information about the people who would be interacting with it.

OWASP Top 10 for JavaScript – A7: Insecure Cryptographic Storage – BEKK Open. This post describes how OWASP Top 10 - A7: Insecure Cryptographic Storage affects JavaScript applications.

OWASP Top 10 for JavaScript – A7: Insecure Cryptographic Storage – BEKK Open

This is a wide category which covers a lot more than this blog post. I'll try to focus on the aspects that often occur in applications that rely heavily on JavaScript. This is the risk rating from OWASP:

Attackers typically don't break the crypto. They break something else, such as find keys, get cleartext copies of data, or access data via channels that automatically decrypt.

Private data needs to be protected, be it private messages, documents or passwords.

- Unencrypted storage
- Misplaced data
- Weakly encrypted or hashed storage - short encryption keys, old outdated hashing algorithms, hashless salting etc.

On the server side it's important that passwords are stored properly hashed (PBKDF2, bcrypt, scrypt and friends) and data like credit card numbers etc. needs to be encrypted in proper ways. There are several ways this can happen. This is normally a server side problem.

Javascript Injection. JavaScript Injection Overview: JavaScript is a widely used technology within websites and web based applications.

Javascript Injection

JavaScript can be used for all sorts of useful things and functions. But along with this comes some additional security issues that need to be thought of and tested for. JavaScript can be used not only for good purposes, but also for malicious purposes. Using JavaScript an individual can modify and change existing information within a form.

To execute any JavaScript within a current session, a user would enter the specific JavaScript commands within the browser's URL bar minus the

All JavaScript commands must start with the javascript: tag followed by any JavaScript command that will be executed.

JavaScript cookie modification

Using JavaScript a user can modify the current cookie settings.

Javascript:alert(document.cookie);

This command will pop up a box which lists your current cookies.

Javascript:void(document.cookie="authorization=true");

JavaScript HTML Form modification

Cross-site scripting. Background: Security on the web is based on a variety of mechanisms, including an underlying concept of trust known as the same origin policy.

Cross-site scripting

This essentially states that if content from one site (such as is granted permission to access resources on the system, then any content from that site will share these permissions, while content from another site ( will have to be granted permissions separately. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, they fold malicious content into the content being delivered from the compromised site. XSS vulnerabilities have been reported and exploited since the 1990s.

Types

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS: non-persistent and persistent.

Encryption of Passwords