Stage 2

OAuth linking

Change Email:

• No CSRF protection

• Omit CSRF token

• Token only for PUT but not for GET

• Referer-baded CSRF Validation

  • Referer can be omitted?

  • Referer must contain certain string?

• csrf verification token stored in cookie, which can be manipulated?

• csrf token bound to non-session cookie, which can be manipulated?

• Is Logged in Cookie

  • /refreshpassword -> set username=administrator

SameSite Lax Bypass

Password reset

• username can be modifed

• tokens are time based -> send requests in parallel from different sessions

Change password

• curent-password can be omitted -> you can change password of arbitrary users

  
  

weak secret

/dev/null in jwt kid header

arbitratry jku header

inline jwk