Reflected XSS vulnerability on Coinbase
I had a lot of fun in the few hours I spent looking at Coinbase while procrastinating from exam study. They have done a lot of things right with regard to CSP, HttpOnly session cookies and two-step authentication, but are let down by the integration of third-party components such as Doorkeeper and ZeroClipboard. It is difficult to get any reasonably complex site completely secure, and even sites doing more than $15 million USD per month in Bitcoin transaction volume can have a number of critical issues which a blackbox attacker could discover. I would recommend that all web developers check out the guides on the OWASP website, which cover all the key areas where security problems can occur in web apps.
The article will cover the following vulnerabilities:
- Reflected XSS
- Persistent XSS on Merchant Checkout Pages
- Insecure OAuth Application Approval
- Insecure OAuth Redirect URI in the Coinbase Mobile App
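The last item concerns how an authorization server decides which redirect URI it will send an authorization code to. As an added example (not code from the article, from Coinbase, or from Doorkeeper), the validator below does what RFC 6749 section 3.1.2.2 asks for: the redirect_uri in a request must exactly match one pre-registered for the client, with no prefix or wildcard matching. The client ids and callback URLs are constructed for illustration.

```python
"""Exact-match OAuth redirect_uri validation (RFC 6749 section 3.1.2.2).

Added example, not code from the article or from Coinbase.  The client
registry, client ids and callback URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed registry: each client id maps to its pre-registered redirect
# URIs.  A native (mobile) client registers a custom-scheme callback, a web
# client registers an https one.
REGISTERED_REDIRECT_URIS = {
    "web-client-123": ["https://app.example.com/oauth/callback"],
    "mobile-client-456": ["com.example.wallet://oauth/callback"],
}


def _normalize(uri):
    """Return a comparable tuple for `uri`, or None if it is never acceptable.

    Only scheme and host are case-folded; path and query must match
    byte-for-byte (so "/callback/../x" is not "/callback").  Fragments and
    userinfo are rejected outright, as is plaintext http, which would leak
    the authorization code.  Default ports are deliberately not folded: a
    registered URI without a port only matches a request without one.
    """
    try:
        p = urlsplit(uri)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not p.scheme or p.fragment:
        return None
    if p.username is not None or p.password is not None:
        return None
    scheme = p.scheme.lower()
    if scheme == "http":
        return None
    host = (p.hostname or "").lower()
    netloc = host if port is None else f"{host}:{port}"
    return (scheme, netloc, p.path, p.query)


def is_allowed_redirect(client_id, redirect_uri):
    """True only if redirect_uri exactly matches a URI registered for client_id."""
    candidate = _normalize(redirect_uri)
    if candidate is None:
        return False
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return any(candidate == _normalize(r) for r in registered)


if __name__ == "__main__":
    checks = [
        ("web-client-123", "https://app.example.com/oauth/callback"),
        ("web-client-123", "https://app.example.com.attacker.test/oauth/callback"),
        ("web-client-123", "https://app.example.com/oauth/callback/../x"),
        ("mobile-client-456", "com.example.wallet://oauth/callback"),
    ]
    for client, uri in checks:
        print(f"{client}: {uri} -> {is_allowed_redirect(client, uri)}")
```

The point of the negative cases is that anything looser than equality (matching on host only, on a prefix, or after resolving dot segments) reopens the door that exact matching closes; if a deployment genuinely needs several callbacks, register each one rather than relaxing the comparison.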
Full article | Donncha O'Cearbhaill