You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The app is entirely stateless and doesn't check the state or nonce parameters to double check that a received login request actually originated with this sample app.
As a result, an attacker who can convince a user to follow a link will be able to cause them to log in to the sample app even without directly visiting it first.
This has low impact even for production service providers, but it would still be good to set a better example here.
This is referenced in mastiffwasp-7
The text was updated successfully, but these errors were encountered:
The app is entirely stateless and doesn't check the state or nonce parameters to double check that a received login request actually originated with this sample app.
As a result, an attacker who can convince a user to follow a link will be able to cause them to log in to the sample app even without directly visiting it first.
This has low impact even for production service providers, but it would still be good to set a better example here.
This is referenced in mastiffwasp-7
The text was updated successfully, but these errors were encountered: