Issue 77: Vulnerabilities in GitLab, OAuth 2.1 draft is out


This week, GitLab has fixed several vulnerabilities, including API vulnerabilities, and the draft for OAuth 2.1 has been released.

If you find yourself stuck at home with extra time in your hands, why not check out the free course on web security that Stanford University is offering?

Vulnerability: GitLab

GitLab has released a new security release that fixes, among other things, a couple of API vulnerabilities:

  • Insufficient access verification in the API allowed external users to create personal snippets.
  • The GraphQL API leaked namespaces of private projects through GitLab issues that were opened in a public project and then moved to the private one.

The details on both are a bit skimpy, but hopefully more will be available once CVEs are assigned.

Standards: OAuth 2.1

The draft of the OAuth 2.1 Authorization Framework has been published. It is not radically different from OAuth 2.0; rather, it consolidates the latest security best practices into the core specification. (Aaron had a great blog post explaining the rationale behind the update.)

The main changes to highlight are:

  • Proof Key for Code Exchange (PKCE) is now required for authorization code grant.
  • Exact matching is required for redirect URIs.
  • Refresh tokens are now sender-constrained or one-time use only.
  • Implicit grant and Resource Owner Password Credentials grant have been removed.
  • Bearer tokens in query parameters are no longer allowed.
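As an added example (not part of the newsletter or the OAuth draft itself), the snippet below shows what the first two items look like in code: a client generating a PKCE code_verifier and S256 code_challenge, the authorization server re-deriving the challenge at token exchange, and exact (not prefix or wildcard) redirect URI matching. The client URI and registered values are illustrative.

```python
import base64
import hashlib
import secrets


def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random code_verifier of 43-128 unreserved characters.
    32 random bytes encode to exactly 43 base64url characters."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    Only the challenge travels in the authorization request."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the
    challenge that was stored with the authorization code and compare it
    in constant time. A stolen code without the verifier fails here."""
    return secrets.compare_digest(stored_challenge,
                                  make_code_challenge(presented_verifier))


def redirect_uri_allowed(registered: list[str], requested: str) -> bool:
    """OAuth 2.1 requires exact string comparison of redirect URIs:
    no prefix matching, no wildcards, no normalisation."""
    return any(secrets.compare_digest(r, requested) for r in registered)


def authorization_request_params(client_id: str, redirect_uri: str,
                                 verifier: str) -> dict:
    """Query parameters a client sends to the authorization endpoint
    (constructed example values; the verifier itself is kept locally)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": _b64url(secrets.token_bytes(16)),
    }
```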

Education: Stanford CS 253 Web Security

Stanford University has made its Web Security course from last fall freely accessible. The course resources include everything from videos and lecture slides to reading material and assignments.

The covered topics include:

  • Principles of web security
  • Attacks and countermeasures
  • Browser security model
  • Web app vulnerabilities
  • Injections
  • Denial-of-service (DoS)
  • TLS attacks
  • Privacy
  • Fingerprinting
  • Same-origin policy
  • Cross-site scripting (XSS)
  • Authentication
  • JavaScript security
  • Emerging threats
  • Defense-in-depth
  • Techniques for writing secure code

For hands-on exercises, the course offers projects on writing security exploits, defending insecure web apps, and implementing emerging web standards.

