
In the case of Attack scenario 2, I do not get why in a secure design you would ever forward the client originating data to the auth service. This is more of a broken best practice than a footgun to me.

The logic should be "Parse, don't validate"[0] and after that you work on those parsed data.

[0]: https://hn.algolia.com/?q=https%3A%2F%2Flexi-lambda.github.i...
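As an added illustration of the "parse, don't validate" point above (example code written for this page, not from the commenter or any project discussed): the gateway parses the client body once into a strict typed value and forwards only a fresh serialization of that value, never the raw bytes. The sample body, the `AuthRequest` type, the allowed scopes and the hypothetical downstream parser are all constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample body: a duplicate "scope" key and an unexpected field.
RAW_BODY = b'{"user": "alice", "scope": "read", "scope": "admin", "debug": true}'

# Hypothetical policy for this example only.
ALLOWED_SCOPES = {"read", "write"}


class ParseError(ValueError):
    """Raised when the body does not match the expected shape exactly."""


@dataclass(frozen=True)
class AuthRequest:
    """The parsed value: everything after this point works on these fields."""
    user: str
    scope: str


def _reject_duplicate_keys(pairs):
    """object_pairs_hook that refuses ambiguous JSON instead of picking a winner."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ParseError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse_auth_request(raw: bytes) -> AuthRequest:
    """Parse the client body into an AuthRequest or fail; no partial acceptance."""
    try:
        obj = json.loads(raw, object_pairs_hook=_reject_duplicate_keys)
    except json.JSONDecodeError as exc:
        raise ParseError(f"invalid JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"user", "scope"}:
        raise ParseError("body must contain exactly the keys user and scope")
    user, scope = obj["user"], obj["scope"]
    if not isinstance(user, str) or not user.isalnum():
        raise ParseError("user must be an alphanumeric string")
    if not isinstance(scope, str) or scope not in ALLOWED_SCOPES:
        raise ParseError("scope not permitted")
    return AuthRequest(user=user, scope=scope)


def is_accepted(raw: bytes) -> bool:
    """Convenience predicate: does the gateway parser accept this body?"""
    try:
        parse_auth_request(raw)
        return True
    except ParseError:
        return False


def forward_parsed(req: AuthRequest) -> bytes:
    """Build the downstream message from the parsed value, not the client bytes."""
    return json.dumps({"user": req.user, "scope": req.scope}, sort_keys=True).encode()


def downstream_view(raw: bytes) -> dict:
    """Hypothetical auth service that re-parses whatever it is handed with a
    permissive parser (json.loads keeps the last duplicate key)."""
    return json.loads(raw)


if __name__ == "__main__":
    # The strict parser rejects the ambiguous body outright ...
    print("gateway accepts:", is_accepted(RAW_BODY))
    # ... while a service that received the raw bytes would see the last "scope".
    print("downstream would see scope:", downstream_view(RAW_BODY)["scope"])
    clean = parse_auth_request(b'{"user": "alice", "scope": "read"}')
    print("forwarded:", forward_parsed(clean))
```

The point of the two forwarding paths is that the downstream service never gets a chance to interpret the client's bytes differently from the gateway: the only thing it receives is what the gateway's parser already committed to.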



See: https://bsky.app/profile/filippo.abyssdomain.expert/post/3le... that was about a signature wrapping attack in crypto, but it also applies here.



