whoisjeremylam / enu

Enu API server application

Nonce handling is insecure #38

Closed whoisjeremylam closed 9 years ago

whoisjeremylam commented 9 years ago

The nonce is stored in the HTTP header, which is not part of the calculated signature, thus allowing it to be easily modified in a replay attack.

The nonce needs to be moved into the body of the payload as an optional element.

If it is specified, then it should be checked.
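The flaw this issue describes, as an added example that is not Enu's own code: a mock of a server that signs the request body with HMAC-SHA256 and keeps a set of used nonces, written in Go on the assumption that this matches the server's language. The signing scheme, the JSON "nonce" field name, the key and the payloads are all constructed for the demo. `VerifyHeaderNonce` is the reported design (nonce in a header outside the signed bytes); `VerifyBodyNonce` is the fix the issue asks for (nonce as an optional element of the signed body, checked when present). `ReplayDemo` captures one legitimate request and resends it with a fresh header nonce against both.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// ErrReplay is returned when a nonce has already been consumed.
var ErrReplay = errors.New("nonce already used: replay")

// Request is a captured API call. HeaderNonce models a nonce carried in an
// HTTP header (outside the signed bytes); Body is the raw JSON payload the
// HMAC covers; Signature is hex(HMAC-SHA256(key, Body)). Assumed scheme.
type Request struct {
	HeaderNonce string
	Body        []byte
	Signature   string
}

// Sign computes the request signature the way a client would.
func Sign(key, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Server holds the shared secret and the set of nonces it has accepted.
type Server struct {
	key  []byte
	mu   sync.Mutex
	seen map[string]bool
}

func NewServer(key []byte) *Server {
	return &Server{key: key, seen: make(map[string]bool)}
}

// consume records a nonce; it returns false if the nonce was seen before.
func (s *Server) consume(nonce string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.seen[nonce] {
		return false
	}
	s.seen[nonce] = true
	return true
}

func (s *Server) checkSignature(r Request) error {
	if !hmac.Equal([]byte(Sign(s.key, r.Body)), []byte(r.Signature)) {
		return errors.New("bad signature")
	}
	return nil
}

// VerifyHeaderNonce is the reported design: the nonce is checked, but it lives
// in a header the signature does not cover, so a captured (Body, Signature)
// pair can be resent with any unused header nonce.
func (s *Server) VerifyHeaderNonce(r Request) error {
	if err := s.checkSignature(r); err != nil {
		return err
	}
	if !s.consume(r.HeaderNonce) {
		return ErrReplay
	}
	return nil
}

// VerifyBodyNonce is the fix: the nonce is an optional "nonce" element of the
// signed body and, if present, must be unused. Changing it breaks the signature.
func (s *Server) VerifyBodyNonce(r Request) error {
	if err := s.checkSignature(r); err != nil {
		return err
	}
	var payload struct {
		Nonce string `json:"nonce"`
	}
	if err := json.Unmarshal(r.Body, &payload); err != nil {
		return fmt.Errorf("malformed body: %w", err)
	}
	if payload.Nonce != "" && !s.consume(payload.Nonce) {
		return ErrReplay
	}
	return nil
}

// ReplayDemo sends one legitimate request under each scheme, then replays it
// with only the header nonce changed. It reports whether each scheme accepted
// the replay.
func ReplayDemo() (headerAccepted, bodyAccepted bool) {
	key := []byte("shared-secret-for-demo")                             // constructed
	body := []byte(`{"action":"send","amount":10,"nonce":"n-1001"}`)    // constructed
	legit := Request{HeaderNonce: "n-1001", Body: body, Signature: Sign(key, body)}

	replay := legit // attacker keeps Body and Signature, swaps the header only
	replay.HeaderNonce = "n-9999"

	hdr := NewServer(key)
	headerAccepted = hdr.VerifyHeaderNonce(legit) == nil && hdr.VerifyHeaderNonce(replay) == nil

	bdy := NewServer(key)
	bodyAccepted = bdy.VerifyBodyNonce(legit) == nil && bdy.VerifyBodyNonce(replay) == nil
	return headerAccepted, bodyAccepted
}

func main() {
	h, b := ReplayDemo()
	fmt.Printf("header-nonce scheme accepted replay: %v\n", h) // true
	fmt.Printf("body-nonce scheme accepted replay:   %v\n", b) // false
}
```

One caveat on the "optional element" wording: with the nonce optional, a request that omits it carries no replay protection at all, so a deployment that wants replay resistance has to require the nonce (or bind a timestamp into the signed body) rather than merely check it when present. The `seen` set here also grows without bound; a real server would expire entries, which is another reason to pair the nonce with a signed timestamp.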

bbaas1 commented 9 years ago

fixed