Closed whoisjeremylam closed 9 years ago
The nonce is stored in the HTTP header which is not part of the calculated signature, thus allowing it to be easily modified in a replay attack.
The nonce needs to be moved into the body of the payload as an optional element.
If it is specified, then it should be checked.
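To make the defect concrete, here is an added Python example (not code from this project) that contrasts a verifier which reads the nonce from an unsigned HTTP header with one that reads it from the signed body, as the issue proposes. The HMAC-SHA256 scheme, the `X-Nonce` header name and the shared secret are assumptions for the illustration.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real service provisions one per client.
SECRET = b"example-shared-secret"


def sign_body(body: dict) -> str:
    """HMAC-SHA256 over the canonical JSON encoding of the request body only."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, canonical, hashlib.sha256).hexdigest()


class Verifier:
    """Server-side verifier that remembers every nonce it has already accepted."""

    def __init__(self):
        self.seen_nonces = set()

    def verify_header_nonce(self, headers: dict, body: dict, signature: str) -> bool:
        """Weak variant (the issue): the nonce travels in a header outside the signed data,
        so a captured body+signature pair stays valid when the header is changed."""
        if not hmac.compare_digest(sign_body(body), signature):
            return False
        nonce = headers.get("X-Nonce")
        if nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        return True

    def verify_body_nonce(self, body: dict, signature: str) -> bool:
        """Fixed variant: the optional nonce is part of the signed body; if present it is
        checked against the seen set, and altering it invalidates the signature."""
        if not hmac.compare_digest(sign_body(body), signature):
            return False
        nonce = body.get("nonce")
        if nonce is not None:
            if nonce in self.seen_nonces:
                return False
            self.seen_nonces.add(nonce)
        return True
```

The seen-nonce set is an in-memory stand-in; a deployment would bound it by a timestamp window or expire entries.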
fixed