Slide1
Burp Suite Analysis
By Noah Berson
Slide2
Initial Peek
Confirmed the use of OAuth for their SSO system
Able to read user-agent info of the user
Additional tracking data that is being captured
Slide3
Text is slightly obscured here because the username and passwd fields of the login POST were visible in plaintext in the request body
The same values are also easy to read in Burp's parameter view, which lists the POST data in sorted form
Slide4
Logged In cookie
The parameters show a lot of information about the session, which would let someone spoof the session. They also reveal the zip code of the user.
Using Burp Suite's more advanced features, the parameters could be modified in any way the tester wished.
Slide5
3rd party info
We can see the sites Comcast connects to for advertisements. oas.central.Comcast.net looks internal by its domain name but is operated by a different company, possibly through a partnership.
Rubicon Project is an advertising company based in LA.
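The three observations in this deck (credential fields readable in the login POST, a session cookie that carries readable session state and a zip code, and third-party advertising hosts) are the kind of thing a tester spots by eye in Burp's proxy history. The script below, written for this page and not part of the original presentation, automates that first pass over a captured history. The HTTP messages, hostnames, cookie name and field names in it are constructed to resemble the slides and are assumptions, not data from the real capture. One caveat the slides do not state: Burp shows request bodies in plaintext because it terminates TLS itself, so "visible in plaintext in Burp" says nothing about whether the credentials were encrypted on the wire; the check here is only that the values are readable in the body, and transport security is a separate question.

```python
"""First-pass triage of a captured HTTP history, mirroring the deck's observations.

Example code written for this page; the capture below is constructed, not real.
"""
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample proxy history (hostnames, paths and field names are assumptions).
CAPTURE = [
    {
        "request": (
            "POST /login HTTP/1.1\r\n"
            "Host: login.comcast.net\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
            "\r\n"
            "user=alice&passwd=hunter2&remember=1"
        ),
        "response": (
            "HTTP/1.1 302 Found\r\n"
            # Cookie value is URL-encoded "user=alice&zip=19103&ts=1420000000"
            "Set-Cookie: s_login=user%3Dalice%26zip%3D19103%26ts%3D1420000000; Path=/\r\n"
            "Location: /home\r\n\r\n"
        ),
    },
    {"request": "GET /ad HTTP/1.1\r\nHost: oas.central.comcast.net\r\n\r\n",
     "response": "HTTP/1.1 200 OK\r\n\r\n"},
    {"request": "GET /pixel HTTP/1.1\r\nHost: pixel.rubiconproject.com\r\n\r\n",
     "response": "HTTP/1.1 200 OK\r\n\r\n"},
]

CREDENTIAL_FIELD = re.compile(r"^(user(name)?|login|email|pass(wd|word)?|pwd)$", re.I)
ZIP_LIKE = re.compile(r"\b\d{5}\b")


def parse_message(raw):
    """Split a raw HTTP message into (start line, [(lower name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def plaintext_credentials(raw_request):
    """Credential-looking field names sent as readable form fields in a POST body."""
    start, headers, body = parse_message(raw_request)
    if not start.startswith("POST "):
        return []
    ctype = header_values(headers, "content-type")
    if not ctype or "x-www-form-urlencoded" not in ctype[0]:
        return []
    return [k for k, _ in parse_qsl(body, keep_blank_values=True) if CREDENTIAL_FIELD.match(k)]


def audit_set_cookie(set_cookie):
    """Findings for one Set-Cookie header: attributes and whether the value is readable state."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    decoded = unquote(value)
    # A session cookie that decodes to key=value pairs is readable session state:
    # anyone holding it can see and edit the fields, which is what makes spoofing easy.
    fields = dict(parse_qsl(decoded)) if "=" in decoded else {}
    if fields:
        findings.append("structured value: " + ",".join(sorted(fields)))
    if any(k.lower() in ("zip", "zipcode", "postal") for k in fields) or ZIP_LIKE.search(decoded):
        findings.append("contains zip code")
    return name, findings


def hosts_contacted(capture, first_party_suffix):
    """Map each Host header to whether it falls under the first-party domain suffix.

    A host under the first-party suffix can still be run by a partner (the deck
    suspects this of oas.central.comcast.net), so the flag is a hint, not proof.
    """
    hosts = {}
    for entry in capture:
        _, headers, _ = parse_message(entry["request"])
        for h in header_values(headers, "host"):
            hosts[h.lower()] = h.lower().endswith(first_party_suffix)
    return hosts


def triage(capture, first_party_suffix=".comcast.net"):
    """Run all three checks over a capture and return a findings dict."""
    report = {"plaintext_credentials": [], "cookies": {},
              "hosts": hosts_contacted(capture, first_party_suffix)}
    for entry in capture:
        _, req_headers, _ = parse_message(entry["request"])
        host = (header_values(req_headers, "host") or ["?"])[0].lower()
        creds = plaintext_credentials(entry["request"])
        if creds:
            report["plaintext_credentials"].append((host, creds))
        _, resp_headers, _ = parse_message(entry["response"])
        for sc in header_values(resp_headers, "set-cookie"):
            name, findings = audit_set_cookie(sc)
            report["cookies"][name] = findings
    return report


if __name__ == "__main__":
    for key, value in triage(CAPTURE).items():
        print(key, value)
```

Running it against the constructed capture flags `user` and `passwd` in the login POST, reports the `s_login` cookie as lacking Secure and HttpOnly, decodable into `ts`, `user` and `zip`, and carrying a zip code, and lists `pixel.rubiconproject.com` as the only host outside the first-party domain while still showing `oas.central.comcast.net` for manual review.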