Security updates link

Chrome release schedule: https://chromestatus.com/roadmap

Credential stealing mechanisms (MITRE ATT&CK TA0006, Credential Access): https://attack.mitre.org/versions/v10/tactics/TA0006/

pflags, pldd, pmap, pstack: Linux process/core analysis commands

1) Get the process ID of the suspect process:

   # ps -eaf | grep -i suspect_process      (the second column is the process ID)

2) Capture the call stack and memory map of that process ID:

   # pstack core.<proc_id>
   # pstack proc_id > pstack_core.out       (call stack of every thread in the process)
   # pmap proc_id > pmap_core.out           (memory map of the process)

pmap lists one line per mapping with these columns:

Address:  start address of the map
Kbytes:   size of the map in kilobytes
RSS:      resident set size in kilobytes
Dirty:    dirty pages (both shared and private) in kilobytes
Mode:     permissions on the map: read, write, execute, shared, private (copy on write)
Mapping:  backing file name, '[ anon ]' for allocated memory, or '[ stack ]' for the program stack
Offset:   offset into the file
Device:   device name (major:minor)

3) Record the process flags and the libraries it has loaded:

   # pflags proc_id > pflags_core.out       (prints the process flags)
   # pldd proc_id > pldd_core.out           (lists the shared libraries loaded by the process)
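Once pmap_core.out has been captured, the interesting question for an analyst is which mappings are both writable and executable, or executable without a backing file: that is where injected or JIT-generated code lives. The parser below is an added example and not part of the original notes; it reads the column layout described above from a constructed `pmap -x` sample (the addresses, sizes and file names are made up) and flags those mappings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `pmap -x <pid>` output, shaped like the column list above.
# It is not captured from a real host; addresses, sizes and names are made up.
SAMPLE_PMAP_X = """\
4242:   /usr/local/bin/suspect_process
Address           Kbytes     RSS   Dirty Mode  Mapping
000055d0c1e00000     132     132       0 r-x-- suspect_process
000055d0c2020000       4       4       4 r---- suspect_process
000055d0c2021000       4       4       4 rw--- suspect_process
00007f1a3c000000     196     196     196 rwx-- [ anon ]
00007f1a3c400000    1984     660       0 r-x-- libc.so.6
00007f1a3c9f0000      16      16      16 rw--- libc.so.6
00007f1a3ca00000     512     512     512 rwxs- /dev/shm/.cache
00007ffc5e3b0000     132      16      16 rw--- [ stack ]
---------------- ------- ------- -------
total kB            2980    1544     752
"""


@dataclass
class Mapping:
    address: int   # start address of the map
    kbytes: int    # size of the map in kilobytes
    rss: int       # resident set size in kilobytes
    dirty: int     # dirty pages (shared and private) in kilobytes
    mode: str      # e.g. "r-x--": read, write, execute, shared, private
    mapping: str   # backing file, "[ anon ]" or "[ stack ]"

    @property
    def writable(self) -> bool:
        return "w" in self.mode

    @property
    def executable(self) -> bool:
        return "x" in self.mode

    @property
    def anonymous(self) -> bool:
        return self.mapping.startswith("[")


# A data row: hex address, three decimal columns, a mode string, then the mapping name.
ROW_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+)$")


def parse_pmap_x(text: str) -> List[Mapping]:
    """Parse `pmap -x` output; the pid line, header, separator and total are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(Mapping(int(m.group(1), 16), int(m.group(2)), int(m.group(3)),
                            int(m.group(4)), m.group(5), m.group(6).strip()))
    return rows


def find_wx_mappings(rows: List[Mapping]) -> List[Mapping]:
    """Writable+executable maps violate W^X and are the usual home of injected or JIT code."""
    return [r for r in rows if r.writable and r.executable]


def find_exec_not_from_file(rows: List[Mapping]) -> List[Mapping]:
    """Executable code with no file behind it (anonymous memory) deserves a closer look."""
    return [r for r in rows if r.executable and r.anonymous]


def resident_kb_by_mapping(rows: List[Mapping]) -> Dict[str, int]:
    """Sum RSS per backing object, which shows what the process actually has paged in."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r.mapping] = totals.get(r.mapping, 0) + r.rss
    return totals


if __name__ == "__main__":
    rows = parse_pmap_x(SAMPLE_PMAP_X)
    for r in find_wx_mappings(rows):
        print(f"W+X map at {r.address:#x} ({r.kbytes} kB) -> {r.mapping}")
    for r in find_exec_not_from_file(rows):
        print(f"executable anonymous map at {r.address:#x} ({r.kbytes} kB)")
```

Replace `SAMPLE_PMAP_X` with the contents of pmap_core.out to run it against a real capture; a mapping such as the `rwxs-` one backed by a file under /dev/shm is worth correlating with the pldd output, since a legitimately loaded library normally shows up there with a separate read-only and writable mapping rather than a single writable, executable, shared one.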

OpenID Connect Flows and Endpoints

Basic OpenID Connect Flow with major endpoints

| OIDC Endpoint | Description | Output | General Endpoint (subject to customization) |
|---|---|---|---|
| Issuer Endpoint / Base URL | The parent URL, which forms the base URL for the other endpoints | NA | http://hostname/default |
| Authorization Endpoint | Used for authentication by the resource owner | authorization code | /authorize |
| Token Endpoint | Used for retrieving the access token | access token | /token |
| User Info Endpoint | Used for retrieving claims about the user | user identity information | /userinfo |
| Introspection Endpoint | Returns the current status of an access token, refresh token or ID token | true/false | /introspect |
| Revocation Endpoint | Acts as the termination point for an access token / refresh token | 200 OK, no tokens returned | /revoke |
| Logout Endpoint | Logs out the underlying session on the server | redirects to the configured sign-in or output page | /logout |
| Discovery Endpoint | Lists the supported endpoints, supported signing algorithms and locale information | Provider Metadata | /.well-known/openid-configuration |

Sample Example

Authorize Endpoint

  Input request:

    https://server.provider.com/authorize?response_type=code
      &client_id=222334
      &redirect_uri=https%3A%2F%2Fclient.test.org%2Fcb
      &scope=openid%20profile
      &state=statedata

  Output response:

    HTTP/1.1 302 Found
    Location: https://client.example.org/cb?
      code=SplxlOBeZQQYbYS6WxSbIA
      &state=af0ifjsldkj

Token Endpoint

  Input request:

    POST /token HTTP/1.1
    Host: server.provider.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

  Output response:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store
    Pragma: no-cache

    {
      "access_token": "SlAV32hkKG",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
      "id_token": "eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso"
    }

UserInfo Endpoint

  Input request:

    GET /userinfo HTTP/1.1
    Host: server.provider.com
    Authorization: Bearer SlAV32hkKG

  Output response (custom claims based on the requested scopes):

    {
      "sub": "222222",
      "name": "test User",
      "given_name": "test",
      "preferred_username": "zelensky",
      "email": "testUser@provider.com"
    }

Reference: https://openid.net/specs/openid-connect-basic-1_0.html
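The exchange above is the authorization code flow seen from the relying party. The code below is an added example, not code from the original page or from any provider; it builds the same three requests (authorize, token, userinfo) against the page's example endpoints and shows the checks a client must make on the way: the `state` it sent must come back unchanged before the code is used, the client secret (a placeholder here) goes in the HTTP Basic header exactly as in the sample, and the token response must actually contain a Bearer access token and an id_token. Nothing is sent over the network; `run_flow_offline` walks the flow with a constructed callback and token response.

```python
import base64
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints and client id come from the sample above; the secret is a placeholder.
PROVIDER = "https://server.provider.com"
CLIENT_ID = "222334"
CLIENT_SECRET = "example-client-secret"           # placeholder, not a real credential
REDIRECT_URI = "https://client.example.org/cb"


def build_authorize_url(state: str, scope: str = "openid profile") -> str:
    """Step 1: the browser is sent to the authorization endpoint with a fresh state."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{PROVIDER}/authorize?{urlencode(params)}"


def parse_callback(location: str, expected_state: str) -> str:
    """Step 2: the provider redirects back; state must match before the code is trusted."""
    query = parse_qs(urlsplit(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a response meant for another session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str) -> Tuple[str, Dict[str, str], str]:
    """Step 3: exchange the code at the token endpoint, client credentials in HTTP Basic."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})   # must equal the one used in step 1
    return f"{PROVIDER}/token", headers, body


def validate_token_response(resp: dict) -> str:
    """Step 4: a usable OIDC token response has a Bearer access token and an id_token."""
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    for key in ("access_token", "id_token"):
        if not resp.get(key):
            raise ValueError(f"token response lacks {key}")
    return resp["access_token"]


def build_userinfo_request(access_token: str) -> Tuple[str, Dict[str, str]]:
    """Step 5: the access token is presented as a Bearer token to /userinfo."""
    return f"{PROVIDER}/userinfo", {"Authorization": f"Bearer {access_token}"}


def run_flow_offline():
    """Walk the whole flow with a constructed callback and token response (no network)."""
    state = secrets.token_urlsafe(16)             # unguessable, one per login attempt
    auth_url = build_authorize_url(state)
    # Constructed redirect, shaped like the 302 Location in the sample above.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    token_url, headers, body = build_token_request(code)
    constructed_response = {"access_token": "SlAV32hkKG", "token_type": "Bearer",
                            "expires_in": 3600, "id_token": "constructed.id.token"}
    access = validate_token_response(constructed_response)
    return auth_url, code, token_url, headers, body, access


if __name__ == "__main__":
    auth_url, code, token_url, headers, body, access = run_flow_offline()
    print("authorize:", auth_url)
    print("token request:", token_url, headers["Authorization"][:12] + "...", body)
    print("userinfo request:", build_userinfo_request(access))
```

The state value is the piece most often skipped in hand-rolled clients; without it an attacker can make a victim's browser complete a login with the attacker's code, so the check in `parse_callback` runs before anything else. Verifying the id_token signature and claims is a separate step, covered in the AMR example further down.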

AMR values

AMR and values

OpenID Connect supports AMR values for continuous authentication flows.

The following questions are answered in this post:

What is the AMR value in OpenID Connect?

What values are supported?

AMR stands for Authentication Methods References.

AMR is a claim carried among the JWT claims.

It is registered in the IANA "JSON Web Token Claims" registry:

https://www.iana.org/assignments/jwt/jwt.xhtml#claims

As per https://openid.net/specs/openid-connect-core-1_0.html, amr is an optional claim.

Examples of an amr claim in a JWT:

amr: [PWD, OTP]

amr: [POP]

The amr value is an array of case-sensitive strings.

AMR Values and description

The following are the OAuth AMR values and their descriptions.

| AMR | Description |
|---|---|
| PWD | Password-based authentication |
| OTP | One-time password, could be an SMS OTP |
| wia | Windows integrated authentication, includes Kerberos or NTLM |
| retina | Biometric authentication based on the retina |
| pop | Proof of possession, the parent category for software and hardware keys |
| swk | Software key, such as a certificate |
| hwk | Hardware key, such as a swipe card |
| sms | Confirmation using SMS |
| tel | Confirmation by telephone call |
| face | Facial biometric authentication |
| fpt | Fingerprint biometric authentication |
| geo | Geolocation information for authentication |
| kba | Knowledge-based authentication |
| PIN | Pattern or PIN number type of authentication |
| rba | Risk-based authentication |
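A relying party reads amr to decide whether the session it is about to create was strongly authenticated, and that decision is only meaningful if the token's signature has been verified first. The code below is an added example, not from the original post or the OpenID specifications; it signs a constructed ID token with HS256 and a throwaway demo key (a real provider uses its own keys, usually RS256, published through the discovery endpoint), verifies it, validates that amr is an array of strings as the spec requires, and applies a policy of this example's own: the registered lowercase values from the table above are grouped into knowledge, possession and inherence factors, and a login counts as multi-factor only when two different groups are present.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List

# Constructed HMAC key for the demo only; real ID tokens are verified with the
# provider's published keys, not a shared secret.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 (the demo 'provider')."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature before any claim is read; reject unexpected algorithms."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


# Policy of this example: which registered amr values count as which factor type.
# Values are matched case-sensitively, as the spec requires.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "sms", "tel", "pop", "swk", "hwk"}
INHERENCE = {"face", "fpt", "retina"}


def amr_values(claims: dict) -> List[str]:
    """amr is optional; when present it must be a JSON array of case-sensitive strings."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def is_multi_factor(amr: List[str]) -> bool:
    """Two distinct factor categories (pwd + otp) are multi-factor; pwd + pin is not."""
    groups = (("knowledge", KNOWLEDGE), ("possession", POSSESSION), ("inherence", INHERENCE))
    present = {name for name, members in groups if any(v in members for v in amr)}
    return len(present) >= 2


def constructed_id_token(amr: List[str]) -> str:
    """Build a demo ID token carrying the given amr array (constructed claims)."""
    now = int(time.time())
    claims = {"iss": "https://server.provider.com", "sub": "222222", "aud": "222334",
              "iat": now, "exp": now + 3600, "amr": amr}
    return sign_hs256(claims, DEMO_KEY)


def check_token(token: str, key: bytes = DEMO_KEY) -> bool:
    """Verify, check expiry, then report whether the amr claim shows multi-factor login."""
    claims = verify_hs256(token, key)
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return is_multi_factor(amr_values(claims))


if __name__ == "__main__":
    for amr in (["pwd", "otp"], ["pwd", "pin"], ["face"], []):
        print(amr, "->", "multi-factor" if check_token(constructed_id_token(amr)) else "single factor")
```

The grouping is the relying party's policy, not something the specification fixes; what the spec does fix is that amr is optional and, when present, an array of case-sensitive strings, which is why `amr_values` rejects a bare string or a mixed array rather than silently treating it as "no amr".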


Authentication & Session Management practices for browser-based flows

The following guidelines help keep the authentication process secure.

For User Authentication

  • Credentials must not be stored in browsers or other insecure locations.
  • Application logs must not record sensitive data such as passwords.
  • Perform two-factor authentication.
  • Login requests must be POST requests over HTTPS.
  • Password reset must ask for the old password.
  • Passwords must mandate a minimum character set and special characters.

Once the user logs in, the session needs to be managed.

For Session Management

  • Prefer host-based cookies over domain-based cookies.
  • Mandate the Secure, HttpOnly and SameSite attributes for cookies.
  • Do not log cookie values in application logs.
  • Sessions must have idle and maximum (absolute) timeouts.
  • Must support a logout feature.
  • Must validate the user on every request carrying the cookie.
  • Allow server-side termination of sessions so that an already logged-in user can be blocked.
  • Option to cap the number of concurrent sessions.
  • The cookie must be bound to the client IP or other client-machine-specific information to avoid replay attacks.
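The session-management points above fit into one small server-side session store. The code below is an added example and not from the original page; it issues a host-prefixed cookie with the Secure, HttpOnly and SameSite attributes, keeps all session state on the server so the cookie only carries a random id, validates on every request with both an idle and an absolute timeout, binds the session to a client fingerprint (the page's IP-binding advice, with its NAT caveat noted in a comment), caps concurrent sessions per user, and offers logout plus a server-side kill switch. The timeout and cap values are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values for this example (assumed; tune per application).
IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session expires
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime from login, regardless of activity
MAX_SESSIONS_PER_USER = 3       # cap on concurrent sessions per user

# __Host- prefix: browsers accept it only with Secure, Path=/ and no Domain attribute,
# so the cookie can never be scoped to a parent domain (host-based, not domain-based).
COOKIE_NAME = "__Host-session"


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session cookie with Secure, HttpOnly and SameSite set."""
    return f"Set-Cookie: {COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


@dataclass
class Session:
    user: str
    created: float      # login time, drives the absolute timeout
    last_seen: float    # last validated request, drives the idle timeout
    fingerprint: str    # client IP / device information the cookie is bound to
    revoked: bool = False


class SessionStore:
    """Server-side session table; the cookie only ever carries the random session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float, fingerprint: str) -> str:
        """Create a session after successful authentication, enforcing the per-user cap."""
        active = sorted((s.created, sid) for sid, s in self._sessions.items()
                        if s.user == user and not s.revoked)
        while len(active) >= MAX_SESSIONS_PER_USER:   # evict the oldest sessions first
            _, oldest = active.pop(0)
            self._sessions[oldest].revoked = True
        sid = secrets.token_urlsafe(32)               # 256 bits of entropy, unguessable
        self._sessions[sid] = Session(user, now, now, fingerprint)
        return sid

    def validate(self, sid: str, now: float, fingerprint: str) -> Optional[str]:
        """Run on every request carrying the cookie; returns the user or None."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return None
        # A stolen cookie replayed from another client (different IP/device) is rejected.
        # Caveat: pure IP binding breaks for users behind NAT pools or on mobile networks,
        # so production deployments usually combine it with other client attributes.
        if fingerprint != s.fingerprint:
            s.revoked = True
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> bool:
        """User-initiated logout; the cookie value becomes useless immediately."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return False
        s.revoked = True
        return True

    def terminate_user(self, user: str) -> int:
        """Server-side kill switch: revoke every live session of a user, e.g. after compromise."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", 1000.0, "198.51.100.7")
    print(set_cookie_header(sid))
    print("same client:", store.validate(sid, 1100.0, "198.51.100.7"))
    print("other client:", store.validate(sid, 1100.0, "203.0.113.9"))
```

Because the session id is the only thing the browser holds, logging the cookie header (the "do not log cookies" point) would hand anyone with log access a live session; the store keeps the user, timestamps and fingerprint on the server so that nothing in the cookie needs protecting beyond its randomness.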