Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking OAuth 2.0

Avatar for Marcin Hoppe Marcin Hoppe
October 13, 2019
Programming
0
51

Hacking OAuth 2.0

Avatar for Marcin Hoppe

Marcin Hoppe

October 13, 2019
Tweet

More Decks by Marcin Hoppe

See All by Marcin Hoppe
Przepraszam, czy można?
Avatar for Marcin Hoppe marcinhoppe
0
28
Problemy z JSON Web Tokens ... i garść rozwiązań
Avatar for Marcin Hoppe marcinhoppe
0
60
JSON Web Tokens. Problemy i rozwiązania
Avatar for Marcin Hoppe marcinhoppe
0
130

Other Decks in Programming

See All in Programming
#kanrk08 / 公開版 PicoRubyとマイコンでの自作トレーニング計測装置を用いたワークアウトの理想と現実
Avatar for bash0C7 bash0c7
1
680
Systèmes distribués, pour le meilleur et pour le pire - BreizhCamp 2025 - Conférence
Avatar for Sébastien LECACHEUR slecache
0
120
生成AIコーディングとの向き合い方、AIと共創するという考え方 / How to deal with generative AI coding and the concept of co-creating with AI
Avatar for shiro seike seike460
PRO
1
350
Kotlin エンジニアへ送る:Swift 案件に参加させられる日に備えて~似てるけど色々違う Swift の仕様 / from Kotlin to Swift
Avatar for Elvis Shi lovee
1
260
Quand Symfony, ApiPlatform, OpenAI et LangChain s'allient pour exploiter vos PDF : de la théorie à la production…
Avatar for Ahmed EBEN HASSINE ahmedbhs123
0
130
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
Avatar for Hayato OKUMOTO falcon8823
5
1.1k
都市をデータで見るってこういうこと PLATEAU属性情報入門
Avatar for nokonoko1203 nokonoko1203
1
590
Composerが「依存解決」のためにどんな工夫をしているか #phpcon
Avatar for hideki kinjyo o0h
PRO
1
250
VS Code Update for GitHub Copilot
Avatar for 74th(Atsushi Morimoto) 74th
2
610
High-Level Programming Languages in AI Era -Human Thought and Mind-
Avatar for Hayato Ishida hayat01sh1da
PRO
0
720
AIコーディング道場勉強会#2 君(エンジニア)たちはどう生きるか
Avatar for misaki.otb misakiotb
1
280
LINEヤフー データグループ紹介
Avatar for LINEヤフー株式会社 採用情報 lycorp_recruit_jp
0
2k

Featured

See All Featured
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
207
24k
Docker and Python
Avatar for Tania Allard trallard
44
3.5k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
31
8.7k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
17
950
Faster Mobile Websites
Avatar for Dean Hume deanohume
307
31k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
10
940
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
125
52k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
45
7.5k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k

Transcript

  1. Hacking
 
 
 OAuth 2.0 @marcin_hoppe

  2. Past, present, and future @marcin_hoppe ... told by one security

    team

  3. IDaaS Identity protocols Product security team @marcin_hoppe

  4. Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT

    WS-Federation

  5. @marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code

    access token

  6. How to test for security flaws? @marcin_hoppe

  7. Existing resources Security considerations in RFCs Threat model RFC and

    security BCP Formal security model @marcin_hoppe

  8. Good enough? @marcin_hoppe

  9. No, but a great start! @marcin_hoppe

  10. OAuth attack library Structured attack documentation Useful for offensive security

    crowd Automation! @marcin_hoppe
  11. None

  12. Meanwhile in the real world... @marcin_hoppe

  13. Redirects are tricky Cookies + state binding in URL UA

    navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe

  14. Existing resources are generic! @marcin_hoppe

  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None

  23. Generic threat models do not cover this complexity! @marcin_hoppe

  24. Protocols as FSMs Each prompt is a state Only some

    state transitions allowed Security properties for states and transitions @marcin_hoppe

  25. How to generate FSMs? Source: ideal but difficult Runtime: test

    instrumentation DOT language + GraphViz @marcin_hoppe

  26. Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs

    @marcin_hoppe

  27. Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent

  28. How to analyze FSMs? Threat modeling: STRIDE State bypass Session

    management @marcin_hoppe

  29. Takeaways Protocol testing is hard Existing resources: useful but generic

    FSMs help with specific systems @marcin_hoppe

  30. Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group

    Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe

  31. Ask me anything! @marcin_hoppe