Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking OAuth 2.0
Search
Marcin Hoppe
October 13, 2019
Programming
0
53
Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Tweet
Share
More Decks by Marcin Hoppe
See All by Marcin Hoppe
Przepraszam, czy można?
marcinhoppe
0
31
Problemy z JSON Web Tokens ... i garść rozwiązań
marcinhoppe
0
64
JSON Web Tokens. Problemy i rozwiązania
marcinhoppe
0
130
Other Decks in Programming
See All in Programming
15年続くIoTサービスの SREエンジニアが挑む 分散トレーシング導入
melonps
2
200
Honoを使ったリモートMCPサーバでAIツールとの連携を加速させる!
tosuri13
1
180
CSC307 Lecture 04
javiergs
PRO
0
660
SourceGeneratorのススメ
htkym
0
200
AIによるイベントストーミング図からのコード生成 / AI-powered code generation from Event Storming diagrams
nrslib
2
1.9k
フロントエンド開発の勘所 -複数事業を経験して見えた判断軸の違い-
heimusu
7
2.8k
登壇資料を作る時に意識していること #登壇資料_findy
konifar
4
1.2k
AIによる開発の民主化を支える コンテキスト管理のこれまでとこれから
mulyu
3
300
Oxlintはいいぞ
yug1224
5
1.3k
0→1 フロントエンド開発 Tips🚀 #レバテックMeetup
bengo4com
0
570
Grafana:建立系統全知視角的捷徑
blueswen
0
330
MUSUBIXとは
nahisaho
0
130
Featured
See All Featured
Unlocking the hidden potential of vector embeddings in international SEO
frankvandijk
0
170
Thoughts on Productivity
jonyablonski
74
5k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.7k
Building Applications with DynamoDB
mza
96
6.9k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.8k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
230
WENDY [Excerpt]
tessaabrams
9
36k
Making the Leap to Tech Lead
cromwellryan
135
9.7k
Become a Pro
speakerdeck
PRO
31
5.8k
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
inesmontani
PRO
0
220
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future @marcin_hoppe ... told by one security
team
IDaaS Identity protocols Product security team @marcin_hoppe
Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT
WS-Federation
@marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code
access token
How to test for security flaws? @marcin_hoppe
Existing resources Security considerations in RFCs Threat model RFC and
security BCP Formal security model @marcin_hoppe
Good enough? @marcin_hoppe
No, but a great start! @marcin_hoppe
OAuth attack library Structured attack documentation Useful for offensive security
crowd Automation! @marcin_hoppe
None
Meanwhile in the real world... @marcin_hoppe
Redirects are tricky Cookies + state binding in URL UA
navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
Existing resources are generic! @marcin_hoppe
None
None
None
None
None
None
None
None
Generic threat models do not cover this complexity! @marcin_hoppe
Protocols as FSMs Each prompt is a state Only some
state transitions allowed Security properties for states and transitions @marcin_hoppe
How to generate FSMs? Source: ideal but difficult Runtime: test
instrumentation DOT language + GraphViz @marcin_hoppe
Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs
@marcin_hoppe
Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent
How to analyze FSMs? Threat modeling: STRIDE State bypass Session
management @marcin_hoppe
Takeaways Protocol testing is hard Existing resources: useful but generic
FSMs help with specific systems @marcin_hoppe
Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group
Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
Ask me anything! @marcin_hoppe
marcinhoppe
melonps
tosuri13
javiergs
htkym
nrslib
heimusu
konifar
mulyu
yug1224
bengo4com
blueswen
nahisaho
frankvandijk
jonyablonski
chriscoyier
keithpitt
bcantrill
mza
reverentgeek
baasie
tessaabrams
cromwellryan
speakerdeck
inesmontani
