Hacking OAuth 2.0


Marcin Hoppe

October 13, 2019

Transcript

Slide 7: Existing resources. Security considerations in RFCs; threat model RFC and security BCP; formal security model. (@marcin_hoppe)

Slide 13: Redirects are tricky. Cookies + state binding in URL; UA navigates in and out of the page; potential for CSRF, session fixation, open redirects...

Slide 24: Protocols as FSMs. Each prompt is a state; only some state transitions allowed; security properties for states and transitions.

Slide 25: How to generate FSMs? Source: ideal but difficult; runtime: test instrumentation; DOT language + GraphViz.

Slide 30: Marcin Hoppe, Senior Manager Product Security, Auth0. Security Working Group, Node.js Foundation. Project Leader, OWASP Serverless Top 10. marcin.hoppe @ auth0.com, twitter.com/Marcin_Hoppe
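The two points from slides 13 and 24, the `state` value bound to the user's cookie and the client side of the flow treated as an FSM that only allows certain transitions, worked through as an added example (not code from the talk or from Auth0). The endpoints, client id and redirect URI are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client id, constructed for this example (not from the talk).
AUTHZ_ENDPOINT = "https://issuer.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example/callback"

# Tiny FSM for the client side of the code flow: only these (state, event) pairs are legal.
TRANSITIONS = {("idle", "start"): "awaiting_callback",
               ("awaiting_callback", "callback"): "have_code"}

class ProtocolViolation(Exception):
    pass

class OAuthClientSession:
    """One user's flow; `state_cookie` stands in for a value kept in the session cookie."""
    def __init__(self):
        self.fsm = "idle"
        self.state_cookie = None

    def _next(self, event):
        nxt = TRANSITIONS.get((self.fsm, event))
        if nxt is None:
            raise ProtocolViolation(f"event {event!r} not allowed in state {self.fsm!r}")
        return nxt

    def begin(self):
        """Build the authorization redirect; the fresh state is bound to this session."""
        self.fsm = self._next("start")
        self.state_cookie = secrets.token_urlsafe(32)
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "state": self.state_cookie}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Accept the code only if the URL's state equals the cookie-bound state."""
        nxt = self._next("callback")  # rejects a callback that arrives out of order
        q = parse_qs(urlparse(callback_url).query)
        presented = q.get("state", [""])[0].encode()
        if not hmac.compare_digest(presented, (self.state_cookie or "").encode()):
            raise ProtocolViolation("state mismatch: possible CSRF or session fixation")
        self.state_cookie = None  # single use, so a replayed callback cannot match
        self.fsm = nxt
        return q.get("code", [None])[0]

def rejects(session, callback_url):
    """True if the session refuses this callback (used to show the checks firing)."""
    try:
        session.handle_callback(callback_url)
        return False
    except ProtocolViolation:
        return True
```

A callback with a foreign `state`, a replayed callback, or a callback with no preceding authorization request all fail the FSM or the binding check, while the session that issued the redirect accepts exactly one matching callback.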