
Hacking OAuth 2.0


Marcin Hoppe

October 13, 2019



Transcript

  1. Existing resources: the security considerations sections in the OAuth RFCs; the threat model RFC (RFC 6819) and the OAuth 2.0 Security BCP; a formal security model. @marcin_hoppe
  2. Redirects are tricky: cookies + state binding in the URL; the UA navigates in and out of the page; potential for CSRF, session fixation, open redirects, ...
  3. Protocols as FSMs: each prompt is a state; only some state transitions are allowed; security properties are stated for states and transitions.
  4. How to generate FSMs? From source: ideal but difficult. At runtime: test instrumentation, emitting the DOT language and rendering with GraphViz.
  5. Marcin Hoppe, Senior Manager Product Security at Auth0; Security Working Group, Node.js Foundation; Project Leader, OWASP Serverless Top 10. marcin.hoppe @ auth0.com, twitter.com/Marcin_Hoppe
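The following is an added example, not code from the deck or from Auth0: it ties slides 2 to 4 together by modelling an OAuth 2.0 authorization-code client as a finite-state machine whose allowed transitions are an explicit table, binding the `state` parameter to the cookie-backed server-side session, and emitting the machine plus the observed trace as DOT for GraphViz. The authorization endpoint, the registered redirect URI, the client id and the token-exchange stand-in are assumptions made for the example.

```python
"""Added example (not from the deck): an OAuth 2.0 authorization-code client as
an FSM with cookie-bound state.  URIs and identifiers below are assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example/authorize"     # assumed authorization server
REGISTERED_REDIRECT = "https://client.example/cb"   # assumed registered redirect_uri

# Each prompt the user agent can be sitting at is a state of one client session.
IDLE, AUTH_REQUESTED, CODE_RECEIVED, TOKEN_OBTAINED = (
    "IDLE", "AUTH_REQUESTED", "CODE_RECEIVED", "TOKEN_OBTAINED")

# The only transitions the protocol allows: (current state, event) -> next state.
# A callback with no pending request, a replayed callback or a second redemption
# has no entry here and is rejected.
ALLOWED = {
    (IDLE, "start"): AUTH_REQUESTED,
    (AUTH_REQUESTED, "callback"): CODE_RECEIVED,
    (CODE_RECEIVED, "redeem"): TOKEN_OBTAINED,
}


class ProtocolViolation(Exception):
    """Raised when a request would take the session off the allowed machine."""


class OAuthClientSession:
    """State held server-side for one user agent, keyed by its session cookie."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.fsm = IDLE
        self.state = None   # CSRF token; lives only in this cookie-bound session
        self.code = None
        self.trace = []     # (from_state, event, to_state) for DOT rendering

    def _next(self, event):
        """Look up the transition without committing to it."""
        try:
            return ALLOWED[(self.fsm, event)]
        except KeyError:
            raise ProtocolViolation(f"{event!r} not allowed in state {self.fsm}") from None

    def _commit(self, event, new_state):
        self.trace.append((self.fsm, event, new_state))
        self.fsm = new_state

    def start(self):
        """Build the authorization request URL and remember the fresh state value."""
        new_state = self._next("start")
        self.state = secrets.token_urlsafe(32)
        query = {"response_type": "code", "client_id": self.client_id,
                 "redirect_uri": REGISTERED_REDIRECT, "state": self.state}
        self._commit("start", new_state)
        return f"{AUTHZ_ENDPOINT}?{urlencode(query)}"

    def callback(self, url):
        """Handle the redirect back.  Rejects a callback with nothing pending
        (fixation or replay), one on an unregistered URI (open redirect) and a
        state that is not this session's (CSRF).  Nothing moves until all pass."""
        new_state = self._next("callback")
        parts = urlsplit(url)
        if f"{parts.scheme}://{parts.netloc}{parts.path}" != REGISTERED_REDIRECT:
            raise ProtocolViolation("callback arrived on an unregistered redirect_uri")
        query = parse_qs(parts.query)
        incoming = query.get("state", [""])[0].encode()
        if self.state is None or not hmac.compare_digest(incoming, self.state.encode()):
            raise ProtocolViolation("state mismatch: CSRF or session fixation")
        if "code" not in query:
            raise ProtocolViolation("callback carries no authorization code")
        self.state = None          # single use: a replayed callback must fail
        self.code = query["code"][0]
        self._commit("callback", new_state)

    def redeem(self, exchange):
        """Redeem the code exactly once.  `exchange(code, redirect_uri)` is the
        caller's token-endpoint call; the demo passes a constructed stand-in."""
        new_state = self._next("redeem")
        token = exchange(self.code, REGISTERED_REDIRECT)
        self.code = None
        self._commit("redeem", new_state)
        return token


def to_dot(trace, name="oauth_client"):
    """Render the allowed machine as DOT, highlighting transitions seen in `trace`."""
    observed = {(src, dst) for src, _, dst in trace}
    lines = [f"digraph {name} {{", "  rankdir=LR;"]
    for (src, event), dst in ALLOWED.items():
        style = " style=bold color=darkgreen" if (src, dst) in observed else ""
        lines.append(f'  {src} -> {dst} [label="{event}"{style}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    session = OAuthClientSession("demo-client")           # assumed client id
    session.start()
    session.callback(f"{REGISTERED_REDIRECT}?code=demo-code&state={session.state}")
    session.redeem(lambda code, uri: {"access_token": "demo-token"})  # constructed stand-in
    print(to_dot(session.trace))
```

The transition table is the FSM from slide 3 and the `_next`/`_commit` split is the instrumentation point from slide 4: every accepted transition lands in `trace`, and `to_dot` turns that into a graph that `dot -Tpng` can render, with the path actually exercised drawn in bold. The three rejections in `callback` correspond to the three failure modes listed on slide 2; a login-CSRF attempt (the attacker's own callback URL opened in the victim's browser) fails the state comparison because the state lives in the victim's cookie-bound session, not in the URL alone.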