Hacking OAuth 2.0

965caf9e63a25fa66d75b49ea87604cb?s=47 Marcin Hoppe
October 13, 2019
Programming
0
26

Hacking OAuth 2.0

965caf9e63a25fa66d75b49ea87604cb?s=128

Marcin Hoppe

October 13, 2019
Tweet

Want more?

965caf9e63a25fa66d75b49ea87604cb?s=48 marcinhoppe
0
8
965caf9e63a25fa66d75b49ea87604cb?s=48 marcinhoppe
0
25
965caf9e63a25fa66d75b49ea87604cb?s=48 marcinhoppe
0
100
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
4
200
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
97
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
85
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
5
180
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
5
170
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
2
230
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
3
450
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
120
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
210

Transcript

  1. 1.

    Hacking
 
 
 OAuth 2.0 @marcin_hoppe

  2. 2.

    Past, present, and future @marcin_hoppe ... told by one security

    team
  3. 3.

    IDaaS Identity protocols Product security team @marcin_hoppe

  4. 4.

    Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT

    WS-Federation
  5. 5.

    @marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code

    access token
  6. 6.

    How to test for security flaws? @marcin_hoppe

  7. 7.

    Existing resources Security considerations in RFCs Threat model RFC and

    security BCP Formal security model @marcin_hoppe
  8. 8.

    Good enough? @marcin_hoppe

  9. 9.

    No, but a great start! @marcin_hoppe

  10. 10.

    OAuth attack library Structured attack documentation Useful for offensive security

    crowd Automation! @marcin_hoppe
  11. 11.
    None
  12. 12.

    Meanwhile in the real world... @marcin_hoppe

  13. 13.

    Redirects are tricky Cookies + state binding in URL UA

    navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
  14. 14.

    Existing resources are generic! @marcin_hoppe

  15. 15.
    None
  16. 16.
    None
  17. 17.
    None
  18. 18.
    None
  19. 19.
    None
  20. 20.
    None
  21. 21.
    None
  22. 22.
    None
  23. 23.

    Generic threat models do not cover this complexity! @marcin_hoppe

  24. 24.

    Protocols as FSMs Each prompt is a state Only some

    state transitions allowed Security properties for states and transitions @marcin_hoppe
  25. 25.

    How to generate FSMs? Source: ideal but difficult Runtime: test

    instrumentation DOT language + GraphViz @marcin_hoppe
  26. 26.

    Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs

    @marcin_hoppe
  27. 27.

    Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent

  28. 28.

    How to analyze FSMs? Threat modeling: STRIDE State bypass Session

    management @marcin_hoppe
  29. 29.

    Takeaways Protocol testing is hard Existing resources: useful but generic

    FSMs help with specific systems @marcin_hoppe
  30. 30.

    Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group

    Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
  31. 31.

    Ask me anything! @marcin_hoppe