Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking OAuth 2.0

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Marcin Hoppe Marcin Hoppe
October 13, 2019
Programming
0
53

Hacking OAuth 2.0

Avatar for Marcin Hoppe

Marcin Hoppe

October 13, 2019
Tweet

More Decks by Marcin Hoppe

See All by Marcin Hoppe
Przepraszam, czy można?
Avatar for Marcin Hoppe marcinhoppe
0
31
Problemy z JSON Web Tokens ... i garść rozwiązań
Avatar for Marcin Hoppe marcinhoppe
0
64
JSON Web Tokens. Problemy i rozwiązania
Avatar for Marcin Hoppe marcinhoppe
0
130

Other Decks in Programming

See All in Programming
ぼくの開発環境2026
Avatar for yuzneri yuzneri
0
230
MDN Web Docs に日本語翻訳でコントリビュート
Avatar for uutan1108 ohmori_yusuke
0
650
Rust 製のコードエディタ “Zed” を使ってみた
Avatar for NearMeの技術発表資料です nearme_tech
PRO
0
180
CSC307 Lecture 08
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
670
今から始めるClaude Code超入門
Avatar for 448jp | OKI Yoshiya 448jp
8
8.8k
izumin5210のプロポーザルのネタ探し #tskaigi_msup
Avatar for izumin5210 izumin5210
1
130
CSC307 Lecture 09
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
840
プロダクトオーナーから見たSOC2 _SOC2ゆるミートアップ#2
Avatar for Kenta Suzuki kekekenta
0
220
CSC307 Lecture 07
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
550
今こそ知るべき耐量子計算機暗号(PQC)入門 / PQC: What You Need to Know Now
Avatar for mackey0225 mackey0225
3
380
Smart Handoff/Pickup ガイド - Claude Code セッション管理
Avatar for rasshii yukiigarashi
0
140
Honoを使ったリモートMCPサーバでAIツールとの連携を加速させる!
Avatar for とすり tosuri13
1
180

Featured

See All Featured
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
58k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
273
27k
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
527
40k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
Avatar for Greg Gifford greggifford
PRO
0
78
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
500
Kristin Tynski - Automating Marketing Tasks With AI
Avatar for Tech SEO Connect techseoconnect
PRO
0
140
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
240
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
2
260
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
37
7.1k

Transcript

  1. Hacking
 
 
 OAuth 2.0 @marcin_hoppe

  2. Past, present, and future @marcin_hoppe ... told by one security

    team

  3. IDaaS Identity protocols Product security team @marcin_hoppe

  4. Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT

    WS-Federation

  5. @marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code

    access token

  6. How to test for security flaws? @marcin_hoppe

  7. Existing resources Security considerations in RFCs Threat model RFC and

    security BCP Formal security model @marcin_hoppe

  8. Good enough? @marcin_hoppe

  9. No, but a great start! @marcin_hoppe

  10. OAuth attack library Structured attack documentation Useful for offensive security

    crowd Automation! @marcin_hoppe
  11. None

  12. Meanwhile in the real world... @marcin_hoppe

  13. Redirects are tricky Cookies + state binding in URL UA

    navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe

  14. Existing resources are generic! @marcin_hoppe

  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None

  23. Generic threat models do not cover this complexity! @marcin_hoppe

  24. Protocols as FSMs Each prompt is a state Only some

    state transitions allowed Security properties for states and transitions @marcin_hoppe

  25. How to generate FSMs? Source: ideal but difficult Runtime: test

    instrumentation DOT language + GraphViz @marcin_hoppe

  26. Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs

    @marcin_hoppe

  27. Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent

  28. How to analyze FSMs? Threat modeling: STRIDE State bypass Session

    management @marcin_hoppe

  29. Takeaways Protocol testing is hard Existing resources: useful but generic

    FSMs help with specific systems @marcin_hoppe

  30. Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group

    Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe

  31. Ask me anything! @marcin_hoppe