Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking OAuth 2.0

Avatar for Marcin Hoppe Marcin Hoppe
October 13, 2019
Programming
0
53

Hacking OAuth 2.0

Avatar for Marcin Hoppe

Marcin Hoppe

October 13, 2019
Tweet

More Decks by Marcin Hoppe

See All by Marcin Hoppe
Przepraszam, czy można?
Avatar for Marcin Hoppe marcinhoppe
0
31
Problemy z JSON Web Tokens ... i garść rozwiązań
Avatar for Marcin Hoppe marcinhoppe
0
64
JSON Web Tokens. Problemy i rozwiązania
Avatar for Marcin Hoppe marcinhoppe
0
130

Other Decks in Programming

See All in Programming
CSC307 Lecture 03
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
490
Spinner 軸ズレ現象を調べたらレンダリング深淵に飲まれた #レバテックMeetup
Avatar for 弁護士ドットコム bengo4com
1
230
Data-Centric Kaggle
Avatar for ねぼすけAI isax1015
2
770
AI Agent の開発と運用を支える Durable Execution #AgentsInProd
Avatar for izumin5210 izumin5210
7
2.3k
Unicodeどうしてる? PHPから見たUnicode対応と他言語での対応についてのお伺い
Avatar for てきめん tekimen youkidearitai
PRO
1
2.5k
CSC307 Lecture 01
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
690
0→1 フロントエンド開発 Tips🚀 #レバテックMeetup
Avatar for 弁護士ドットコム bengo4com
0
570
フルサイクルエンジニアリングをAI Agentで全自動化したい 〜構想と現在地〜
Avatar for Kaito Minatoya kamina_zzz
0
400
そのAIレビュー、レビューしてますか? / Are you reviewing those AI reviews?
Avatar for r-kagaya rkaga
6
4.6k
FOSDEM 2026: STUNMESH-go: Building P2P WireGuard Mesh Without Self-Hosted Infrastructure
Avatar for Date Huang tjjh89017
0
170
Vibe Coding - AI 驅動的軟體開發
Avatar for Micky Li mickyp100
0
180
Implementation Patterns
Avatar for Denys Poltorak denyspoltorak
0
290

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
14k
Ethics towards AI in product and experience design
Avatar for Skipper Chong Warson skipperchong
2
190
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
140
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1.1k
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
4.9k
Lightning Talk: Beautiful Slides for Beginners
Avatar for Ines Montani inesmontani
PRO
1
440
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
9.5k
Mind Mapping
Avatar for Hélio Medeiros helmedeiros
PRO
0
86
State of Search Keynote: SEO is Dead Long Live SEO
Avatar for Ryan Jones ryanjones
0
120
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
9.9k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
910

Transcript

  1. Hacking
 
 
 OAuth 2.0 @marcin_hoppe

  2. Past, present, and future @marcin_hoppe ... told by one security

    team

  3. IDaaS Identity protocols Product security team @marcin_hoppe

  4. Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT

    WS-Federation

  5. @marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code

    access token

  6. How to test for security flaws? @marcin_hoppe

  7. Existing resources Security considerations in RFCs Threat model RFC and

    security BCP Formal security model @marcin_hoppe

  8. Good enough? @marcin_hoppe

  9. No, but a great start! @marcin_hoppe

  10. OAuth attack library Structured attack documentation Useful for offensive security

    crowd Automation! @marcin_hoppe
  11. None

  12. Meanwhile in the real world... @marcin_hoppe

  13. Redirects are tricky Cookies + state binding in URL UA

    navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe

  14. Existing resources are generic! @marcin_hoppe

  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None

  23. Generic threat models do not cover this complexity! @marcin_hoppe

  24. Protocols as FSMs Each prompt is a state Only some

    state transitions allowed Security properties for states and transitions @marcin_hoppe

  25. How to generate FSMs? Source: ideal but difficult Runtime: test

    instrumentation DOT language + GraphViz @marcin_hoppe

  26. Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs

    @marcin_hoppe

  27. Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent

  28. How to analyze FSMs? Threat modeling: STRIDE State bypass Session

    management @marcin_hoppe

  29. Takeaways Protocol testing is hard Existing resources: useful but generic

    FSMs help with specific systems @marcin_hoppe

  30. Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group

    Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe

  31. Ask me anything! @marcin_hoppe