Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking OAuth 2.0

Avatar for Marcin Hoppe Marcin Hoppe
October 13, 2019
Programming
0
53

Hacking OAuth 2.0

Avatar for Marcin Hoppe

Marcin Hoppe

October 13, 2019
Tweet

More Decks by Marcin Hoppe

See All by Marcin Hoppe
Przepraszam, czy można?
Avatar for Marcin Hoppe marcinhoppe
0
31
Problemy z JSON Web Tokens ... i garść rozwiązań
Avatar for Marcin Hoppe marcinhoppe
0
64
JSON Web Tokens. Problemy i rozwiązania
Avatar for Marcin Hoppe marcinhoppe
0
130

Other Decks in Programming

See All in Programming
MDN Web Docs に日本語翻訳でコントリビュート
Avatar for uutan1108 ohmori_yusuke
0
650
そのAIレビュー、レビューしてますか? / Are you reviewing those AI reviews?
Avatar for r-kagaya rkaga
6
4.6k
Claude Codeと2つの巻き戻し戦略 / Two Rewind Strategies with Claude Code
Avatar for 果物リン fruitriin
0
110
フロントエンド開発の勘所 -複数事業を経験して見えた判断軸の違い-
Avatar for Yoichiro Kubo heimusu
7
2.8k
要求定義・仕様記述・設計・検証の手引き - 理論から学ぶ明確で統一された成果物定義
Avatar for Kuniwak orgachem
PRO
1
110
【卒業研究】会話ログ分析によるユーザーごとの関心に応じた話題提案手法
Avatar for MomokoShirakawa momok47
0
200
Amazon Bedrockを活用したRAGの品質管理パイプライン構築
Avatar for とすり tosuri13
5
720
AIによるイベントストーミング図からのコード生成 / AI-powered code generation from Event Storming diagrams
Avatar for nrs nrslib
2
1.9k
Grafana:建立系統全知視角的捷徑
Avatar for Blueswen blueswen
0
330
AI時代のキャリアプラン「技術の引力」からの脱出と「問い」へのいざない / tech-gravity
Avatar for MinoDriven minodriven
21
7.3k
Smart Handoff/Pickup ガイド - Claude Code セッション管理
Avatar for rasshii yukiigarashi
0
140
CSC307 Lecture 05
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
500

Featured

See All Featured
Applied NLP in the Age of Generative AI
Avatar for Ines Montani inesmontani
PRO
4
2k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
57
50k
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
110
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
Avatar for konakalab konakalab
0
350
Designing Powerful Visuals for Engaging Learning
Avatar for Mike Taylor tmiket
0
230
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
210
24k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
4.9k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.3M
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8k
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon szymonslowik
1
220
The Spectacular Lies of Maps
Avatar for Per Axbom axbom
PRO
1
520

Transcript

  1. Hacking
 
 
 OAuth 2.0 @marcin_hoppe

  2. Past, present, and future @marcin_hoppe ... told by one security

    team

  3. IDaaS Identity protocols Product security team @marcin_hoppe

  4. Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT

    WS-Federation

  5. @marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code

    access token

  6. How to test for security flaws? @marcin_hoppe

  7. Existing resources Security considerations in RFCs Threat model RFC and

    security BCP Formal security model @marcin_hoppe

  8. Good enough? @marcin_hoppe

  9. No, but a great start! @marcin_hoppe

  10. OAuth attack library Structured attack documentation Useful for offensive security

    crowd Automation! @marcin_hoppe
  11. None

  12. Meanwhile in the real world... @marcin_hoppe

  13. Redirects are tricky Cookies + state binding in URL UA

    navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe

  14. Existing resources are generic! @marcin_hoppe

  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None

  23. Generic threat models do not cover this complexity! @marcin_hoppe

  24. Protocols as FSMs Each prompt is a state Only some

    state transitions allowed Security properties for states and transitions @marcin_hoppe

  25. How to generate FSMs? Source: ideal but difficult Runtime: test

    instrumentation DOT language + GraphViz @marcin_hoppe

  26. Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs

    @marcin_hoppe

  27. Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent

  28. How to analyze FSMs? Threat modeling: STRIDE State bypass Session

    management @marcin_hoppe

  29. Takeaways Protocol testing is hard Existing resources: useful but generic

    FSMs help with specific systems @marcin_hoppe

  30. Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group

    Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe

  31. Ask me anything! @marcin_hoppe