Yevhen Teleshyk - OAuth Phishing

OWASP Kyiv

March 04, 2018

Transcript

  1. Yevhen Teleshyk
    Phishing Threats to
    Cloud Users

  2. Phishing
    - spear phishing
    - clone phishing
    - whaling

  3. OAuth2
    [Diagram of the OAuth2 abstract flow (RFC 6749), reconstructed from the slide's labels:]
    Application -> Resource owner: Authorization request
    Resource owner -> Application: Authorization grant
    Application -> Authorization server: Authorization grant
    Authorization server -> Application: Access Token
    Application -> Resource Server: Access Token
    Resource Server -> Application: Protected Resource

  4. Registration

  5. Authorization request
    [Diagram: Application -> Resource owner: Authorization request]
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={}&redirect_uri={}&scope={}

  6. Scopes

  7. Authorization grant

  8. OAuth2
    [Diagram: Authorization server -> Application: Access Token]

  9. JWT
    JWT=
    JWT = base64url(header) . base64url(payload) . base64url(signature)
    Header = {"typ","nonce","alg","x5t","kid"}
    Payload = {"aud":"https://graph.microsoft.com","iss","iat","nbf",
    "exp","acr","aio","amr","app_displayname","appid","appidacr",
    "family_name","given_name","ipaddr","name","oid","onprem_sid",
    "platf","puid","scp","sub","tid","unique_name","upn","uti","ver"}
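    Reading these claims is how a defender spots a consent-phishing grant: appid, app_displayname and scp show which third-party application was authorised for which mailbox scopes (the scope parameter from the request on slide 5), and aud, iss and exp show whether the token is even the one expected. The following Python is an added example, not code from the deck; it splits a compact JWT without verifying it and reviews the claims against assumed expectations (an expected audience, an issuer prefix, an allow-list of known appids, and a constructed watchlist of mailbox scopes). The sample token and every id in it are constructed placeholders.

```python
import base64
import json
import time

# Delegated scopes that give a consented app standing mailbox access (constructed watchlist).
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"}

def b64url_decode(segment):  # JWT segments omit base64 padding; restore it first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):  # only used to build the constructed sample token below
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def split_jwt(token):
    """Return (header, claims, signature_segment); nothing is verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]

def review_token(token, expected_aud, issuer_prefix, known_appids, now=None):
    """Return findings a defender would act on (revoke the grant, alert)."""
    now = int(time.time()) if now is None else now
    header, claims, sig = split_jwt(token)
    findings = []
    if str(header.get("alg", "none")).lower() == "none" or not sig:
        findings.append("unsigned token: alg=none or empty signature")
    if claims.get("aud") != expected_aud:
        findings.append("aud %r is not %r" % (claims.get("aud"), expected_aud))
    if not str(claims.get("iss", "")).startswith(issuer_prefix):
        findings.append("iss %r is outside %r" % (claims.get("iss"), issuer_prefix))
    if claims.get("exp", 0) <= now:
        findings.append("token expired (exp <= now)")
    # scp is a space-separated list of delegated scopes granted to the app
    risky = sorted(set(str(claims.get("scp", "")).split()) & MAILBOX_SCOPES)
    if risky and claims.get("appid") not in known_appids:
        findings.append("unknown app %r (%r) holds %s" % (
            claims.get("appid"), claims.get("app_displayname"), risky))
    return findings

# Constructed sample: an unknown app with a Microsoft-sounding name granted mailbox scopes.
SAMPLE_TOKEN = ".".join([
    b64url_encode({"typ": "JWT", "alg": "none"}),
    b64url_encode({"aud": "https://graph.microsoft.com", "exp": 1520003600,
                   "iss": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
                   "appid": "APPID-PLACEHOLDER", "app_displayname": "Office 365 Sync",
                   "scp": "Mail.Read Mail.ReadWrite offline_access User.Read"}),
    "",  # no signature segment
])
```

    Running review_token(SAMPLE_TOKEN, "https://graph.microsoft.com", "https://sts.windows.net/", {"KNOWN-APPID"}, 1520000100) yields two findings: the token is unsigned, and an unlisted app holds mailbox scopes.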

  10. Revoking

  11. Questions?

  12. References:
    • https://tools.ietf.org/html/rfc6749
    • https://msdn.microsoft.com/en-us/office/office365/api/mail-rest-operations
    • https://docs.microsoft.com/en-us/outlook/rest/node-tutorial#using-the-mail-api
    • https://www.elevenpaths.com/new-ransomcloud-o365-report/index.html