OAuth 2.0 & Security Considerations
TRANSCRIPT
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OAuth 2.0 & Security Considerations
Vaibhav Gupta
Twitter: @VaibhavGupta_1
Blog: exploits.work
Delhi Chapter Meet – 30 July 2016
Agenda
Agenda (recursion! #GeekHumour :-P)
Problem Statement: Why OAuth?
What is OAuth?
Typical OAuth Dance
Let's talk security!
Disclaimer!
OAuth has a lot of stuff to cover and, given the time constraints, I will stick to the important ones.
Problem Statement: Why OAuth?
Password sharing anti-pattern
Resource owner (You!)
Client (Photo Printing Service)
Protected Resource (facebook.com)
Aim: To give the client access to the protected resource on behalf of the resource owner
What is OAuth
Authorization (not authentication!) framework
Security delegation protocol
Based on tokens
How to "get token" and how to "use token"
So you think I am understanding it!!
Typical OAuth 2.0 Dance Party!
Here are the invitees:
Resource owner
Protected resource
Client
Authorization server
Image: OAuth 2 in action
Image: OAuth 2 in action
Let’s Talk Security!
CSRF – "state" parameter [Client Vuln]
<img src="https://photoprinting.local/callback?code=Attacker_Auth_Code">
Image: OAuth 2 in action
"redirect_uri" mismatch [Auth Server Vuln.]
How about stealing the auth code from the Referer header?
A lot of others!! (time constraint)
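Added example (not from the slides): the two defences the last two slides point at, in Python. The client mints a random "state", binds it to the user's session and refuses any callback that does not carry it back (so the forged callback URL from the CSRF slide is dropped), and the authorization server compares the requested redirect_uri to the registered one by exact string equality. The callback URL is the slide's; the authorization server host, the client id and the dict standing in for a server-side session are assumptions.

```python
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: the slide's client callback plus an assumed authorization server.
AUTHZ_ENDPOINT = "https://authz.local/authorize"       # assumed, not on the slide
CLIENT_ID = "photo-printing"                           # assumed client id
REDIRECT_URI = "https://photoprinting.local/callback"  # from the slide


def begin_authorization(session: Dict[str, str]) -> str:
    """Client, step 1: mint an unguessable state, bind it to this user's
    session, and build the authorization request that carries it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: Dict[str, str], callback_url: str) -> Optional[str]:
    """Client, step 2: accept the authorization code only when the callback
    carries the state stored for this session. A forged callback such as
    /callback?code=Attacker_Auth_Code has no (or a wrong) state and is dropped.
    Returns the code on success, None on rejection."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: never accept a replay
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not secrets.compare_digest(expected.encode(), received.encode()):
        return None
    return query.get("code", [None])[0]


def redirect_uri_allowed(registered: List[str], requested: str) -> bool:
    """Authorization server side: compare the requested redirect_uri against
    the client's registered URIs by exact string equality. Prefix, substring
    or "same host" matching is what lets a code be delivered to the wrong place."""
    return requested in registered
```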
References
OAuth 2.0 Specs: http://tools.ietf.org/html/rfc6749
OAuth 2.0 – Threat model: https://tools.ietf.org/html/rfc6819
Book: “OAuth 2 in Action” by Justin Richer and Antonio Sanso
Questions?