Is OAuth Really Secure?

IBWAS’10 Bruno Pedro17 November 2010Is OAuth ReallySecure? http://www.ﬂickr.com/photos/rooreynolds/2396418896/

Bruno PedroA n e x p e r i e n c e d We b d e v e l o p e r a n dentrepreneur. Co-founder of tarpipe.com, asocial media publishing platform.http://tarpipe.com/user/bpedro

Summary• What is OAuth?• Possible OWASP Top 10 threats• Possible solutions• Questions

What is OAuth?1. Authorization protocol (RFC 5849)

What is OAuth?2. Built on top of Google AuthSub, Flickr Auth and others http://tinyurl.com/3yhys4n

What is OAuth?3. Authentication solution

What is OAuth?4. Available for Web, desktop and also mobile and device applications

A1 - Injection ask for tokenconsumer provider receive token

A1 - Injection ask for tokenmer provider ve rif yt receive token ok en database potential injection

A3 - Broken authentication consumer API call provider access token access secret• Weak or open access token and secret• Possible user impersonation

A5 - CSRF http://tinyurl.com/38o3r93• End point might be open to CSRF• Possible user impersonation

A7 - InsecureCryptographic Storageconsumer tokens provider database database

A7 - Insecure Cryptographic Storage access to access tomer consumer all consumers prov users and all users database database

A10 - Unvalidated redirects• After authorizing, user is redirected to a callback URL• Callback might be an arbitrary value

Probably safeA2 — Cross Site ScriptingA4 — Insecure Direct Object ReferenceA6 — Security MisconﬁgurationA8 — Failure to Restrict URL AccessA9 — Insuﬁcient Transport Layer Protection

Pay attention toA1 — InjectionA3 — Broken AuthenticationA5 — Cross Site Request ForgeryA7 — Insecure Cryptographic StorageA10 — Unvalidated Redirects

Possible solutions• Encrypt all OAuth credentials mitigates A3 and A7

Possible solutions• Generate veriﬁable consumer keys mitigates A1

Possible solutions• Throttle undesired usage mitigates A1 and A3

More information• OAuth: http://oauth.net• OWASP: http://owasp.org• OAuth Checklist: http://oauthchecklist.org

Questions? Thank you!

http://unfoldingtheweb.com	93
http://paper.li	2
http://www.linkedin.com	2
http://twitter.com	1
http://web1.conversationminer.com	1
http://feeds.feedburner.com	1

Is OAuth Really Secure?

by Bruno Pedro on Dec 17, 2010

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 100

Statistics

Is OAuth Really Secure? Presentation Transcript