Is OAuth Really Secure?

Slides from a talk I gave at IBWAS'10 in Lisbon, Portugal.

Abstract:
Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as RFC 5849 and is being widely adopted by large Internet companies, it is important to stress its possible security vulnerabilities.
This talk will focus on the OWASP Top 10 Application Security Risks and how OAuth is affected by them.

While some of the security risks are mitigated by OAuth, developers need to take some action to prevent other risks from affecting their implementations.

Published in: Technology
Speaker notes (by slide number):
  • Slide 4: RFC only published in April 2010
  • Slide 5: Authorization - used most of the time. Authentication - 2-legged OAuth, “sign in with twitter”, not to be confused with OpenID. Built as an Open Protocol on top of already existing solutions (Amazon, Yahoo)
  • Slide 9: Possible solution: verify tokens prior to database
  • Slide 10: Possible solutions: crypto, throttle
  • Slide 11: Possible solution: any CSRF solution
  • Slide 13: Solution: crypto and more
  • Slide 14: Possible solution: fix callback to same domain or even same page
  • Slide 17: A3 - Broken authentication, A7 - Insecure cryptographic storage
  • Slide 18: A1 - Injection
  • Slide 19: A1 - Injection, A3 - Broken authentication
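The notes for slides 9 and 10 suggest verifying tokens before they reach the database and throttling undesired usage. The following Python is an added example written for this page, not code from the talk or from tarpipe: the provider issues tokens that carry an HMAC tag, so any string it did not issue (including an injection payload) is rejected before a database query is built, and a per-consumer sliding-window throttle caps request rates. The token layout, SERVER_TAG_KEY, the Throttle class and the TOKEN_DB stand-in are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from collections import deque

# Assumption for this example: a provider-side key used only to tag tokens.
# It never goes into the database; a real deployment loads it from a secret store.
SERVER_TAG_KEY = b"example-provider-tag-key-not-a-real-secret"

# Token layout assumed here: 32 hex chars of randomness, a dot, 16 hex chars of HMAC tag.
TOKEN_RE = re.compile(r"[0-9a-f]{32}\.[0-9a-f]{16}")


def _tag(body: str, tag_key: bytes) -> str:
    """Truncated HMAC-SHA256 over the random part of the token."""
    return hmac.new(tag_key, body.encode(), hashlib.sha256).hexdigest()[:16]


def issue_token(tag_key: bytes = SERVER_TAG_KEY) -> str:
    """Return a new token whose origin the provider can check without a lookup."""
    body = secrets.token_hex(16)  # 128 bits of randomness
    return f"{body}.{_tag(body, tag_key)}"


def token_is_wellformed(token, tag_key: bytes = SERVER_TAG_KEY) -> bool:
    """True only for a string this provider issued; cheap, and no database involved."""
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        return False  # wrong shape, wrong length, or trailing garbage such as "' OR '1'='1"
    body, tag = token.split(".")
    # Constant-time comparison so the tag check does not leak timing information.
    return hmac.compare_digest(tag, _tag(body, tag_key))


class Throttle:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per consumer key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable for tests
        self._hits = {}

    def allow(self, consumer_key: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(consumer_key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop hits that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Constructed stand-in for the provider's token table: token -> owning consumer key.
TOKEN_DB = {}


def lookup_token(consumer_key: str, token, throttle: Throttle) -> str:
    """Order of checks: throttle, then token shape, and only then the database."""
    if not throttle.allow(consumer_key):
        return "throttled"
    if not token_is_wellformed(token):
        return "rejected"  # never reaches the database
    return "found" if TOKEN_DB.get(token) == consumer_key else "unknown"
```

The format check is not a substitute for parameterised queries; it simply guarantees that only provider-issued strings are ever used as lookup keys, which removes the attack surface the slide's diagram points at. The throttle is per consumer key, so a consumer that floods the token endpoint is cut off without affecting others.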

Slide transcript:

1. IBWAS’10, Bruno Pedro, 17 November 2010. Is OAuth Really Secure? (image: http://www.flickr.com/photos/rooreynolds/2396418896/)
2. Bruno Pedro: An experienced Web developer and entrepreneur. Co-founder of tarpipe.com, a social media publishing platform. http://tarpipe.com/user/bpedro
3. Summary: What is OAuth? Possible OWASP Top 10 threats. Possible solutions. Questions.
4. What is OAuth? 1. Authorization protocol (RFC 5849)
5. What is OAuth? 2. Built on top of Google AuthSub, Flickr Auth and others (http://tinyurl.com/3yhys4n)
6. What is OAuth? 3. Authentication solution
7. What is OAuth? 4. Available for Web, desktop and also mobile and device applications
8. A1 - Injection. Diagram: the consumer asks the provider for a token and receives a token.
9. A1 - Injection. Diagram: the consumer asks the provider for a token; the provider verifies the token against its database (potential injection); the consumer receives a token.
10. A3 - Broken authentication. Diagram: the consumer makes an API call to the provider using the access token and access secret. Weak or open access token and secret; possible user impersonation.
11. A5 - CSRF (http://tinyurl.com/38o3r93). End point might be open to CSRF; possible user impersonation.
12. A7 - Insecure Cryptographic Storage. Diagram: the consumer and the provider each store tokens in their own database.
13. A7 - Insecure Cryptographic Storage. Diagram: the consumer's database gives access to all of its users; the provider's database gives access to all consumers and all users.
14. A10 - Unvalidated redirects. After authorizing, the user is redirected to a callback URL; the callback might be an arbitrary value.
15. Probably safe: A2 — Cross Site Scripting; A4 — Insecure Direct Object Reference; A6 — Security Misconfiguration; A8 — Failure to Restrict URL Access; A9 — Insufficient Transport Layer Protection
16. Pay attention to: A1 — Injection; A3 — Broken Authentication; A5 — Cross Site Request Forgery; A7 — Insecure Cryptographic Storage; A10 — Unvalidated Redirects
17. Possible solutions: Encrypt all OAuth credentials (mitigates A3 and A7)
18. Possible solutions: Generate verifiable consumer keys (mitigates A1)
19. Possible solutions: Throttle undesired usage (mitigates A1 and A3)
20. More information: OAuth: http://oauth.net; OWASP: http://owasp.org; OAuth Checklist: http://oauthchecklist.org
21. Questions? Thank you!
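Slide 14 flags the callback URL as an unvalidated redirect, and the speaker note proposes fixing the callback to the same domain or even the same page. The Python below is an added example for this page, not code from the talk: a provider-side check that accepts an oauth_callback value only if it points back to the URL the consumer registered, comparing scheme, host and port explicitly and normalising the path so that userinfo tricks, scheme downgrades, port changes and ".." segments are all refused. REGISTERED_CALLBACK and the same_page switch are assumptions; the "oob" value is the out-of-band callback defined by RFC 5849.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed example: the callback URL a consumer registered with the provider.
REGISTERED_CALLBACK = "https://app.example/oauth/callback"


def _origin(parts):
    """(scheme, host, port) for a split URL; reading .port raises ValueError on junk."""
    default_port = 443 if parts.scheme.lower() == "https" else 80
    port = parts.port if parts.port is not None else default_port
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def callback_is_allowed(callback, registered=REGISTERED_CALLBACK, same_page=False):
    """Accept oauth_callback only if it leads back to the registered consumer URL.

    Default policy (the note's "same domain"): https only, identical host and
    port, and a path at or below the registered path.  With same_page=True the
    path must be identical; the query string may still differ so the consumer
    can carry its own state through the redirect.
    """
    if callback == "oob":
        return True  # RFC 5849 out-of-band flow: no redirect is performed at all
    if not isinstance(callback, str):
        return False
    try:
        cb, reg = urlsplit(callback), urlsplit(registered)
        cb_origin, reg_origin = _origin(cb), _origin(reg)
    except ValueError:
        return False
    if cb_origin[0] != "https" or not cb_origin[1]:
        return False  # no downgrade to http, no relative or scheme-less values
    # https://app.example@evil.example/ parses with hostname evil.example; a naive
    # substring check on the netloc would be fooled, so refuse userinfo outright.
    if cb.username is not None or cb.password is not None:
        return False
    if cb_origin != reg_origin:
        return False  # different host or port
    if cb.fragment:
        return False
    # Collapse "." and ".." so /oauth/callback/../../admin cannot escape the prefix.
    cb_path = posixpath.normpath(cb.path or "/")
    reg_path = posixpath.normpath(reg.path or "/")
    if same_page:
        return cb_path == reg_path
    return cb_path == reg_path or cb_path.startswith(reg_path.rstrip("/") + "/")
```

The comparison is against a registered value, not against a pattern supplied in the request, so the consumer's registration step is what fixes the domain; the provider then only has to decide how much path freedom to grant below it.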