Successfully reported this slideshow.

Is OAuth Really Secure?

5

Share

Dec. 17, 2010
5 likes 6,333 views
Upcoming SlideShare
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Loading in …3
×
1 of 21
1 of 21

Is OAuth Really Secure?

Dec. 17, 2010
5 likes 6,333 views

5

Share

Download to read offline

Technology

Slides from a talk I gave at IBWAS'10 in Lisbon, Portugal.

Abstract:
Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as the RFC 5849 and is being widely adopted by large Internet companies, it's important to stress out its possible security vulnerabilities.
This talk will focus on the OWASP Top 10 Application Security Risks and how OAuth is affected by them.

While some of the security risks are mitigated by OAuth, developers need to take some action to prevent other risks from affecting their implementations.

Slides from a talk I gave at IBWAS'10 in Lisbon, Portugal.

Abstract:
Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as the RFC 5849 and is being widely adopted by large Internet companies, it's important to stress out its possible security vulnerabilities.
This talk will focus on the OWASP Top 10 Application Security Risks and how OAuth is affected by them.

While some of the security risks are mitigated by OAuth, developers need to take some action to prevent other risks from affecting their implementations.

Technology

Recommended

More Related Content

Similar to Is OAuth Really Secure?

Kerberos
Sparkbit
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
Sam Bowne
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
Stateless Auth using OAuth2 & JWT
Gaurav Roy
My app is secure... I think
Wim Godden
Secure Web Services
Rob Daigneau
Oauth
立晨 代
Spring4 security oauth2
axykim00
Owasp mobile top 10
Pawel Rzepa
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
Twitter OAuth With C#/.NET Code
Mohamed Meligy
Web 2.0: The How Of OAuth
nullstyle
Presentation sso design_security
Marco Morana
Applying OWASP web security testing guide (OWSTG)
Vandana Verma
My app is secure... I think
Wim Godden
NMI15 Filip Chytrý – Internet věcí a jeho potenciální bezpečnostní rizika
New Media Inspiration
Essential security measures in ASP.NET MVC
Rafał Hryniewski
The Identity Problem of the Web and how to solve it
Bastian Hofmann
Spring security oauth2
axykim00
1000 ways to die in mobile oauth
Priyanka Aash

More from Bruno Pedro

What are Web APIs
Bruno Pedro
Growing your business with an API
Bruno Pedro
Product growth with an API
Bruno Pedro
How to grow your business with an API
Bruno Pedro
APIs Love to Chat
Bruno Pedro
How to Automate API Testing
Bruno Pedro
Asynchronous Microservices in nodejs
Bruno Pedro
How to Automate API Discovery
Bruno Pedro
Api Design & The Paris Subway
Bruno Pedro
The importance of /me
Bruno Pedro
Maintainable consumers
Bruno Pedro
API Code Generation
Bruno Pedro
Bridging the Gap Between APIs and Customers
Bruno Pedro
Who's using your API?
Bruno Pedro
node-fs
Bruno Pedro
Link extraction and classification
Bruno Pedro
tarpipe WordPress plugin demo
Bruno Pedro
OAuth checklist
Bruno Pedro
Everything OAuth
Bruno Pedro
The Executable Web
Bruno Pedro

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Understanding Media: The Extensions of Man Marshall McLuhan
(4/5)
Free
The Art of War Sun Tsu
(3/5)
Free
The Victorian Internet: The Remarkable Story of the Telegraph and the Nineteenth Century's On-line Pioneers Tom Standage
(3.5/5)
Free
Uncommon Carriers John McPhee
(3.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free

Is OAuth Really Secure?

  1. 1. IBWAS’10 Bruno Pedro 17 November 2010 Is OAuth Really Secure? http://www.flickr.com/photos/rooreynolds/2396418896/
  2. 2. Bruno Pedro A n e x p e r i e n c e d We b d e v e l o p e r a n d entrepreneur. Co-founder of tarpipe.com, a social media publishing platform. http://tarpipe.com/user/bpedro
  3. 3. Summary • What is OAuth? • Possible OWASP Top 10 threats • Possible solutions • Questions
  4. 4. What is OAuth? 1. Authorization protocol (RFC 5849)
  5. 5. What is OAuth? 2. Built on top of Google AuthSub, Flickr Auth and others http://tinyurl.com/3yhys4n
  6. 6. What is OAuth? 3. Authentication solution
  7. 7. What is OAuth? 4. Available for Web, desktop and also mobile and device applications
  8. 8. A1 - Injection ask for token consumer provider receive token
  9. 9. A1 - Injection ask for token mer provider ve rif yt receive token ok en database potential injection
  10. 10. A3 - Broken authentication consumer API call provider access token access secret • Weak or open access token and secret • Possible user impersonation
  11. 11. A5 - CSRF http://tinyurl.com/38o3r93 • End point might be open to CSRF • Possible user impersonation
  12. 12. A7 - Insecure Cryptographic Storage consumer tokens provider database database
  13. 13. A7 - Insecure Cryptographic Storage access to access to mer consumer all consumers prov users and all users database database
  14. 14. A10 - Unvalidated redirects • After authorizing, user is redirected to a callback URL • Callback might be an arbitrary value
  15. 15. Probably safe A2 — Cross Site Scripting A4 — Insecure Direct Object Reference A6 — Security Misconfiguration A8 — Failure to Restrict URL Access A9 — Insuficient Transport Layer Protection
  16. 16. Pay attention to A1 — Injection A3 — Broken Authentication A5 — Cross Site Request Forgery A7 — Insecure Cryptographic Storage A10 — Unvalidated Redirects
  17. 17. Possible solutions • Encrypt all OAuth credentials mitigates A3 and A7
  18. 18. Possible solutions • Generate verifiable consumer keys mitigates A1
  19. 19. Possible solutions • Throttle undesired usage mitigates A1 and A3
  20. 20. More information • OAuth: http://oauth.net • OWASP: http://owasp.org • OAuth Checklist: http://oauthchecklist.org
  21. 21. Questions? Thank you!

Editor's Notes

  • \n
  • \n
  • \n
  • RFC only published in April 2010\n
  • Authorization - used most of the time\nAuthentication - 2 legged OAuth, “sign in with twitter”, no to be confused with OpenID\nBuilt as an Open Protocol on top of already existing solutions (Amazon,Yahoo)\n
  • Authorization - used most of the time\nAuthentication - 2 legged OAuth, “sign in with twitter”, no to be confused with OpenID\nBuilt as an Open Protocol on top of already existing solutions (Amazon,Yahoo)\n
  • \n
  • \n
  • Possible solution: verify tokens prior to database\n
  • Possible solutions: crypto, throttle\n
  • Possible solution: any CSRF solution\n
  • \n
  • Solution: crypto and more\n
  • Possible solution: fix callback to same domain or even same page\n
  • \n
  • \n
  • A3 - Broken authentication, A7 - Insecure cryptographic storage\n
  • A1 - Injection\n
  • A1 - Injection, A3 - Broken authentication\n
  • \n
  • \n

    • ×