Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Is OAuth Really Secure?


Published on

Slides from a talk I gave at IBWAS'10 in Lisbon, Portugal.

Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as the RFC 5849 and is being widely adopted by large Internet companies, it's important to stress out its possible security vulnerabilities.
This talk will focus on the OWASP Top 10 Application Security Risks and how OAuth is affected by them.

While some of the security risks are mitigated by OAuth, developers need to take some action to prevent other risks from affecting their implementations.

Published in: Technology
  • Be the first to comment

Is OAuth Really Secure?

  1. 1. IBWAS’10 Bruno Pedro17 November 2010Is OAuth ReallySecure?
  2. 2. Bruno PedroA n e x p e r i e n c e d We b d e v e l o p e r a n dentrepreneur. Co-founder of, asocial media publishing platform.
  3. 3. Summary• What is OAuth?• Possible OWASP Top 10 threats• Possible solutions• Questions
  4. 4. What is OAuth?1. Authorization protocol (RFC 5849)
  5. 5. What is OAuth?2. Built on top of Google AuthSub, Flickr Auth and others
  6. 6. What is OAuth?3. Authentication solution
  7. 7. What is OAuth?4. Available for Web, desktop and also mobile and device applications
  8. 8. A1 - Injection ask for tokenconsumer provider receive token
  9. 9. A1 - Injection ask for tokenmer provider ve rif yt receive token ok en database potential injection
  10. 10. A3 - Broken authentication consumer API call provider access token access secret• Weak or open access token and secret• Possible user impersonation
  11. 11. A5 - CSRF• End point might be open to CSRF• Possible user impersonation
  12. 12. A7 - InsecureCryptographic Storageconsumer tokens provider database database
  13. 13. A7 - Insecure Cryptographic Storage access to access tomer consumer all consumers prov users and all users database database
  14. 14. A10 - Unvalidated redirects• After authorizing, user is redirected to a callback URL• Callback might be an arbitrary value
  15. 15. Probably safeA2 — Cross Site ScriptingA4 — Insecure Direct Object ReferenceA6 — Security MisconfigurationA8 — Failure to Restrict URL AccessA9 — Insuficient Transport Layer Protection
  16. 16. Pay attention toA1 — InjectionA3 — Broken AuthenticationA5 — Cross Site Request ForgeryA7 — Insecure Cryptographic StorageA10 — Unvalidated Redirects
  17. 17. Possible solutions• Encrypt all OAuth credentials mitigates A3 and A7
  18. 18. Possible solutions• Generate verifiable consumer keys mitigates A1
  19. 19. Possible solutions• Throttle undesired usage mitigates A1 and A3
  20. 20. More information• OAuth:• OWASP:• OAuth Checklist:
  21. 21. Questions? Thank you!