Advertisement
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing

Check these out next

REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
UA Mobile
Adding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your Application
Fernando Lopez Aguilar
OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
Design and Analyze Secure Networked Systems - 3
Design and Analyze Secure Networked Systems - 3
Don Kim
How to get rid of terraform plan diffs
How to get rid of terraform plan diffs
Yukiya Hayashi
1 of 12

Yevhen Teleshyk - OAuth Phishing

Mar. 4, 2018
Download to read offline
Technology

Phishing Threats to Cloud Users

OWASP Kyiv
OWASP Kyiv
Advertisement
Advertisement
Advertisement

Recommended

Preventing XSRF in ASP.NET CORE appsPreventing XSRF in ASP.NET CORE apps
Preventing XSRF in ASP.NET CORE appsFiyaz Hasan267 views13 slides
Pentest ExpectationsPentest Expectations
Pentest ExpectationsIhor Uzhvenko173 views30 slides
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman3.3K views49 slides
IdM and ACIdM and AC
IdM and ACFernando Lopez Aguilar2.5K views43 slides
OAuth1.0OAuth1.0
OAuth1.0G Jayendra Kartheek2.2K views16 slides
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL6.2K views15 slides

More Related Content

Slideshows for you(19)

REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd8K views
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc49.2K views
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
OpenId and OAuth2: Rear, Medium, Well Done - UA Mobile 2019
UA Mobile122 views
Adding Identity Management and Access Control to your ApplicationAdding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your Application
Fernando Lopez Aguilar3.1K views
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen4.5K views
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi548 views
Design and Analyze Secure Networked Systems - 3Design and Analyze Secure Networked Systems - 3
Design and Analyze Secure Networked Systems - 3
Don Kim35 views
How to get rid of terraform plan diffsHow to get rid of terraform plan diffs
How to get rid of terraform plan diffs
Yukiya Hayashi679 views
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc2.9K views
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology2K views
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut5.2K views
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?
VMware Tanzu269 views
D@W REST securityD@W REST security
D@W REST security
Gaurav Sharma474 views
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy685 views
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc6K views
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath12K views
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible876 views
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
Fernando Lopez Aguilar696 views
JSON Web TokenJSON Web Token
JSON Web Token
Deddy Setyadi1.5K views

Similar to Yevhen Teleshyk - OAuth Phishing(20)

A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 example
Mattia Reggiani4.6K views
OAuth in the WildOAuth in the Wild
OAuth in the Wild
Victor Rentea165 views
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi22.4K views
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible168 views
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible605 views
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk338 views
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion1.2K views
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters1.2K views
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
Kenji Otsuka176 views
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Dilip Mohapatra1.9K views
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
Luca Mearelli8.1K views
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar1.9K views
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
Matt Raible707 views
MQTT securityMQTT security
MQTT security
Anthony Chow1.5K views
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
Clément OUDOT1.6K views
Api security with OAuthApi security with OAuth
Api security with OAuth
thariyarox117 views
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management996 views
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy203 views
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible1.5K views
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
Profesia Srl a socio unico35 views
Advertisement

More from OWASP Kyiv(20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv245 views
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv197 views
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv153 views
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv590 views
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv693 views
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv466 views
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv2.4K views
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv432 views
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv524 views
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
OWASP Kyiv590 views
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv344 views
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv815 views
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
OWASP Kyiv343 views
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv1.1K views
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv647 views
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv1.5K views
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv636 views
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv412 views
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
OWASP Kyiv370 views
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
OWASP Kyiv547 views

Recently uploaded(20)

independent researcherindependent researcher
independent researcher
amanvijayjindal0 views
Trane THT2212-SPST Therm Cutoff; 265Op 35C-PartsHnC.pdfTrane THT2212-SPST Therm Cutoff; 265Op 35C-PartsHnC.pdf
Trane THT2212-SPST Therm Cutoff; 265Op 35C-PartsHnC.pdf
PartsHnC Hvac Parts0 views
Vin secure solutions PPT (1).pdfVin secure solutions PPT (1).pdf
Vin secure solutions PPT (1).pdf
vin secure solutions0 views
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
Lionel Faleiro0 views
Cloud Forensics ToolsCloud Forensics Tools
Cloud Forensics Tools
Christopher Doman0 views
Evolución de una arquitectura monolítica hacia decoupled commerce en un retai...Evolución de una arquitectura monolítica hacia decoupled commerce en un retai...
Evolución de una arquitectura monolítica hacia decoupled commerce en un retai...
Marcos Pueyrredon0 views
The Benefits of Adopting the Lamp Tech Stack: A Comprehensive Guide:The Benefits of Adopting the Lamp Tech Stack: A Comprehensive Guide:
The Benefits of Adopting the Lamp Tech Stack: A Comprehensive Guide:
Brain Inventory0 views
Valere Project Portfolio June 2023Valere Project Portfolio June 2023
Valere Project Portfolio June 2023
Alexander Turgeon0 views
Temporary Tattoo.pdfTemporary Tattoo.pdf
Temporary Tattoo.pdf
DevDeshpande23 views
trackingSpoofedIp.pptxtrackingSpoofedIp.pptx
trackingSpoofedIp.pptx
BincySam20 views
Using Data-Driven Agile Automation to Advance Digital TransformationUsing Data-Driven Agile Automation to Advance Digital Transformation
Using Data-Driven Agile Automation to Advance Digital Transformation
Precisely0 views
W-6-7-Ch-5-Tank Suspension system.pptxW-6-7-Ch-5-Tank Suspension system.pptx
W-6-7-Ch-5-Tank Suspension system.pptx
vishnoo70 views
Untitled presentation.pdfUntitled presentation.pdf
Untitled presentation.pdf
SompriyaNarayanaTiwa0 views
UNCOVERING MYTHS ABOUT CLOUD COMPUTING - IS IT.pptxUNCOVERING MYTHS ABOUT CLOUD COMPUTING - IS IT.pptx
UNCOVERING MYTHS ABOUT CLOUD COMPUTING - IS IT.pptx
OsazeeOboh0 views
Open Data Center Interconnect Products and Solutions Brochure -GL.pdfOpen Data Center Interconnect Products and Solutions Brochure -GL.pdf
Open Data Center Interconnect Products and Solutions Brochure -GL.pdf
Gigalight3 views
Python Sets_Dictionary.pptxPython Sets_Dictionary.pptx
Python Sets_Dictionary.pptx
M Vishnuvardhan Reddy0 views
W-2-Ch-2-Intro to Power plants.pptW-2-Ch-2-Intro to Power plants.ppt
W-2-Ch-2-Intro to Power plants.ppt
vishnoo70 views
Hologram Hologram
Hologram
Butterfly education 0 views
Tips and tricks for data science projects with Python Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python
Jose Manuel Ortega Candel0 views
Wireless Computing in 6 slides.pptxWireless Computing in 6 slides.pptx
Wireless Computing in 6 slides.pptx
Mari Xxx0 views
Advertisement

Yevhen Teleshyk - OAuth Phishing

  1. Yevhen Teleshyk Phishing Threats to Cloud Users
  2. Phishing - spear phishing - clone phishing - whaling
  3. OAuth2 Application Authorization server Resource Server Resource owner Authorization request Authorization grant Authorization grant Access Token Protected Resource Access Token
  4. Registration
  5. Authorizations request Application Resource owner Authorization request https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_ type=code&client_id={}&redirect_uri={}&scope={}
  6. Scopes
  7. Authorization grant
  8. OAuth2 Application Authorization server Access Token
  9. JWT JWT= eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2Y TctODkwYS0yNzRhNzJhNzMwOWUiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm 5ldC83ZmU4MTQ0Ny1kYTU3LTQzODUtYmVjYi02ZGU1N2YyMTQ3N2UvIiwiaWF0Ijo xMzg4NDQwODYzLCJuYmYiOjEzODg0NDA4NjMsImV4cCI6MTM4ODQ0NDc2Mywid mVyIjoiMS4wIiwidGlkIjoiN2ZlODE0NDctZGE1Ny00Mzg1LWJlY2ItNmRlNTdmMjE0Nzd lIiwib2lkIjoiNjgzODlhZTItNjJmYS00YjE4LTkxZmUtNTNkZDEwOWQ3NGY1IiwidXBuIjoi ZnJhbmttQGNvbnRvc28uY29tIiwidW5pcXVlX25hbWUiOiJmcmFua21AY29udG9zby5j b20iLCJzdWIiOiJKV3ZZZENXUGhobHBTMVpzZjd5WVV4U2hVd3RVbTV5elBtd18talg zZkhZIiwiZmFtaWx5X25hbWUiOiJNaWxsZXIiLCJnaXZlbl9uYW1lIjoiRnJhbmsifQ.iwid W5pcXVlX25hbWUiOiJmcmFua21 JWT = base64(header.payload.signature) Header = {"typ","nonce","alg","x5t","kid"} Payload = {"aud":"https://graph.microsoft.com","iss","iat","nbf", "exp","acr","aio","amr","app_displayname","appid","appidacr", "family_name","given_name","ipaddr","name","oid","onprem_sid", "platf","puid","scp","sub","tid","unique_name","upn","uti","ver"}
  10. Revoking
  11. Questions?
  12. References: • https://tools.ietf.org/html/rfc6749 • https://msdn.microsoft.com/en-us/office/office365/api/mail-rest-operations • https://docs.microsoft.com/en-us/outlook/rest/node-tutorial#using-the-mail-api • https://www.elevenpaths.com/new-ransomcloud-o365-report/index.html
Advertisement