OAuth 2.0 & Security Considerations

Vaibhav Gupta, Security Researcher at Adobe
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org

Vaibhav Gupta
Twitter: @VaibhavGupta_1
Blog: exploits.work
Delhi Chapter Meet – 30 July 2016

Agenda
Agenda (recursion! #GeekHumour :-P)
Problem Statement: Why OAuth?
What is OAuth?
Typical OAuth Dance
Let's talk security!

Disclaimer!
OAuth has a lot of stuff to cover and given the time constraints, I will stick to the important ones.

Problem Statement: Why OAuth?
Password sharing anti-pattern
Resource owner (You!)
Client (Photo Printing Service)
Protected Resource (facebook.com)
Aim: to give the client access to the protected resource on behalf of the resource owner

What is OAuth?
Authorization (not authentication!) framework
Security delegation protocol
Token based
How to “get a token” and how to “use a token”

So you think I am understanding it!!

Typical OAuth 2.0 Dance Party!
Here are the invitees:
Resource owner
Protected resource
Client
Authorization server

Slides 8–10: images (credit: OAuth 2 in Action)

Let’s Talk Security!
CSRF – “state” parameter [Client Vuln.]
<img src="https://photoprinting.local/callback?code=Attacker_Auth_Code">
Image: OAuth 2 in action
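The client-side defence for the CSRF slide above is a per-session, single-use "state" value that the callback refuses to proceed without. The following is an added example, not code from the talk or from any of the projects it cites; the authorization endpoint, client id, scope and the plain dict standing in for a server-side session are assumptions, while the callback host is the one on the slide.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example: the authorization endpoint, client id and
# scope are hypothetical; the callback host is the one used on the slide.
AUTHORIZE_ENDPOINT = "https://auth.example.local/authorize"
CLIENT_ID = "photoprinting"
REDIRECT_URI = "https://photoprinting.local/callback"


def start_authorization(session: dict) -> str:
    """Create an unguessable state, bind it to the user's session and
    return the authorization URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "photos.read",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> tuple:
    """Validate the redirect back to the client.

    Returns (True, code) when the state in the query matches the one bound
    to this session, otherwise (False, reason). The pending state is removed
    on any callback, so it is single-use whatever the outcome.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None:
        return False, "no pending authorization in this session"
    if received is None:
        return False, "state missing"
    # Constant-time comparison; both sides are encoded so odd input
    # mismatches instead of raising.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "state mismatch"
    code = query.get("code", [None])[0]
    if not code:
        return False, "code missing"
    return True, code


if __name__ == "__main__":
    # Constructed walk-through: a victim session starts the flow, then the
    # forged callback from the slide's <img> tag arrives carrying no state.
    victim = {}
    print(start_authorization(victim))
    print(handle_callback(
        victim, "https://photoprinting.local/callback?code=Attacker_Auth_Code"))
```

The forged callback fails at "state missing" before the client ever exchanges the attacker's code, and a legitimate callback consumes the state so it cannot be replayed against the same session.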

“redirect_uri” mismatch [Auth Server Vuln.]
How about stealing the auth code from the referrer header?
A lot of others!! Time constraint.
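On the authorization-server side, the mismatch problem on this slide is closed by matching the requested redirect_uri against the registered value by exact string comparison (RFC 6749 section 3.1.2.2), not by prefix or host, and the referrer question is narrowed by having the client's callback leave the code-bearing URL immediately with a Referrer-Policy that suppresses the Referer header. The following is an added example, not code from the talk or from the cited RFCs; the client registry and client id are constructed, and the callback host is the slide's.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry: client_id -> redirect URIs registered out of band.
# The client id is hypothetical; the callback host is the slide's.
CLIENT_REGISTRY = {
    "photoprinting": {"https://photoprinting.local/callback"},
}


def validate_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> str:
    """Return the redirect URI the authorization server may send the code to,
    or raise ValueError.

    Matching is an exact string comparison against the registered value
    (RFC 6749 section 3.1.2.2), never a prefix or host check; a fragment is
    rejected (RFC 6749 section 3.1.2) and this example also insists on https.
    """
    registered = CLIENT_REGISTRY.get(client_id)
    if not registered:
        raise ValueError("unknown client_id")
    if redirect_uri is None:
        # An omitted parameter is only acceptable with exactly one registered URI.
        if len(registered) == 1:
            return next(iter(registered))
        raise ValueError("redirect_uri is required for this client")
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        raise ValueError("redirect_uri must use https")
    if parts.fragment:
        raise ValueError("redirect_uri must not contain a fragment")
    if redirect_uri not in registered:
        raise ValueError("redirect_uri does not exactly match a registered value")
    return redirect_uri


def is_redirect_uri_allowed(client_id: str, redirect_uri: Optional[str]) -> bool:
    """Boolean wrapper around validate_redirect_uri for callers and tests."""
    try:
        validate_redirect_uri(client_id, redirect_uri)
        return True
    except ValueError:
        return False


def callback_response(next_path: str) -> dict:
    """Response the client's callback endpoint sends once it has consumed the
    code: redirect away from the code-bearing URL at once, tell the browser
    not to send it as a Referer, and keep it out of caches."""
    return {
        "status": 303,
        "Location": next_path,
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed checks: the registered URI passes, look-alike variants do not.
    for uri in ("https://photoprinting.local/callback",
                "https://photoprinting.local/callback/extra",
                "https://photoprinting.local.example/callback"):
        print(uri, is_redirect_uri_allowed("photoprinting", uri))
    print(callback_response("/albums"))
```

Exact matching means a registered "https://photoprinting.local/callback" does not admit a longer path, a different scheme, a fragment, or a look-alike host, which is what the slide's mismatch class of bugs comes down to; the callback response is the client-side half, so the code never sits in a URL the browser might carry forward.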

References
OAuth 2.0 Specs: http://tools.ietf.org/html/rfc6749
OAuth 2.0 – Threat model: https://tools.ietf.org/html/rfc6819
Book: “OAuth 2 in Action” by Justin Richer and Antonio Sanso

Questions?