
OAuth 2.0 & Security Considerations


I gave this talk at the OWASP/Null Delhi chapter meet. The session was around the OAuth 2.0 workflow and a few security considerations that developers or security analysts need to take care of.

Meet details: https://null.co.in/events/210-delhi-null-delhi-meet-30-july-2016-null-owasp-combined-meet

Published in: Engineering


  1. OAuth 2.0 & Security Considerations. Vaibhav Gupta (Twitter: @VaibhavGupta_1, Blog: exploits.work). OWASP Delhi Chapter Meet, 30 July 2016. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. http://www.owasp.org
  2. Agenda (recursion! #GeekHumour :-P): Problem Statement: Why OAuth? What is OAuth? Typical OAuth Dance. Let's talk security!
  3. Disclaimer! OAuth has a lot of stuff to cover and, given the time constraints, I will stick to the important ones.
  4. Problem Statement: Why OAuth? The password-sharing anti-pattern. Parties: Resource owner (You!), Client (Photo Printing Service), Protected Resource (facebook.com). Aim: to give the client access to the protected resource on behalf of the resource owner.
  5. What is OAuth? An authorization (not authentication!) framework. A security delegation protocol. Based on tokens: how to "get token" and how to "use token".
  6. So you think I am understanding it!!
  7. Typical OAuth 2.0 Dance Party! Here are the invitees: Resource owner, Protected resource, Client, Authorization server.
  8. Image: OAuth 2 in action.
  9. (image only)
  10. Image: OAuth 2 in action.
  11. Let's Talk Security! CSRF: the "state" parameter [Client Vuln]. `<img src="https://photoprinting.local/callback?code=Attacker_Auth_Code">` Image: OAuth 2 in action.
  12. "redirect_uri" mismatch [Auth Server Vuln.] How about stealing the auth code from the referrer header? A lot of others!! Time constraint.
  13. References: OAuth 2.0 Specs http://tools.ietf.org/html/rfc6749; OAuth 2.0 Threat Model https://tools.ietf.org/html/rfc6819; Book: "OAuth 2 in Action" by Justin Richer and Antonio Sanso.
  14. Questions?
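The two defences behind slides 11 and 12, written out as an added example (not code from the talk): the client binds a random `state` to the session and refuses the forged `<img src=".../callback?code=...">` request because the state does not round-trip, and the authorization server accepts `redirect_uri` only on an exact match against its registration. The client id `photoprinting`, the hosts `photoprinting.local` and `auth.local`, and the in-memory session dict are constructed for the demo.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed registry: each client has exactly one pre-registered redirect_uri.
REGISTERED_REDIRECT_URIS = {"photoprinting": "https://photoprinting.local/callback"}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Authorization-server side: exact string match only.
    Prefix/substring matching would let a requester steer the code to some
    other page on the same host, which is where Referer leakage starts."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, "")
    return hmac.compare_digest(registered.encode(), requested.encode())


def begin_login(session: dict) -> str:
    """Client side: mint an unguessable state, bind it to this user's session,
    and build the authorization request that the browser is redirected to."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return ("https://auth.local/authorize?response_type=code"
            "&client_id=photoprinting"
            "&redirect_uri=https://photoprinting.local/callback"
            f"&state={session['oauth_state']}")


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Client side: return the auth code only if state matches the session.
    A cross-site <img> request carries no (or a wrong) state, so the
    attacker's code is dropped instead of being bound to the victim.
    The stored state is single-use, so a replayed callback also fails."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    return params.get("code", [None])[0]
```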
