OAuth 2.0 & Security Considerations
Report
Vaibhav GuptaFollow
Security Researcher at AdobeAug. 3, 2016•0 likes•2,110 views
OAuth 2.0 & Security Considerations
Aug. 3, 2016•0 likes•2,110 views
Download to read offline
Report
Engineering
I gave this talk at OWASP/Null Delhi chapter meet. The session was around the OAuth 2.0 workflow and few security considerations that developers or security analyst needs to take care. Meet details: https://null.co.in/events/210-delhi-null-delhi-meet-30-july-2016-null-owasp-combined-meet
Vaibhav GuptaFollow
Security Researcher at AdobeRecommended
Security Automation using ZAPVaibhav Gupta
Application Security Risk RatingVaibhav Gupta
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
OAuth for your API - The Big PictureApigee | Google Cloud
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
More Related Content
Similar to OAuth 2.0 & Security Considerations
A How-to Guide to OAuth & API SecurityCA API Management
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
OAuth you saidOAuth.io
Securing APIs using OAuth 2.0Adam Lewis
Csrf protectorMinhaz A V
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Dakiry
Recently uploaded
Reda Khafaga -1.pdfredakhafaga1
EN8591 Municipal Solid waste management Unit 1 - Two mark Q&A.pptxSubha Gnanaraj
Green Building Materials.pptxKanchana785144
Traditional Concrete Compositions to Cutting Edge Solutions..pptxSARANYA KANDASAMY
Better Builder Magazine, Issue 46 / Summer 2023Better Builder Magazine
Summer Intern SpecialTaylorDuffy11
OAuth 2.0 & Security Considerations
- Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OAuth 2.0 & Security Considerations Vaibhav Gupta Twitter: @VaibhavGupta_1 Blog: exploits.workDelhi Chapter Meet – 30 July 2016
- OWASP 2 Agenda Agenda (recursion! #GeekHumour :-P) Problem Statement: Why OAuth? What is OAuth? Typical OAuth Dance Lets talk security!
- OWASP Disclaimer! OAuth has a lot of stuff to cover and given the time constraints, I will stick to the important ones 3
- OWASP Problem Statement: Why OAuth? Password sharing anti-pattern 4 Resource owner (You!) Client (Photo Printing Service) Protected Resource (facebook.com) Aim: To give client access to the protected resource on behalf of resource owner
- OWASP What is OAuth Authorization (not authentication!) framework Security delegation protocol Based on token How to “get token” and how to “use token” 5
- OWASP 6 So you think I am understanding it !!
- OWASP Typical OAuth 2.0 Dance Party! Here are the invitees: Resource owner Protected resource Client Authorization server 7
- OWASP 8 Image: OAuth 2 in action
- OWASP 9
- OWASP 10 Image: OAuth 2 in action
- OWASP Let’s Talk Security! CSRF – “state” parameter [Client Vuln] <img src=“ https://photoprinting.local/callback?code=Attacker_Auth_Code ”> 11 Image: OAuth 2 in action
- OWASP “redirect_uri” mismatch [Auth Server Vuln.] How about stealing auth code from referrer header? A lot others!! Time constraint 12
- OWASP References OAuth 2.0 Specs http://tools.ietf.org/html/rfc6749 OAuth 2.0 – Threat model https://tools.ietf.org/html/rfc6819 Book: “OAuth 2 in Action” by Justin Richer and Antonio Sanso 13
- OWASP 14 Questions?