SlideShare a Scribd company logo
1 of 20
Oauth
n|u - The Open security community
Chennai Meet
Presenter : Vinoth Kumar
Date : 22/07/2017
# About Me
Application security engineer.
Blogger @ http://www.tutorgeeks.net
Email @ vinothpkumar333@gmail.com
Tweet @vinothpkumar
Agenda for the session
● What is Oauth 2.0
● Why Oauth is required
● Oauth 2.0 Terminologies
● Oauth workflow
○ Sequence flow
○ Workflow request
● Exploiting Oauth for fun and profit
● Reference
What is Oauth 2.0
● Oauth2.0 is an “authorization” framework for web applications. It permits
selective access to a user’s resource without disclosing the password to the
website which asks for the resource.
● OAuth works over HTTP and authorizes applications with access tokens
rather than credentials
● Oauth is not SSO. SSO is an authentication / authorization flow through which
a user can log into multiple services using the same credentials whereas
OAuth is an authorization protocol that allows a user to selectively decide
which services can do what with a user’s data.
Why Oauth is required
● In classic authentication model, the user’s account credentials are generally
shared with the third party website which results in several problems.
○ Third party website may insecurely handle the credentials.
○ Compromise of one 3rd party service eventually compromises all 3rd party services since
same credentials are being used across all services.
○ Changing account password will eventually stop access to all 3rd party services.
Oauth 2.0 Terminologies
● Roles
○ Resource owner
○ Resource server
○ Client
○ Authorization server
● Workflow parameters
○ Application registration
○ Redirect URI
○ Access token
○ Client ID
○ Client secret
Oauth workflow
● The user requests the client to start the authorization process through the user-agent by
issuing a GET request. This happens when the user clicks on ‘Connect’/’Sign in with’ button
on the client’s website.
● The client redirects the user-agent to the authorization server using the following query
parameters:
○ response_type: code
○ client_id: The id issued to the client.
○ redirect_uri(optional): The URI where the authorization server will redirect the
response to.
○ scope(optional): The scope to be requested.
○ state(recommended): An opaque value to maintain state between the request and
callback.
Oauth workflow ( Cont )
● After the user authenticates and grants authorization for requested resources, the
authorization server redirects the user-agent to the redirect_uri with the following query
parameters:
○ code: The authorization code.
○ state: The value passed in the above request.
● The client further uses the authorization code to request for an access token(with appropriate
client authentication) using the following parameters in the request body:
○ grant_type: authorization_code
○ code: The authorization code received earlier.
○ redirect_uri: The redirect_uri passed in the first request.
Oauth sequence flow
Workflow request
● https://www.facebook.com/oauth/authorize?response_type=code@client_id=******&redirect_uri=http
s://example.com/callback/redirect&scope=read
● https://example.com/redirect?code=90jo42hasdoasdh
● https://facebook.com/oauth/token?client_id=*******&client_secret=*******&grant_type=authorization_
code&code=90jo42hasdoasdh&redirect_uri=https://example.com/token
Access token = Auth code + Client ID + Client secret + Redirect URI
{ “access_token” : aknasda809asdak }
https://facebook.com/comments?access_token=aknasda809asdak
Refresh token: A Refresh Token is a special kind of token that can be used to obtain a renewed
access token that allows accessing a protected resource at any time
Exploiting Oauth for fun and profit
● Clickjacking
● Covert redirect
● Directory traversal tricks
● Domain tricks
● Missing “State” parameter
● Fiddling with the “scope” parameter
● Authorization code not invalidated during access revocation
Clickjacking
Have secure implementations for preventing Clickjacking in Oauth dialog prompt.
● https://stephensclafani.com/2009/05/04/clickjacking-oauth/
● Clickjacking in Coinbase Oauth is worth 5000USD : https://hackerone.com/reports/65825
Covert redirect
If the domain is not verified, we could tamper the “redirect_uri” parameter and
steal the “code”. Try to find an Open URL Redirection vulnerability in the target.
https://www.facebook.com/oauth/authorize?response_type=code@client_id=******&redirect_uri=https://ex
ample.com/hello&scope=read
https://www.facebook.com/oauth/authorize?response_type=code@client_id=******&redirect_uri=https://ex
ample.com/hello/anything.php&u=attacker.com&scope=read
Open redirection vulnerability : https://example.com/hello/anything.php&u=attacker.com
Directory traversal tricks
It assumes that we can save certain files of our choice under the allowed domain. Possible in web
applications which allow uploading of files
https://example.com/token/callback/../../../our/path
/our/path/../../http://example.com/token/callback
Try different encoding techniques to fool the authorization server.
Domain tricks
If the allowed redirect_uri is https://example.com/token/callback, then we can use the following tricks to
bypass the restriction
● Naked domain
https://subdomain.example.com/token/callback
You are lucky, if you find a subdomain takeover vulnerability :)
● TLD Suffix confusion
Replace the suffix with .com.mx, .com.br.
Slack OAuth2 "redirect_uri" Bypass - https://hackerone.com/reports/2575
Missing “state” parameter
During authentication, the application sends this parameter in the authorization request, and the
Authorization Server will return this parameter unchanged in the response.
State parameter is used to prevent CSRF attacks.
State parameter missing in Slack :https://hackerone.com/reports/111218
https://pinterest-
commerce.shopifyapps.com/auth/pinterest/callback?code=fe373552c348b50000b4951184e86224ddde63
c4
Reference: https://auth0.com/docs/protocols/oauth2/oauth-state
Fiddling with the scope parameter
Try providing different values for “scope” and observe the response.
Phabricator hack : https://hackerone.com/reports/3930
In the case of Phabricator, providing a different scope in phabricator OAuth Dialog, automatically
redirected to the attacker site.
https://secure.phabricator.com/oauthserver/auth/?redirect_uri=http://files.nirgoldshlager.com&response_ty
pe=code&client_id=PHID-OASC-oyfqtnanxsukiw5lsnce&scope=ggg)
Authorization code not invalidated
When some user denies access for the application, all “Access tokens” should be revoked and become
invalid. But not only Access tokens should be revoked, authorization “Codes” must be revoked too.
Vimeo Oauth hack : https://hackerone.com/reports/57603
● Connect the app “attacker” to vimeo.com by approving the Oauth flow. You would’ve obtained
“Code” which you exchanged with Vimeo to obtain “Access token”
● Now go to Vimeo account settings page and revoke the access.
● You can still re-generate the “Access token” using the “Code” obtained in step 1 and have continued
access to Vimeo.
● User will have no control to revoke the access now :(
Reference
● Mastering modern web penetration testing - Prakhar Prasad
● https://auth0.com/
● Hackerone public disclosures
● Wikipedia
Thank You

More Related Content

What's hot

An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meetvinoth kumar
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Jonathan LeBlanc
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 

What's hot (20)

An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meet
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
 

Similar to Oauth 2.0 security

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)gemziebeth
 

Similar to Oauth 2.0 security (20)

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Full stack security
Full stack securityFull stack security
Full stack security
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
 

More from vinoth kumar

G suite misconfigurations- Null meet, Chennai
G suite misconfigurations- Null meet, ChennaiG suite misconfigurations- Null meet, Chennai
G suite misconfigurations- Null meet, Chennaivinoth kumar
 
Github security bug bounty hunting
Github security   bug bounty huntingGithub security   bug bounty hunting
Github security bug bounty huntingvinoth kumar
 
Securing your vpc in aws
Securing your vpc in awsSecuring your vpc in aws
Securing your vpc in awsvinoth kumar
 
Yet another talk on bug bounty
Yet another talk on bug bountyYet another talk on bug bounty
Yet another talk on bug bountyvinoth kumar
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennaivinoth kumar
 
Introduction to Bigdata and HADOOP
Introduction to Bigdata and HADOOP Introduction to Bigdata and HADOOP
Introduction to Bigdata and HADOOP vinoth kumar
 

More from vinoth kumar (6)

G suite misconfigurations- Null meet, Chennai
G suite misconfigurations- Null meet, ChennaiG suite misconfigurations- Null meet, Chennai
G suite misconfigurations- Null meet, Chennai
 
Github security bug bounty hunting
Github security   bug bounty huntingGithub security   bug bounty hunting
Github security bug bounty hunting
 
Securing your vpc in aws
Securing your vpc in awsSecuring your vpc in aws
Securing your vpc in aws
 
Yet another talk on bug bounty
Yet another talk on bug bountyYet another talk on bug bounty
Yet another talk on bug bounty
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennai
 
Introduction to Bigdata and HADOOP
Introduction to Bigdata and HADOOP Introduction to Bigdata and HADOOP
Introduction to Bigdata and HADOOP
 

Recently uploaded

4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptxmary850239
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptxmary850239
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsPooky Knightsmith
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDhatriParmar
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research DiscourseAnita GoswamiGiri
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 

Recently uploaded (20)

4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young minds
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Scientific Writing :Research Discourse
Scientific  Writing :Research  DiscourseScientific  Writing :Research  Discourse
Scientific Writing :Research Discourse
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 

Oauth 2.0 security

  • 1. Oauth n|u - The Open security community Chennai Meet Presenter : Vinoth Kumar Date : 22/07/2017
  • 2. # About Me Application security engineer. Blogger @ http://www.tutorgeeks.net Email @ vinothpkumar333@gmail.com Tweet @vinothpkumar
  • 3. Agenda for the session ● What is Oauth 2.0 ● Why Oauth is required ● Oauth 2.0 Terminologies ● Oauth workflow ○ Sequence flow ○ Workflow request ● Exploiting Oauth for fun and profit ● Reference
  • 4. What is Oauth 2.0 ● Oauth2.0 is an “authorization” framework for web applications. It permits selective access to a user’s resource without disclosing the password to the website which asks for the resource. ● OAuth works over HTTP and authorizes applications with access tokens rather than credentials ● Oauth is not SSO. SSO is an authentication / authorization flow through which a user can log into multiple services using the same credentials whereas OAuth is an authorization protocol that allows a user to selectively decide which services can do what with a user’s data.
  • 5. Why Oauth is required ● In classic authentication model, the user’s account credentials are generally shared with the third party website which results in several problems. ○ Third party website may insecurely handle the credentials. ○ Compromise of one 3rd party service eventually compromises all 3rd party services since same credentials are being used across all services. ○ Changing account password will eventually stop access to all 3rd party services.
  • 6. Oauth 2.0 Terminologies ● Roles ○ Resource owner ○ Resource server ○ Client ○ Authorization server ● Workflow parameters ○ Application registration ○ Redirect URI ○ Access token ○ Client ID ○ Client secret
  • 7. Oauth workflow ● The user requests the client to start the authorization process through the user-agent by issuing a GET request. This happens when the user clicks on ‘Connect’/’Sign in with’ button on the client’s website. ● The client redirects the user-agent to the authorization server using the following query parameters: ○ response_type: code ○ client_id: The id issued to the client. ○ redirect_uri(optional): The URI where the authorization server will redirect the response to. ○ scope(optional): The scope to be requested. ○ state(recommended): An opaque value to maintain state between the request and callback.
  • 8. Oauth workflow ( Cont ) ● After the user authenticates and grants authorization for requested resources, the authorization server redirects the user-agent to the redirect_uri with the following query parameters: ○ code: The authorization code. ○ state: The value passed in the above request. ● The client further uses the authorization code to request for an access token(with appropriate client authentication) using the following parameters in the request body: ○ grant_type: authorization_code ○ code: The authorization code received earlier. ○ redirect_uri: The redirect_uri passed in the first request.
  • 10. Workflow request ● https://www.facebook.com/oauth/authorize?response_type=code@client_id=******&redirect_uri=http s://example.com/callback/redirect&scope=read ● https://example.com/redirect?code=90jo42hasdoasdh ● https://facebook.com/oauth/token?client_id=*******&client_secret=*******&grant_type=authorization_ code&code=90jo42hasdoasdh&redirect_uri=https://example.com/token Access token = Auth code + Client ID + Client secret + Redirect URI { “access_token” : aknasda809asdak } https://facebook.com/comments?access_token=aknasda809asdak Refresh token: A Refresh Token is a special kind of token that can be used to obtain a renewed access token that allows accessing a protected resource at any time
  • 11. Exploiting Oauth for fun and profit ● Clickjacking ● Covert redirect ● Directory traversal tricks ● Domain tricks ● Missing “State” parameter ● Fiddling with the “scope” parameter ● Authorization code not invalidated during access revocation
  • 12. Clickjacking Have secure implementations for preventing Clickjacking in Oauth dialog prompt. ● https://stephensclafani.com/2009/05/04/clickjacking-oauth/ ● Clickjacking in Coinbase Oauth is worth 5000USD : https://hackerone.com/reports/65825
  • 13. Covert redirect If the domain is not verified, we could tamper the “redirect_uri” parameter and steal the “code”. Try to find an Open URL Redirection vulnerability in the target. https://www.facebook.com/oauth/authorize?response_type=code@client_id=******&redirect_uri=https://ex ample.com/hello&scope=read https://www.facebook.com/oauth/authorize?response_type=code@client_id=******&redirect_uri=https://ex ample.com/hello/anything.php&u=attacker.com&scope=read Open redirection vulnerability : https://example.com/hello/anything.php&u=attacker.com
  • 14. Directory traversal tricks It assumes that we can save certain files of our choice under the allowed domain. Possible in web applications which allow uploading of files https://example.com/token/callback/../../../our/path /our/path/../../http://example.com/token/callback Try different encoding techniques to fool the authorization server.
  • 15. Domain tricks If the allowed redirect_uri is https://example.com/token/callback, then we can use the following tricks to bypass the restriction ● Naked domain https://subdomain.example.com/token/callback You are lucky, if you find a subdomain takeover vulnerability :) ● TLD Suffix confusion Replace the suffix with .com.mx, .com.br. Slack OAuth2 "redirect_uri" Bypass - https://hackerone.com/reports/2575
  • 16. Missing “state” parameter During authentication, the application sends this parameter in the authorization request, and the Authorization Server will return this parameter unchanged in the response. State parameter is used to prevent CSRF attacks. State parameter missing in Slack :https://hackerone.com/reports/111218 https://pinterest- commerce.shopifyapps.com/auth/pinterest/callback?code=fe373552c348b50000b4951184e86224ddde63 c4 Reference: https://auth0.com/docs/protocols/oauth2/oauth-state
  • 17. Fiddling with the scope parameter Try providing different values for “scope” and observe the response. Phabricator hack : https://hackerone.com/reports/3930 In the case of Phabricator, providing a different scope in phabricator OAuth Dialog, automatically redirected to the attacker site. https://secure.phabricator.com/oauthserver/auth/?redirect_uri=http://files.nirgoldshlager.com&response_ty pe=code&client_id=PHID-OASC-oyfqtnanxsukiw5lsnce&scope=ggg)
  • 18. Authorization code not invalidated When some user denies access for the application, all “Access tokens” should be revoked and become invalid. But not only Access tokens should be revoked, authorization “Codes” must be revoked too. Vimeo Oauth hack : https://hackerone.com/reports/57603 ● Connect the app “attacker” to vimeo.com by approving the Oauth flow. You would’ve obtained “Code” which you exchanged with Vimeo to obtain “Access token” ● Now go to Vimeo account settings page and revoke the access. ● You can still re-generate the “Access token” using the “Code” obtained in step 1 and have continued access to Vimeo. ● User will have no control to revoke the access now :(
  • 19. Reference ● Mastering modern web penetration testing - Prakhar Prasad ● https://auth0.com/ ● Hackerone public disclosures ● Wikipedia