Pavan Kumar J
Security For OAuth 2.0 : How To Handle
Protected Data
An Introduction to OAuth Framework and Security Countermeasures
Our Speaker today
● Security Lead at we45.
● Seasoned security professional with over 5 years' experience leading pen-testing projects.
● Written numerous automation scripts for automating host-environment reconnaissance.
● Specializes in custom security automation solutions.
● Ardent researcher around a host of different subjects (Cloud Security, OAuth, SSO, etc.)
Over the next 45 minutes...
● Comprehensive understanding of the OAuth 2.0 authorization
framework.
● Threats/Attacks specific to OAuth 2.0
● Practical demonstration of exploit vectors
● Outline of architectural best practices in OAuth 2.0
History of Authentication and Authorization
Authentication protocol (OpenID Connect) vs. authorization framework (OAuth 2.0): OpenID Connect is built upon OAuth 2.0.
(Identity, Authentication) + OAuth 2.0 = OpenID Connect
Erstwhile OAuth...
● Storing of user credentials
● Complete access to the user's accounts
● Insecure handling of user credentials
● Users can't revoke access
● Compromised apps expose the user's password
Presenting OAuth 2.0
● OAuth 2.0 stands for Open Authorization
● The protocol provides simple and secure authorization for different types of applications
● A way to provide user access without exchanging credentials
● One of the best methods for consumers to interact with protected data
Core Elements of an OAuth Flow
● Resource Owner - User
● Client - Coolmart (an example app)
● Authorization Server - Facebook / Google, etc.
● Resource Server - Facebook / Google, etc.
OAuth 2.0 : Abstract Flow
Participants: User, Application (client), Auth server, Resource Server
1. Application redirects to Auth server
2. User authorizes the request
3. Application gets Authorization code
4. Request Access token using Authorization code
5. Application gets Access Token
6. Fetch protected data using Access Token
7. Serves Protected data
OAuth 2.0 Grant Types
● Authorization Code Grant
● Implicit Grant
● Password Grant
● Client Credentials
Authorization Code Grant
Participants: User, Application (client), Auth Server, Resource Server
1. Application redirects to Auth server
2. User authorizes the request
3. Application gets Authorization code
4. Request Access token using Authorization code
5. Application gets Access Token
6. Fetch protected data using Access Token
7. Serves Protected data
Security Perspective : Auth Code Grant
● Two-step protocol
● The authorization code is used to obtain an access token and a refresh token
● Supports refresh tokens
● Uses cookies
Implicit Grant
Participants: User, Application (client), Auth server, Resource Server
1. Application redirects to Auth server
2. User authorizes the request
3. Application gets Access token
4. Fetch protected data using Access Token
5. Serves Protected data
Security Perspective : Implicit Grant
● Can log into a site WITHOUT storage or knowledge of the client_secret key
● Does not support refresh tokens
● Access tokens are returned directly from the authorization request
● Exposed to XSS attacks
Resource Owner Password Grant
Participants: User, Application (client), Auth server, Resource Server
1. Application asks for Facebook credentials
2. User provides credentials to the application
3. Application forwards the credentials
4. Application gets Access token
5. Fetch protected data using Access Token
6. Serves Protected data
Security Perspective : Password Grant
● Suitable for in-house / own-organization applications
● Not suitable for external clients
● Clients will hold the user's credentials
● Compromised apps expose the user's password
● Credentials may be handled insecurely
Client Credential Grant
Participants: Application (client), Auth server, Resource Server
1. Application sends Client credentials
4. Application gets Access token
5. Fetch protected data using Access Token
6. Serves Protected data
Security Perspective : Client Credentials
● Suitable for machine-to-machine applications
● No support for refresh tokens
● No authorization step by a resource owner (user)
● Chance of exposing the client credentials
Vulnerability Deep Dive
OAuth Security Issue : 1
AUTHORIZATION CODE IS NOT INVALIDATED
Authorization Codes not invalidated
Attack Scenario:
● An authorization code must be revoked once it has been used.
● When the user denies or revokes access for the application, its authorization codes must be revoked along with the access token.
[Slide shows an example client redirect URL carrying the authorization code in an auth_code query parameter; the URL is omitted here.]
Demo
Generating N access tokens from a single authorization code
Mitigation Strategy
● Do not accept used authorization codes
● Client websites must never send the authorization code in the Referer header
● Ensure that pages containing sensitive information are only visible post-authentication.
○ Ensure that authenticated functionality is not cached, using Cache-Control
○ Consider implementing a robots.txt file to ensure that search engines do not index and cache sensitive pages
OAuth Security Issue : 2
OAUTH SCOPE PERMISSIONS
OAuth Scope Permissions
Mitigation Strategy
● Developers must consider the scope of grant given to different client website types while setting up the authorization server.
● Client websites MUST explain the scope of permissions they are asking of the user
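An added example (not from the slides) of both mitigations on the authorization-server side: a per-client-type ceiling on scope that downscopes over-broad requests, the consent text for each scope that a client must show the user, and a token response that includes the "scope" parameter whenever the granted scope differs from the requested one, as RFC 6749 section 5.1 requires. The scope names, client types and descriptions are constructed.

```python
# Constructed scope catalogue: the consent text a client must show per scope.
SCOPE_DESCRIPTIONS = {
    "profile:read": "View your name and profile picture",
    "email": "View your email address",
    "orders:read": "View your order history",
    "orders:write": "Place orders on your behalf",
}

# Constructed policy: the most a client of each type may ever be granted,
# decided when the authorization server is set up.
MAX_SCOPE_BY_CLIENT_TYPE = {
    "first_party_web": {"profile:read", "email", "orders:read", "orders:write"},
    "public_spa": {"profile:read", "email", "orders:read"},
    "third_party": {"profile:read"},
}


def resolve_scope(client_type, requested_scope):
    """Return (granted_scope, downscoped); raise ValueError for unknown scopes."""
    requested = set(requested_scope.split())
    unknown = requested - set(SCOPE_DESCRIPTIONS)
    if unknown:
        raise ValueError("invalid_scope: " + " ".join(sorted(unknown)))
    granted = requested & MAX_SCOPE_BY_CLIENT_TYPE[client_type]
    if not granted:
        raise ValueError("invalid_scope: nothing requested is permitted")
    return " ".join(sorted(granted)), granted != requested


def consent_lines(granted_scope):
    """What the consent screen (and the client) tells the user is being asked."""
    return [SCOPE_DESCRIPTIONS[s] for s in granted_scope.split()]


def token_response(client_type, requested_scope, access_token):
    """Token endpoint response. RFC 6749 section 5.1 makes 'scope' REQUIRED
    whenever the granted scope differs from what the client requested."""
    granted, downscoped = resolve_scope(client_type, requested_scope)
    response = {"access_token": access_token, "token_type": "Bearer"}
    if downscoped:
        response["scope"] = granted
    return response
```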
OAuth Security Issue : 3
ACCOUNT TAKEOVER USING CSRF
Account Takeover using CSRF
Participants: Attacker, User (victim)
1. Attacker creates a dummy account
2. Attacker signs in with Facebook
3. Redirected to Facebook
4. Attacker gets an authorization code
5. Attacker crafts and sends a CSRF-forged request
6. Victim clicks on the forged request
7. Attacker's Facebook account is connected to the victim's Coolmart account
Mitigation Strategy
● OAuth 2.0 provides security against such attacks through the state parameter, which acts like a CSRF token.
● Client websites must be sure to send a state parameter and validate it when handling the callback request
● Authorization servers must issue proper guidelines for generating and handling CSRF tokens.
OAuth Security Issue : 4
STEALING OAUTH TOKENS via REDIRECT_URL
Stealing OAuth Tokens
● The attacker owns his own website, www.attacker.com.
● After grabbing the victim's authorization URI, the attacker replaces the "redirect_uri" parameter with "www.attacker.com".
● Then, after successful authentication, the OAuth server redirects back to the attacker's URL with the authorization code.
● Using that code, the attacker can easily obtain an access token.
Demo
Stealing the authorization code via CSRF and redirect_uri
Mitigation Strategy
● Ensure that the redirect_uri cannot be tampered with anywhere in the flow
● The authorization server must always validate the redirect_uri against its registered value.
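As an added example (not from the slides), an authorization-server check that accepts a redirect_uri only when it exactly matches one pre-registered for the client, shown beside the kind of domain-prefix test that lets the attacker.com substitution and look-alike hosts through. The client registry and the coolmart.example host are constructed.

```python
from urllib.parse import urlsplit

# Constructed client registry for the deck's example client "Coolmart".
REGISTERED_REDIRECT_URIS = {
    "coolmart": {"https://coolmart.example/oauth/callback"},
}


def weak_redirect_check(redirect_uri):
    """The kind of check that whitelists an entire domain and fails.

    A prefix test is satisfied by a look-alike host such as
    'https://coolmart.example.attacker.example/...' and by any open
    redirect living under the real host.
    """
    return redirect_uri.startswith("https://coolmart.example")


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact-match validation against the client's pre-registered URIs."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    if redirect_uri not in allowed:
        return False
    parts = urlsplit(redirect_uri)
    # Defence in depth on the registered value itself: https only, no fragment.
    return parts.scheme == "https" and parts.fragment == ""
```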
OAuth Security Issue : 5
INSECURE STORAGE OF SECRETS
Insecure Storage of Secrets
● Keys can be extracted from native and mobile apps.
● HTTPS requests can be intercepted from mobile apps
Mitigation Strategy
Clients need a backend server that the application can reach over HTTPS, and the secret is stored on that server rather than in the app.
OAuth Security Issue : 6
CLICKJACKING ON AUTHORIZATION PAGE
Clickjacking during Authorization
The 'Authorize' button on the OAuth authorization page is vulnerable to clickjacking.
image: www.bubblecode.net
Mitigation Strategy
Configure the X-Frame-Options header:
• DENY - the page cannot be displayed in a frame.
• SAMEORIGIN - the page may only be displayed in a frame on the same origin
• ALLOW-FROM - the page may only be displayed in a frame on the specified origins
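An added example (not from the slides) of the check a reviewer would run over an authorization page's response headers to see whether the mitigation above is actually in place; it also covers two caveats a practitioner needs: a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options when both are present, and ALLOW-FROM is obsolete and ignored by current browsers. The sample responses are constructed.

```python
def framing_protection(headers):
    """Classify response headers as 'blocked', 'same-origin', 'allow-list' or 'none'.

    CSP frame-ancestors takes precedence over X-Frame-Options when both are
    present (CSP Level 2 tells browsers to ignore XFO in that case), and
    X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers,
    so a page relying on it is reported as unprotected.
    """
    h = {name.lower(): value for name, value in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or sources == ["'none'"]:
            return "blocked"  # an empty source list matches no ancestor
        if "*" in sources:
            return "none"
        if sources == ["'self'"]:
            return "same-origin"
        return "allow-list"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"  # absent, malformed, or ALLOW-FROM


# Constructed sample responses for an /authorize page, as an audit would see them.
SAMPLE_RESPONSES = {
    "no_headers": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}


def audit(responses):
    """Map each sample to its classification; anything 'none' is clickjackable."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}
```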
Best Practices - Client Applications
● Use secure communication channels
● Do not use an authorization code more than once
● Implement CSRF protection for the redirection URI
● Implement appropriate countermeasures against open redirection
Best Practices - Auth/Resource Server
● Do not accept used authorization codes
● Never whitelist entire domains
● Validate client redirect URIs against pre-registered URIs
● Implement CSRF protection for the authorization endpoint
● The authorization server should redirect back to the client with the "state" parameter.
Questions?
pavan.kumar@we45.com
@topavankumarj
we45.com/blog
OAuth2.0_Vunerable_App

Más contenido relacionado

La actualidad más candente

An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 

La actualidad más candente (20)

An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 

Similar a Security for oauth 2.0 - @topavankumarj

Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
FamilySearch Authentication Options
FamilySearch Authentication OptionsFamilySearch Authentication Options
FamilySearch Authentication OptionsJimmy Zimmerman
 
Integrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseIntegrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseBahman Kalali
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Implementing open authentication_in_your_app
Implementing open authentication_in_your_appImplementing open authentication_in_your_app
Implementing open authentication_in_your_appNuhil Mehdy
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedCalvin Noronha
 
Amazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 GrantsAmazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 GrantsSibtay Abbas
 

Similar a Security for oauth 2.0 - @topavankumarj (20)

Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
Full stack security
Full stack securityFull stack security
Full stack security
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
OpenID Connect
OpenID ConnectOpenID Connect
OpenID Connect
 
FamilySearch Authentication Options
FamilySearch Authentication OptionsFamilySearch Authentication Options
FamilySearch Authentication Options
 
Integrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseIntegrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use case
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Implementing open authentication_in_your_app
Implementing open authentication_in_your_appImplementing open authentication_in_your_app
Implementing open authentication_in_your_app
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
Amazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 GrantsAmazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 Grants
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 

Último

BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 

Último (20)

BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 

Security for oauth 2.0 - @topavankumarj

  • 1. Pavan Kumar J Security For OAuth 2.0 : How To Handle Protected Data An Introduction to OAuth Framework and Security Countermeasures
  • 2. Our Speaker today ● Security Lead at we45. ● Seasoned security professional with over 5 years experience leading Pen Testing projects. ● Written numerous automation scripts for automating host environment reconnaissance. ● Specializes in custom security automation solutions. ● Ardent researcher around a host of different subjects (Cloud Security, OAuth, SSO etc. )
  • 3. Over the next 45 minutes... ● Comprehensive understanding of the OAuth 2.0 authorization framework. ● Threats/Attacks specific to OAuth 2.0 ● Practical demonstration of exploit vectors ● Outline of architectural best practices in OAuth 2.0
  • 4. History of Authentication and Authorization Authentication Protocol Authorization Framework Built upon OAuth 2.0 (Identity, Authentication) + OAuth 2.0 = OpenID Connect
  • 5. Erstwhile OAuth…. ● Storing of user credentials ● Complete Access to user’s accounts ● Insecure handling of user credentials. ● Users can't revoke access ● Compromised apps expose user's password
  • 6. Presenting OAuth2.0 ● OAuth 2.0 stands for Open Authorization ● Protocol provides simple and secure authorization for different types of applications ● A way to provide user access without exchange of credentials ● One of the best method for consumers to interact with protected data
  • 7. Core Elements of an OAuth Flow ● Resource Owner - User ● Client - Coolmart (an example app) ● Authorization Server - Facebook / Google etc ● Resource Server - Facebook/ Google etc
  • 8. OAuth 2.0 : Abstract Flow 1. Application redirects to Auth server 4. Request Access token using Authorization code 6. Fetch protected data using Access Token 3. Application gets Authorization code 5. Application gets Access Token 7. Serves Protected data User Auth server Resource Server 2. User Authorize the Request
  • 9. OAuth 2.0 Grant Types ● Authorization Code Grant ● Implicit Grant ● Password Grant ● Client Credentials
  • 10. Authorization Code Grant 1. Application redirects to Auth server 4. Request Access token using Authorization code 6. Fetch protected data using Access Token 3. Application gets Authorization code 5. Application gets Access Token 7. Serves Protected data User Auth Server Resource Server 2. User Authorize the Request
  • 11. Security Perspective : Auth Code Grant ● Two step protocol ● Authorization code is used to obtain access token and refresh token ● Support for refresh tokens ● Uses Cookies
  • 12. Implicit Grant 1. Application redirects to Auth server 4. Fetch protected data using Access Token 3. Application gets Access token 5. Serves Protected data User Auth server Resource Server 2. User Authorize the Request
  • 13. Security Perspective : Implicit Grant ● Can log into a site WITHOUT storage or knowledge of client_secret key ● Does not supports refresh tokens ● Access token are returned directly from authorization request. ● XSS Attacks
• 14. Resource Owner Password Grant (User, Auth server, Resource server)
1. Application asks the user for their Facebook credentials
2. User provides the credentials to the application
3. Application forwards the credentials to the Auth server
4. Application gets an Access token
5. Application fetches protected data using the Access token
6. Resource server serves the protected data
• 15. Security Perspective : Password Grant
● Suitable only for in-house applications operated by the same organization as the authorization server
● Not suitable for external (third-party) clients
● Clients see and handle the user's credentials
● A compromised app exposes the user's password
● Credentials can be handled insecurely by the client (logged, cached, stored)
• 16. Client Credentials Grant (Auth server, Resource server, no user)
1. Application sends its client credentials (client_id and client_secret) to the Auth server
2. Application gets an Access token
3. Application fetches protected data using the Access token
4. Resource server serves the protected data
• 17. Security Perspective : Client Credentials
● Suitable for machine-to-machine applications
● No refresh token support (the client simply authenticates again)
● No authorization grant from a resource owner: the client acts on its own behalf, so the token represents the client, not a user
● Risk of exposing the client credentials; they must stay confidential and never be shipped to browsers or mobile apps
  • 19. OAuth Security Issue : 1 AUTHORIZATION CODE IS NOT INVALIDATED
• 20. Authorization Codes not invalidated
Attack Scenario:
● An authorization code must be invalidated as soon as it has been used once; if the server keeps accepting it, anyone who captured the code (from a log, a Referer header or a shared URL) can keep exchanging it for fresh access tokens
● When the user revokes access for the application, the access tokens and any outstanding authorization codes issued to that application must be revoked as well
Example of a code carried in a URL, as shown on the slide:
https://clients.amazonworkspaces.com/webclient?auth_code=11QXVVW9Fm8qj29VD55kbfawj_14OqAqrbVqs_tzaEtuor4NL_g-K8eS PW4QtCVRb_pKi7eELFJndQ0LBDaJrhgP2q65lJJQMhVRQg6sBwTu83Z6AKj9Vm7vCE4P2lnvrSLUba6ZAhVYo6QZ4I5O7WGajMslI98IcMy Bk-tZHreaIgGaE52XVXB4VPQPFoIRuSfh1OyYlgF0OIy0JpywU&registrationCode=SLiad+RN58HY&errorHandlerUrl=aHR0cHM6Ly9sb2d pbi5kYWFzLnVtdWMuZWR1LyMvV29ya3NwYWNlSWQ9d3MtMTl3Z3F4NnQxLw==#/main
  • 21. Demo
• 22. Demo: generating any number of access tokens from a single authorization code
• 23. Mitigation Strategy
● Do not accept used authorization codes; treat a replay as an attack and revoke the tokens already issued on that code
● Client websites must never leak the authorization code in the Referer header (complete the exchange and redirect to a clean URL before loading any third-party resource)
● Ensure that pages containing sensitive information are only visible after authentication
○ Ensure that authenticated functionality is not cached, using Cache-Control: no-store
○ A robots.txt file can ask search engines not to index sensitive pages, but it is advisory only and is not an access control
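The slide's first two mitigations, single-use codes and revocation, are easiest to get right when the token endpoint is modelled explicitly. The following is an added example and not code from the talk or from any real authorization server: a hypothetical in-memory authorization server whose token endpoint refuses a spent code, revokes every token previously minted from that code when it sees a replay (the behaviour RFC 6749 section 4.1.2 asks for), and kills unredeemed codes together with access tokens when the user withdraws consent. Client names, URLs and the `now` parameter are assumptions for the demo.

```python
import secrets
import time

# Hypothetical in-memory model of an OAuth 2.0 authorization server's code and
# token stores (constructed for this example, not a real server's code).
CODE_LIFETIME_SECONDS = 600   # RFC 6749 4.1.2: codes should be short-lived


class AuthorizationServer:
    def __init__(self):
        self._codes = {}    # code -> record
        self._tokens = {}   # access_token -> record

    def issue_code(self, client_id, redirect_uri, user, scope, now=None):
        """Front channel: after the user consents, mint a one-time code bound
        to the client, the redirect_uri it used and the granted scope."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "user": user,
            "scope": scope, "issued_at": now or time.time(), "used": False,
        }
        return code

    def exchange_code(self, code, client_id, redirect_uri, now=None):
        """Back channel (token endpoint). Returns (access_token, error)."""
        now = now or time.time()
        rec = self._codes.get(code)
        if rec is None or now - rec["issued_at"] > CODE_LIFETIME_SECONDS:
            return None, "invalid_grant"
        # The code is only valid for the client and redirect_uri it was issued to
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None, "invalid_grant"
        if rec["used"]:
            # Replay of a spent code: the code may have been stolen, so revoke
            # every token that was issued on it (RFC 6749 4.1.2).
            for tok in self._tokens.values():
                if tok["code"] == code:
                    tok["revoked"] = True
            return None, "invalid_grant"
        rec["used"] = True
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": rec["user"], "client_id": client_id,
                               "scope": rec["scope"], "code": code, "revoked": False}
        return token, None

    def revoke_client_access(self, user, client_id):
        """User withdraws consent: drop outstanding codes as well as tokens."""
        stale = [c for c, r in self._codes.items()
                 if r["user"] == user and r["client_id"] == client_id]
        for c in stale:
            del self._codes[c]
        for tok in self._tokens.values():
            if tok["user"] == user and tok["client_id"] == client_id:
                tok["revoked"] = True

    def token_is_valid(self, token):
        rec = self._tokens.get(token)
        return rec is not None and not rec["revoked"]


CALLBACK = "https://coolmart.example/oauth/callback"   # assumed registered URI


def replay_demo():
    """Exchange one code twice, as the slide's demo does."""
    srv = AuthorizationServer()
    code = srv.issue_code("coolmart", CALLBACK, "alice", "email", now=1000.0)
    tok1, err1 = srv.exchange_code(code, "coolmart", CALLBACK, now=1001.0)
    tok2, err2 = srv.exchange_code(code, "coolmart", CALLBACK, now=1002.0)
    return {"first_error": err1, "second_error": err2, "second_token": tok2,
            "first_token_valid_after_replay": srv.token_is_valid(tok1)}


def revocation_demo():
    """User revokes the app: an unredeemed code must die with the tokens."""
    srv = AuthorizationServer()
    first = srv.issue_code("coolmart", CALLBACK, "alice", "email", now=1000.0)
    tok, _ = srv.exchange_code(first, "coolmart", CALLBACK, now=1001.0)
    pending = srv.issue_code("coolmart", CALLBACK, "alice", "email", now=1002.0)
    srv.revoke_client_access("alice", "coolmart")
    _, err = srv.exchange_code(pending, "coolmart", CALLBACK, now=1003.0)
    return {"old_token_valid": srv.token_is_valid(tok), "pending_code_error": err}
```

The second `exchange_code` call in `replay_demo` not only fails but also invalidates the token handed out by the first call, which is the point: a server that merely rejects the replay still leaves the attacker's earlier token alive if the attacker got there first.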
  • 24. OAuth Security Issue : 2 OAUTH SCOPE PERMISSIONS
• 26. Mitigation Strategy
● Developers must decide which scopes each type of client website may request when setting up the authorization server, and reject requests for scopes outside that set
● The client website MUST explain to the user the scope of permissions it is asking for, and should request only the minimum it needs
  • 27. OAuth Security Issue : 3 ACCOUNT TAKEOVER USING CSRF
• 28. Account Takeover using CSRF (Attacker, User)
1. Attacker creates a dummy account on Coolmart
2. Attacker starts "Sign in with Facebook"
3. Coolmart redirects the attacker to Facebook
4. Attacker gets an authorization code but does not complete the callback
5. Attacker crafts a forged callback request carrying that code and sends it to the victim
6. Victim, logged in to Coolmart, clicks the forged request
7. The attacker's Facebook account is now connected to the victim's Coolmart account, so the attacker can sign in to it through Facebook
• 29. Mitigation Strategy
● OAuth 2.0 provides protection against this attack through the state parameter, which acts like a CSRF token bound to the user's session
● Client websites must send an unguessable state parameter and must reject any callback whose state does not match the one stored in that browser's session
● Authorization servers must document how clients should generate and handle state, and must return it unchanged alongside the code
  • 30. OAuth Security Issue : 4 STEALING OAUTH TOKENS via REDIRECT_URL
• 31. Stealing OAuth Tokens
● The attacker owns a website, www.attacker.com
● After capturing the victim's authorization URL, the attacker replaces the redirect_uri parameter with www.attacker.com and delivers the tampered link to the victim
● After the victim authenticates and approves, the OAuth server redirects to the attacker's URL with the authorization code
● Using the code, the attacker obtains an access token
  • 32. Demo
• 33. Demo: stealing the authorization code by CSRF and a tampered redirect_uri
• 34. Mitigation Strategy
● Ensure that redirect_uri cannot be tampered with anywhere in the flow
● The authorization server must always validate redirect_uri against the value pre-registered for the client, as an exact match rather than a prefix or domain match
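The scope (slide 26), state (slide 29) and redirect_uri (slide 34) mitigations all sit on the two ends of the same redirect, so one example covers them. This is an added example, not code from the talk: a hypothetical authorization endpoint that checks redirect_uri by exact match against the client's registration, rejects scopes the client was not registered for, and refuses requests without state; plus the hypothetical Coolmart client side that stores a fresh state in the browser session and only accepts a callback whose state matches that session. Client IDs, URLs and the session object are constructed for the demo.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration at the authorization server.
REGISTERED_CLIENTS = {
    "coolmart": {
        "redirect_uris": {"https://coolmart.example/oauth/callback"},
        "allowed_scopes": {"email", "public_profile"},
    },
}


def validate_authorization_request(params):
    """Authorization endpoint: checks run before any consent page is shown.
    Returns (validated_request, error). On a bad redirect_uri the server must
    show the error itself and NOT redirect (RFC 6749 3.1.2.4)."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        return None, "unauthorized_client"
    redirect_uri = params.get("redirect_uri")
    # Exact string comparison: no prefix, domain or substring matching, since
    # those are what let an attacker-controlled URI through.
    if redirect_uri not in client["redirect_uris"]:
        return None, "invalid_redirect_uri"
    requested = set(params.get("scope", "").split())
    if not requested or not requested <= client["allowed_scopes"]:
        return None, "invalid_scope"
    # Policy choice (RFC 6749 only recommends state): refuse requests without
    # it so that no client can silently skip CSRF protection.
    if not params.get("state"):
        return None, "missing_state"
    return {"client_id": params["client_id"], "redirect_uri": redirect_uri,
            "scope": " ".join(sorted(requested)), "state": params["state"]}, None


class ClientSession:
    """Stand-in for the client's per-browser session store (constructed)."""
    def __init__(self):
        self.oauth_state = None


def build_authorization_url(session, auth_endpoint, client_id, redirect_uri, scope):
    """Client side: mint an unguessable state, keep it in this user's session."""
    session.oauth_state = secrets.token_urlsafe(32)
    return auth_endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": session.oauth_state})


def handle_callback(session, callback_url):
    """Client side: accept the code only if the returned state matches the one
    stored in THIS browser's session. Returns (code, error)."""
    qs = parse_qs(urlsplit(callback_url).query)
    returned_state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    expected, session.oauth_state = session.oauth_state, None   # one use only
    if not expected or returned_state is None or \
            not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return None, "state_mismatch"   # forged or replayed callback: do not link
    if code is None:
        return None, "missing_code"
    return code, None


AUTHZ = "https://auth.example/authorize"              # assumed endpoint
CALLBACK = "https://coolmart.example/oauth/callback"  # assumed registered URI


def csrf_demo():
    """Attacker runs their own login up to the callback, then feeds that
    callback URL to the victim's browser (the slide's account-takeover flow)."""
    attacker = ClientSession()
    url = build_authorization_url(attacker, AUTHZ, "coolmart", CALLBACK, "email")
    attacker_state = parse_qs(urlsplit(url).query)["state"][0]
    forged = CALLBACK + "?" + urlencode({"code": "ATTACKER_CODE", "state": attacker_state})
    victim = ClientSession()   # victim has their own flow in progress, with their own state
    build_authorization_url(victim, AUTHZ, "coolmart", CALLBACK, "email")
    return {"attacker_own_callback": handle_callback(attacker, forged),
            "victim_gets_forged_callback": handle_callback(victim, forged)}


def redirect_uri_demo():
    """Server-side view: only the exact registered URI and allowed scopes pass."""
    good = {"client_id": "coolmart", "redirect_uri": CALLBACK, "scope": "email", "state": "s1"}
    cases = {
        "good": good,
        "tampered": dict(good, redirect_uri="https://www.attacker.com/steal"),
        "lookalike": dict(good, redirect_uri=CALLBACK + "/../../evil"),
        "overscoped": dict(good, scope="email friends_list"),
    }
    return {name: validate_authorization_request(p)[1] for name, p in cases.items()}
```

`handle_callback` clears the stored state before comparing, so a captured callback cannot be replayed into the same session either; the server-side `redirect_uri` check deliberately returns an error instead of redirecting, because redirecting to the supplied URI on failure would itself be an open redirect.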
  • 35. OAuth Security Issue : 5 INSECURE STORAGE OF SECRETS
• 36. Insecure Storage of Secrets
● Keys such as the client_secret can be extracted from native and mobile apps
● HTTPS requests from mobile apps can be intercepted (for example with a proxy and a user-installed CA certificate), exposing the secret in transit
• 37. Mitigation Strategy
Clients need a backend server that the application talks to over HTTPS; the client_secret is stored on that server and never embedded in the native or mobile app.
  • 38. OAuth Security Issue : 6 CLICKJACKING ON AUTHORIZATION PAGE
• 39. Clickjacking during Authorization
The 'Authorize' button on the OAuth authorization page can be overlaid in an invisible frame on an attacker's page, tricking the user into granting access. image: www.bubblecode.net
• 40. Mitigation Strategy
Configure the X-Frame-Options header on the authorization page:
• DENY - the page cannot be displayed in a frame
• SAMEORIGIN - the page can only be displayed in a frame on the same origin
• ALLOW-FROM uri - the page can only be displayed in a frame on the specified origin (no longer honoured by current browsers; use the Content-Security-Policy frame-ancestors directive for an allow-list)
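Whether an authorization page is actually protected depends on how the browser combines the headers it receives, and the verdict is easy to get wrong by eye. The following is an added example, not from the talk: a small checker that, given the response headers of an authorization page, decides whether a page at a given attacker origin could frame it, applying the rules browsers use (a CSP frame-ancestors directive takes precedence over X-Frame-Options; DENY and SAMEORIGIN behave as the slide lists; ALLOW-FROM is ignored by current browsers, which the `modern_browser` flag models). Header values and origins in the demo are constructed.

```python
def _csp_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _source_matches(source, origin):
    """Minimal CSP source matcher: '*', scheme-source, host-source with
    optional leading wildcard, or an exact origin."""
    if source == "*":
        return True
    if source.endswith(":"):                       # e.g. "https:"
        return origin.startswith(source + "//")
    if "://*." in source:                          # e.g. "https://*.partner.example"
        scheme, _, host = source.partition("://*.")
        o_scheme, _, o_host = origin.partition("://")
        return o_scheme == scheme and (o_host == host or o_host.endswith("." + host))
    return source.rstrip("/") == origin


def can_be_framed_by(headers, page_origin, framer_origin, modern_browser=True):
    """True if a page served with `headers` from `page_origin` can be embedded
    in a frame hosted at `framer_origin`. Header names are case-insensitive."""
    page_origin, framer_origin = page_origin.lower(), framer_origin.lower()
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # CSP frame-ancestors wins over X-Frame-Options when both are present.
        # An empty source list means the same as 'none'.
        for src in ancestors:
            if src == "'none'":
                return False
            if src == "'self'":
                if framer_origin == page_origin:
                    return True
            elif _source_matches(src, framer_origin):
                return True
        return False
    xfo_raw = h.get("x-frame-options", "").strip()
    xfo = xfo_raw.upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    if xfo.startswith("ALLOW-FROM"):
        if modern_browser:
            # Chromium and Firefox treat ALLOW-FROM as an unrecognised value and
            # ignore the header entirely, so the page is framable by anyone.
            return True
        parts = xfo_raw.split(None, 1)
        return len(parts) == 2 and parts[1].strip().rstrip("/").lower() == framer_origin
    return True   # no framing control at all


def audit_demo():
    """Constructed header sets for an authorization page at auth.example, checked
    against an attacker origin."""
    page, attacker = "https://auth.example", "https://www.attacker.com"
    candidates = {
        "no_headers": {},
        "deny": {"X-Frame-Options": "DENY"},
        "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
        "allow_from_modern": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "csp_none_overrides_xfo": {"X-Frame-Options": "ALLOW-FROM https://partner.example",
                                   "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    }
    return {name: can_be_framed_by(hdrs, page, attacker) for name, hdrs in candidates.items()}
```

Running `audit_demo()` shows the trap in the slide's third option: a page that relies on ALLOW-FROM alone is framable by the attacker in current browsers, while adding `frame-ancestors 'none'` closes it regardless of what X-Frame-Options says.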
• 41. Best Practices - Client Applications
● Use secure communication channels (TLS) for every leg of the flow
● Do not use an authorization code more than once
● Implement CSRF protection for the redirection URI (the state parameter)
● Implement appropriate countermeasures against open redirection
• 42. Best Practices - Auth/Resource Server
● Do not accept used authorization codes
● Never whitelist entire domains as redirect URIs
● Validate client redirect URIs against the pre-registered URIs
● Implement CSRF protection for the authorization endpoint
● The authorization server should redirect back to the client with the "state" parameter unchanged