Slides from a talk I gave at IBWAS'10 in Lisbon, Portugal.
Abstract:
Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as RFC 5849 and is being widely adopted by large Internet companies, it is important to stress its possible security vulnerabilities.
This talk will focus on the OWASP Top 10 Application Security Risks and how OAuth is affected by them.
While some of the security risks are mitigated by OAuth, developers need to take some action to prevent other risks from affecting their implementations.
Is OAuth Really Secure?
1. IBWAS’10
Bruno Pedro
17 November 2010
Is OAuth Really Secure?
http://www.flickr.com/photos/rooreynolds/2396418896/
2. Bruno Pedro
An experienced Web developer and entrepreneur. Co-founder of tarpipe.com, a social media publishing platform.
http://tarpipe.com/user/bpedro
3. Summary
• What is OAuth?
• Possible OWASP Top 10 threats
• Possible solutions
• Questions
9. A1 - Injection
Diagram: consumer → ask for token → provider; provider → verify token → database; provider → receive token ok → consumer
Potential injection: at the database lookup used to verify the token
10. A3 - Broken authentication
Diagram: consumer → API call (access token, access secret) → provider
• Weak or open access token and secret
• Possible user impersonation
11. A5 - CSRF
http://tinyurl.com/38o3r93
• End point might be open to CSRF
• Possible user impersonation
Authorization - used most of the time
Authentication - 2-legged OAuth, “sign in with Twitter”, not to be confused with OpenID
Built as an Open Protocol on top of already existing solutions (Amazon, Yahoo)
Possible solution: verify tokens prior to database
Possible solutions: crypto, throttle
Possible solution: any CSRF solution
Solution: crypto and more
Possible solution: fix callback to same domain or even same page
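The A1 and A3 notes above ("verify tokens prior to database", "crypto") as an added Python example, not code from the talk: a provider-side token lookup that splices the token into SQL beside a hardened version that checks the token's shape before any database access and binds it as a parameter, with tokens and secrets drawn from a CSPRNG. The table name, token length and in-memory SQLite store are assumptions constructed for the demo.

```python
import re
import secrets
import sqlite3

# Shape of a secrets.token_urlsafe(32) value: 43 base64url characters (assumption for this demo).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def issue_token():
    """A3: access token and secret come from a CSPRNG, not from guessable values."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def setup_db():
    """Constructed in-memory stand-in for the provider's token database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access_tokens (token TEXT PRIMARY KEY, secret TEXT, user TEXT)")
    token, secret = issue_token()
    db.execute("INSERT INTO access_tokens VALUES (?, ?, ?)", (token, secret, "alice"))
    return db, token


def lookup_vulnerable(db, token):
    """A1: the token string is concatenated into SQL, so a crafted token rewrites the query."""
    row = db.execute(f"SELECT user FROM access_tokens WHERE token = '{token}'").fetchone()
    return row[0] if row else None


def lookup_hardened(db, token):
    """Reject anything that is not shaped like a token before it reaches the database,
    then pass the value as a bound parameter instead of building the query string."""
    if not TOKEN_RE.match(token):
        return None
    row = db.execute("SELECT user FROM access_tokens WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db, good = setup_db()
    crafted = "' OR '1'='1"  # constructed malformed token, not a real OAuth value
    print("hardened, valid token:   ", lookup_hardened(db, good))
    print("vulnerable, crafted token:", lookup_vulnerable(db, crafted))
    print("hardened, crafted token:  ", lookup_hardened(db, crafted))
```

The vulnerable lookup returns a user for the malformed token; the hardened one never runs a query for it.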