
OAuth 2.0 & Security Considerations


I gave this talk at OWASP/Null Delhi chapter meet. The session was around the OAuth 2.0 workflow and a few security considerations that developers or security analysts need to take care of.

Meet details: https://null.co.in/events/210-delhi-null-delhi-meet-30-july-2016-null-owasp-combined-meet


  1. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org. OAuth 2.0 & Security Considerations. Vaibhav Gupta, Twitter: @VaibhavGupta_1, Blog: exploits.work. Delhi Chapter Meet – 30 July 2016
  2. Agenda (recursion! #GeekHumour :-P): Problem Statement: Why OAuth? What is OAuth? Typical OAuth Dance. Let's talk security!
  3. Disclaimer! OAuth has a lot of stuff to cover and given the time constraints, I will stick to the important ones.
  4. Problem Statement: Why OAuth? The password sharing anti-pattern. Resource owner (You!), Client (Photo Printing Service), Protected Resource (facebook.com). Aim: to give the client access to the protected resource on behalf of the resource owner.
  5. What is OAuth? An authorization (not authentication!) framework; a security delegation protocol; based on tokens: how to "get token" and how to "use token".
  6. So you think I am understanding it!!
  7. Typical OAuth 2.0 Dance Party! Here are the invitees: Resource owner, Protected resource, Client, Authorization server.
  8. Image: OAuth 2 in action
  9. (image-only slide)
  10. Image: OAuth 2 in action
  11. Let's Talk Security! CSRF – the "state" parameter [Client Vuln]: `<img src="https://photoprinting.local/callback?code=Attacker_Auth_Code">` Image: OAuth 2 in action
  12. "redirect_uri" mismatch [Auth Server Vuln.]. How about stealing the auth code from the Referer header? A lot of others!! Time constraint.
  13. References: OAuth 2.0 Specs, http://tools.ietf.org/html/rfc6749; OAuth 2.0 – Threat Model, https://tools.ietf.org/html/rfc6819; Book: "OAuth 2 in Action" by Justin Richer and Antonio Sanso
  14. Questions?
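The CSRF on slide 11 and the "state" mitigation, as an added example that is not part of the talk: a minimal client-side callback handler in Python, the vulnerable form beside the hardened one. The authorization server URL, the client id and the in-memory SESSIONS store are assumed placeholders; the redirect URI is the one from the slide.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"oauth_state": ...}
# (assumed placeholder for the client's real server-side session storage).
SESSIONS = {}

AUTHZ_ENDPOINT = "https://authserver.example/authorize"  # assumed placeholder
CLIENT_ID = "photoprinting"                               # assumed placeholder
REDIRECT_URI = "https://photoprinting.local/callback"     # from slide 11


def start_login(session_id):
    """Client step 1: mint a random state, bind it to the user's session,
    and build the authorization request the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    return (f"{AUTHZ_ENDPOINT}?response_type=code&client_id={CLIENT_ID}"
            f"&redirect_uri={REDIRECT_URI}&state={state}")


def handle_callback_vulnerable(session_id, params):
    """The pattern on slide 11: the callback trusts any 'code' it receives,
    so a forged <img src=".../callback?code=..."> binds the attacker's
    authorization code to the victim's session."""
    return {"accepted": True, "code": params.get("code")}


def handle_callback_hardened(session_id, params):
    """Mitigation: accept the code only if the 'state' echoed back matches
    the one stored for this session; the stored state is single-use."""
    session = SESSIONS.get(session_id, {})
    expected = session.pop("oauth_state", None)   # consumed on any attempt
    received = params.get("state")
    if expected is None or received is None:
        return {"accepted": False, "reason": "missing state"}
    # Constant-time comparison so the check does not leak the state via timing.
    if not hmac.compare_digest(expected, received):
        return {"accepted": False, "reason": "state mismatch"}
    return {"accepted": True, "code": params.get("code")}


if __name__ == "__main__":
    start_login("victim-session")
    forged = {"code": "Attacker_Auth_Code"}           # no state parameter
    print(handle_callback_vulnerable("victim-session", forged))  # accepted
    print(handle_callback_hardened("victim-session", forged))    # rejected
```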