OAuth 2.0 & Security Considerations

1. Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OAuth 2.0 & Security Considerations Vaibhav Gupta Twitter: @VaibhavGupta_1 Blog: exploits.workDelhi Chapter Meet – 30 July 2016

2. OWASP 2 Agenda Agenda (recursion! #GeekHumour :-P) Problem Statement: Why OAuth? What is OAuth? Typical OAuth Dance Lets talk security!

3. OWASP Disclaimer! OAuth has a lot of stuff to cover and given the time constraints, I will stick to the important ones  3

4. OWASP Problem Statement: Why OAuth? Password sharing anti-pattern 4 Resource owner (You!) Client (Photo Printing Service) Protected Resource (facebook.com) Aim: To give client access to the protected resource on behalf of resource owner

5. OWASP What is OAuth Authorization (not authentication!) framework Security delegation protocol Based on token How to “get token” and how to “use token” 5

6. OWASP 6 So you think I am understanding it !!

7. OWASP Typical OAuth 2.0 Dance Party! Here are the invitees: Resource owner Protected resource Client Authorization server 7

8. OWASP 8 Image: OAuth 2 in action

9. OWASP 9

10. OWASP 10 Image: OAuth 2 in action

11. OWASP Let’s Talk Security! CSRF – “state” parameter [Client Vuln] <img src=“ https://photoprinting.local/callback?code=Attacker_Auth_Code ”> 11 Image: OAuth 2 in action

12. OWASP “redirect_uri” mismatch [Auth Server Vuln.] How about stealing auth code from referrer header? A lot others!! Time constraint  12

13. OWASP References OAuth 2.0 Specs http://tools.ietf.org/html/rfc6749 OAuth 2.0 – Threat model https://tools.ietf.org/html/rfc6819 Book: “OAuth 2 in Action” by Justin Richer and Antonio Sanso 13

14. OWASP 14 Questions?

Esté a ler uma amostra.

OAuth 2.0 & Security Considerations

Livros relacionados

Gratuito durante 30 dias do Scribd

Audiolivros relacionados

Gratuito durante 30 dias do Scribd