OAuth 2.0 & Security Considerations


Upload: vaibhav-gupta

Post on 16-Apr-2017


TRANSCRIPT

Page 1: OAuth 2.0 & Security Considerations

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OAuth 2.0 & Security Considerations

Vaibhav Gupta
Twitter: @VaibhavGupta_1

Blog: exploits.work
Delhi Chapter Meet – 30 July 2016

Page 2: OAuth 2.0 & Security Considerations


Agenda

Agenda (recursion! #GeekHumour :-P)

Problem Statement: Why OAuth?

What is OAuth?

Typical OAuth Dance

Let's talk security!

Page 3: OAuth 2.0 & Security Considerations


Disclaimer!

OAuth has a lot of stuff to cover and, given the time constraints, I will stick to the important ones.

Page 4: OAuth 2.0 & Security Considerations


Problem Statement: Why OAuth?

Password sharing anti-pattern


Resource owner (You!)

Client (Photo Printing Service)

Protected Resource (facebook.com)

Aim: To give the client access to the protected resource on behalf of the resource owner

Page 5: OAuth 2.0 & Security Considerations


What is OAuth

Authorization (not authentication!) framework

Security delegation protocol

Based on tokens

How to “get token” and how to “use token”

Page 6: OAuth 2.0 & Security Considerations


So you think I am understanding it!!

Page 7: OAuth 2.0 & Security Considerations


Typical OAuth 2.0 Dance Party!

Here are the invitees:

Resource owner

Protected resource

Client

Authorization server


Page 8: OAuth 2.0 & Security Considerations


Image: OAuth 2 in action

Page 9: OAuth 2.0 & Security Considerations


Page 10: OAuth 2.0 & Security Considerations


Image: OAuth 2 in action

Page 11: OAuth 2.0 & Security Considerations


Let’s Talk Security!

CSRF – “state” parameter [Client Vuln]

<img src="https://photoprinting.local/callback?code=Attacker_Auth_Code">

Image: OAuth 2 in action
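The slide above shows why the client must bind each authorization request to the user's session: without a `state` value, an attacker can make the victim's browser hit the callback URL with an authorization code of the attacker's choosing. The following Python is an added example written for this transcript, not code from the slides or from any OAuth library. It simulates the client half of the "dance" (build the authorization request, then handle the callback) and rejects exactly the forged callback shown on the slide. `PhotoPrintingClient`, `AUTHORIZE_ENDPOINT` and `CLIENT_ID` are hypothetical names; the callback URL is the one from the slide.

```python
# Added example, not from the slides: client side of the authorization-code
# flow with a per-session "state" value, so the forged callback shown on the
# slide is rejected. PhotoPrintingClient, the endpoint URL and client_id are
# hypothetical; REDIRECT_URI is the URL used on the slide.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://auth.example.local/authorize"  # hypothetical
CLIENT_ID = "photoprinting"                                   # hypothetical
REDIRECT_URI = "https://photoprinting.local/callback"         # from the slide


class PhotoPrintingClient:
    """Minimal client side of the OAuth 2.0 authorization-code flow."""

    def __init__(self):
        # session_id -> per-session data; in a real app this is the server-side session store
        self.sessions = {}

    def start_authorization(self, session_id):
        """Step 1: build the redirect to the authorization server, remembering a fresh state."""
        state = secrets.token_urlsafe(32)          # unguessable, per request
        self.sessions[session_id] = {"state": state}
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "photos.read",
            "state": state,
        }
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

    def pending_state(self, session_id):
        """The state this session is waiting for, or None if nothing is in flight."""
        return self.sessions.get(session_id, {}).get("state")

    def handle_callback(self, session_id, callback_url):
        """Step 2: accept the callback only if its state matches this session's pending state.

        Returns the authorization code to exchange, or None when the callback is
        unsolicited, carries no matching state (the <img src=...> trick), or is replayed.
        """
        expected = self.pending_state(session_id)
        if expected is None:
            return None  # nothing in flight for this session: unsolicited callback
        query = parse_qs(urlparse(callback_url).query)
        code = query.get("code", [None])[0]
        state = query.get("state", [None])[0]
        if code is None or state is None:
            return None  # the forged callback on the slide has no state at all
        # Constant-time comparison; encode so non-ASCII input cannot raise TypeError
        if not secrets.compare_digest(state.encode("utf-8"), expected.encode("utf-8")):
            return None
        # Success: the state is single-use, so replaying the same callback fails
        del self.sessions[session_id]["state"]
        return code
```

The forged `<img>` request from the slide arrives without a `state` parameter (and could not guess one), so `handle_callback` returns `None` and the attacker's code is never exchanged for a token and never tied to the victim's account. The state is consumed on success, which also stops a legitimate callback from being replayed.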

Page 12: OAuth 2.0 & Security Considerations


“redirect_uri” mismatch [Auth Server Vuln.]

How about stealing auth code from referrer header?

A lot of others!! (Time constraint)
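For the "redirect_uri mismatch" point, here is an added Python example (written for this transcript, not code from the slides or from any authorization server) showing what the authorization server's check should look like. A loose prefix check is placed beside the strict one only to make the weakness concrete; the strict simple-string comparison is what RFC 6749 §3.1.2.3 calls for, and on a mismatch the server must not redirect anywhere (RFC 6749 §4.1.2.1). The `CLIENT_REGISTRY` contents and the function names are constructed for the example; the registered callback is the URL from the slides.

```python
# Added example, not from the slides: redirect_uri validation at the
# authorization server. loose_redirect_check is shown only to make the
# mismatch weakness concrete; strict_redirect_check is the one to use.
# CLIENT_REGISTRY contents are constructed for this example.
from urllib.parse import urlsplit

# Constructed registry: each client pre-registers its complete redirect URI(s).
CLIENT_REGISTRY = {
    "photoprinting": {"https://photoprinting.local/callback"},  # URL from the slides
}


def loose_redirect_check(client_id, requested):
    """WEAK: accepts any URI that merely starts with a registered one."""
    registered = CLIENT_REGISTRY.get(client_id, set())
    return any(requested.startswith(r) for r in registered)


def strict_redirect_check(client_id, requested):
    """Simple string comparison against the registered set (RFC 6749 §3.1.2.3)."""
    registered = CLIENT_REGISTRY.get(client_id, set())
    if requested not in registered:
        return False
    parts = urlsplit(requested)
    # The registered URI itself must be absolute https with no fragment (RFC 6749 §3.1.2)
    return parts.scheme == "https" and parts.netloc != "" and parts.fragment == ""


def authorize(client_id, redirect_uri, code):
    """Return the redirect carrying the code, or None when redirect_uri does not match.

    On mismatch the server shows an error to the resource owner instead of
    redirecting (RFC 6749 §4.1.2.1), so the code never leaves for an
    unregistered URI.
    """
    if not strict_redirect_check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}?code={code}"
```

With the loose check, any URI that starts with the registered string passes, which is exactly the mismatch the slide warns about; the strict check accepts only the registered string itself. This also narrows the referrer-header issue on the same slide: the code can only ever be sent to a URI the client registered, and the client in turn should exchange the code straight away and not render third-party content on a page whose URL still carries `?code=`.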

Page 13: OAuth 2.0 & Security Considerations


References

OAuth 2.0 Spec: http://tools.ietf.org/html/rfc6749

OAuth 2.0 – Threat model: https://tools.ietf.org/html/rfc6819

Book: “OAuth 2 in Action” by Justin Richer and Antonio Sanso


Page 14: OAuth 2.0 & Security Considerations


Questions?