OAuth 2.0 is at the heart of OpenID Connect, Mobile Connect, UMA and many other popular standards. Understanding the threat landscapes in OAuth 2.0 is essential in building a secured identity infrastructure. This talk will guide you through multiple attacks that took place over last couple of years, their root causes and how to mitigate any future security exploits by following best practices.
Learning Objectives:
1: Learn OAuth 2.0 fundamentals.
2: Understand what can go wrong with OAuth 2.0 implementation.
3: Explore security best practices and guidelines.
(Source: RSA Conference USA 2018)
10. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Session InjecAon with CSRF (Threats)
10
11. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Session InjecAon with CSRF (VicAms)
11
Web / Mobile applicaAon users
12. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Session InjecAon with CSRF (MiAgaAon / Best
PracAces)
12
Short-lived authorizaAon code
Use state parameter
Proof-key-for-code-exchange (PKCE)
13. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (Threats)
13
A[acker may a[empt to eavesdrop
authorizaAon code/access token/
refresh token in transit.
AuthorizaAon Code Flow Open
Redirector
OAuth 2.0 naAve apps can get hold
of the authorizaAon code.
14. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (Threats)
14
A[acker may a[empt a brute force a[ack to crack the authorizaAon
code/access token.
A[acker may a[empt to steal the authorizaAon code/access token/
refresh token stored in the authorizaAon server.
IdP Mix-Up / Malicious Endpoint.
15. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (VicAms)
15
Web/Mobile applicaAon users
Web/Mobile applicaAon owners
16. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (MiAgaAon / Best PracAces)
16
Always on TLS (use TLS 1.2 or later)
Address all the TLS level vulnerabiliAes both at the client,
authorizaAon server and the resource server.
The token value should be >=128 bits long and constructed from a
cryptographically strong random or pseudo-random number
sequence.
17. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (MiAgaAon / Best PracAces)
17
Never store tokens in clear text - but the salted hash.
Short-lived tokens.
LinkedIn has an expiraAon of 30 seconds for its authorizaAon codes.
The token expiraAon Ame would depend on the following parameters.
Risk associated with token leakage
DuraAon of the underlying access grant
Time required for an a[acker to guess or produce a valid token
18. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (MiAgaAon / Best PracAces)
18
One-Ame authorizaAon code
One-Ame access token (implicit grant type)
Use PKCE (proof key for code exchange) to avoid authorizaAon code
intercepAon a[ack.
Have S256 as the code challenge method
Enforce standard SQL injecAon countermeasures
19. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (MiAgaAon / Best PracAces)
19
Avoid using the same client_id/client_secret for each instance of a
mobile app - rather use the Dynamic Client RegistraAon API to
generate a key pair per instance.
Most of the Ame the leakage of authorizaAon code becomes a threat when the
a[acker is in hold of the client id and client secret.
Restrict grant types by client.
Most of the authorizaAon servers do support all core grant types. If
unrestricted, leakage of client id/client secret gives the a[acker the
opportunity obtain an access token via client credenAals grant type.
20. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (MiAgaAon / Best PracAces)
20
Enable client authenAcaAon via a much secured manner.
JWT client asserAons
TLS mutual authenAcaAon
Have a key of size 2048 bits or larger if RSA algorithms are used for the client
authenAcaAon
Have a key of size 160 bits or larger if ellipAc curve algorithms are used for the
client authenAcaAon
21. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Leakage (MiAgaAon / Best PracAces)
21
White-list callback URLs (redirect_uri)
The absolute URL or a regEx pa[ern
IdP-Mixup
Use different callback URLs by IdP
h[ps://tools.iej.org/html/drak-iej-oauth-mix-up-miAgaAon-01
22. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Reuse/Misuse (Threats)
22
A malicious resource could reuse an
access token used to access itself by
a legiAmate client to access another
resource, impersonaAng the original
client
23. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Reuse/Misuse (Threats)
23
An evil web site gets an access token from a legiAmate user, can reuse
it at another web site (which trusts the same authorizaAon server)
with the implicit grant type
h[ps://target-app/callback?access_token=<access_token>
A legiAmate user misuses an access token (issued under implicit grant
type/SPA) to access a set of backend APIs in a way, exhausAng server
resources.
24. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Reuse/Misuse (VicAms)
24
Web/Mobile applicaAon users
Web/Mobile applicaAon owners
25. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Reuse/Misuse (MiAgaAons / Best
PracAces)
25
A malicious resource (an API / Microservice) could reuse an access
token used to access itself by a legiAmate client to access another
resource, impersonaAng the original client.
An evil web site gets an access token from a legiAmate user, can reuse
it at another web site (which trusts the same authorizaAon server)
with the implicit grant type
h[ps://target-app/callback?access_token=<access_token>
26. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Reuse/Misuse (MiAgaAons / Best
PracAces)
26
A legiAmate user misuses an access token (issued under implicit grant
type/SPA) to access a set of backend APIs in a way, exhausAng server
resources.
To avoid exhausAng resources at the server side, enforce thro[le
limits by user by applicaAon. In case an a[acker wants to misuse a
token - the worst he/she can do is to eats his/her own quota.
27. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Export (Threats)
27
An a[acker could export an access
token from its originaAng channel
and use somewhere else.
A common a[ack vector for SPAs
(Single Page ApplicaAons)
A major concerns with bearer
tokens.
28. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Export (VicAms)
28
Web/Mobile applicaAon users
Web/Mobile applicaAon owners
29. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Token Export (MiAgaAons / Best PracAces)
29
The use of Token Binding protects access tokens from man-in-the-
middle and token export and replay a[acks.
h[ps://tools.iej.org/html/drak-jones-oauth-token-binding-00
30. Presenter’s Company
Logo – replace or
delete on master slide
#RSAC
Apply What You Have Learned Today!
30
Review and test current OAuth 2.0 client applicaAons against the
threats we discussed – probably build a test suite!
Build a security check-list for an OAuth 2.0 AuthorizaAon Server, and
make sure what you build or what you buy, adheres to it.
Be the security champion of your team!