• Home

  • Documents

  • OAuth: Where are we going? - OWASP v1 and v2 2 "OAuth 2.0 at the hand of a developer with deep...
30
OAuth: Where are we going? 1 What is OAuth? OAuth and CSRF Redirection Token Reuse OAuth Grant Types

OAuth: Where are we going? - OWASP v1 and v2 2 "OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result [in] a secure implementation

  • Upload
    votram

  • View
    226

  • Download
    1

Embed Size (px)

Citation preview

  • OAuth:Wherearewegoing?

    1

    WhatisOAuth?

    OAuthandCSRF

    Redirection

    TokenReuse

    OAuthGrantTypes

  • OAuthv1andv2

    2

    "OAuth2.0atthehandofadeveloperwithdeepunderstandingofwebsecuritywilllikelyresult[in]asecureimplementation.However,atthehandsofmostdevelopers ...2.0islikelytoproduceinsecureimplementations."

    http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/http://hueniverse.com/2010/09/29/oauth-bearer-tokens-are-a-terrible-idea/

    Eran Hammer,OriginalFounderofOAuth

  • OAuthHistory

    Nov2006:BlaineCookbeginsworkingonOAuthwhileatTwitter 2007:Ma.gnolia,Googleandothersjointhediscussion 2007:Eran Hammerjoinsandsoonleadsthespecification Dec2007:OAuth1.0finaldraft 2008:GoogleOAuth1.0supportbegins 2010:TwitterforcesallthirdpartyappstouseOAuth1.0 June2012:Eran ragequits theOAuth2.0bodyaftertheshiftfromcryptotobearertokens October2012:OAuth2.0frameworkpublished

    3

  • OAuthv1andv2:Whataretheprimarysecuritydifferences?

    4

    OAuthv2isTransport-DependentMostsecuritydefensesaredelegatedtoHTTPS/TLS

    OAuthv1isTransport-IndependentSecurityisnotdelegatedtoHTTPS/TLS

    Atypo,animproper TLSconfiguration, orafailuretoproperlyvalidateacertificatecanleadtoaman-in-the-middleattack,compromising allOAuthcommunications.

    OAuthv1messagesareeachindividuallycryptographically signed.Ifasinglemessagewithinthecommunication isconstructedorsigned improperly, theentiretransactionwillbeinvalidated.

  • OAuthv1andv2:SignaturesvsBearerTokens

    5

    OAuthv2AuthorizesMessageswithBearerTokens

    OAuthv1AuthorizesMessageswithDigitalSignatures

    BearerTokensdonotprovide internalsecuritymechanisms.Theycanbecopiedorstolen.

    Asignedmessageistiedtoit'sorigin. Itcannotbetamperedwithorcopiedtoanothersource.

  • OAuthv1andv2:Whichshouldyouuse?

    6

    GooglemovedawayfromOAuth1.0inApril2012.

    TwitterstillsupportsOAuth1.0.

    ItsrarefornewserverimplementationstosupportOAuth1.0.

    PlentyofOAuth2.0add-onRFCstosupportcryptoifneeded.

    Soyea,2.0inalmostallsituationsin2015.

  • OAuthv1Workflow

    7

    http://docs.spring.io/spring-social/docs/1.0.0.RC1/reference/html/serviceprovider.html#service-providers-oauth1

  • OAuthv2Workflow

    8

    http://docs.spring.io/spring-social/docs/1.0.0.RC1/reference/html/serviceprovider.html#service-providers-oauth2

  • OAuthSecurityinProductsisStabilizing(osvdb.org)

    9

  • SampleOAuthWorkflow

    UsingOAuth,youreCommerceservercannowtweetonbehalfoftheuserevenwhentheuserisnotloggedon.Howdoesthishappen? First,theuserlogsintotheeCommerceserverwithhisaccountandeditshisaccountprofile. Next,theeCommerceserverredirectstheusertoTwitter. TheuserlogsontoTwitterandauthorizestheeCommerceservertotweetonherbehalf. Then,wheneverordersarecompletetheeCommercetweetsalittlenoteabouthowawesometheeCommercecompanyis- evenwhentheuserisnotloggedontotheeCommerceserver.

    10

  • HighLevelConcepts

    OAuthRoles(Resourceowner,resourceserver,clientapp,authorizationserver) OAuthGrantTypes (authorizationcode, implicit,resourceownerpasswordcredentials,clientcredentials,extensions) TokenTypes (refreshtoken,accesstoken) EndpointTypes (resourceserver,authorizationserver,clientregistration,clientauthorization)

    11

  • Terms ResourceOwnerorEnd-User: Userandaccountownerofresource(theend-user) ResourceServer/ServiceProvider: Serverhostingprotectedresourcesownedbytheend-user. Acceptsaccesstokensforprotectedresources. AuthorizationServer/ServiceProvider. Serverissuingaccesstokenstoprovideotherclientsaccesstoprotectedresources.Oftensameserverasresourceserver.Oneauthorizationservermayissueaccesstokenstomany resourceservers.

    12

  • Terms

    Client/Consumer: Applicationrequestingaccesstoprotectedresourceonbehalfofresourceowner(typicalclientsaremobileapplications, webbrowsers, desktopapplicationsorotherwebapplications). DependingontheOAuthworkflow,thebrowsermayuseanaccesstokendirectly(implicitgranttype)orredirecttheusertoanotherwebapplicationthatactsastheclientoftheservice(authorizationcodegranttype).

    13

  • Terms AccessToken: OAuthtokenusedtodirectlyaccessprotectedresourcesonbehalfofauserorservice. RefreshToken: Refreshtokens,whengiventotheauthorizationserver,willprovideanewactiveaccesstoken.Refreshtokensthemselvescannotaccessresources. Whileaccesstokensshouldbeshortlived,refreshtokensarelonglivedorsimplyneverexpireuntiltheuserrevokesthem.Refreshtokensalsoprovidemorescalablepatterns. ClientIdentifier:UniqueIDofeachclientgiventoclientbyauthorizationserver. BearerToken: "Asecuritytokenwiththepropertythatanypartyinpossessionofthetoken(a"bearer")canusethetokeninanywaythatanyotherpartyinpossessionofitcan.Usingabearertokendoesnotrequireabearertoprovepossessionofcryptographickeymaterial(proof-of-possession)." -https://tools.ietf.org/html/rfc6750#section-1.2

    14

  • AuthorizationServerSecurity

    TLSforeverything(Authenticity,Confidentiality,Integrity) Authorizationserversshouldnotautomaticallyprocessrepeatauthorizationstopublicclientsunlesstheclientisvalidatedusingapre-registeredredirectURI(Section5.2.3.5). Authorizationserverscanmitigatetherisksassociatedwithautomaticprocessingbylimitingthescopeofaccesstokensobtainedthroughautomatedapprovals(Section5.1.5.1). Explainthescope(resourcesandthepermissions)theuserisabouttograntinanunderstandableway(Section5.2.4.2). Narrowthescopeasmuchaspossible(Section5.1.5.1). Don'tredirecttoaredirectURIiftheclientidentifierorredirectURIcan'tbeverified(Section5.2.3.5).

    15

    https://tools.ietf.org/html/rfc6819

  • OAuth2.0GrantTypes

    Youcanhidelonglivedtokenstokenfromtheuser(authorizationcodegrant) Youcanonlyactivateashort-livedtokeninthebrowserwhentheuseriscurrentlyloggedon(implicitgrant) Youcangrantandexposealong-livedtokensdirectlytotheuserviaatrustedclient(passwordgrant). Youcangrantandexposealong-livedtokendirectlytootherservicesthatneedtoaccessdatanotassociatedwithaspecificuser(clientcredentialsgrant)

    16

  • OAuth2.0AuthorizationCodeGrant

    17

    OAuth2.0AuthorizationCodeGrant

  • OAuth2.0AuthorizationCodeGrant

    18

    TheUser(ResourceOwner)CredentialsareneverexposedtoClient

    TheUser(ResourceOwner)neverhasaccesstoactualaccesstoken

    TheClientapplicationcanusetheaccesstokenevenwhentheresourceownerisnotpresent

    AuthorizationCodeRefreshTokensareoftenlonglivedorpermanentuntiltheUser(ResourceOwner)revokesthisaccessthroughtheClientUI.

  • AuthorizationCodeVariables Theclientstartsthe"authorizationcode"workflowbyredirectingtheusertotheauthorizationserverwiththerightrequestdata.Thisinitialclientrequestincludes: response_type :thisisrequiredby"authorizationcode"granttypeandshouldcontainthevalue"code" client_id:thisistheclientidentifierassignedtotheclientatclientregistrationtime.Thisisuniqueforeveryclientforauthorizationcodegrants. scope:levelofaccessrequested,domainspecific redirectionURI:Wheretheauthorizationserverredirectstheuserafteraccessisgrantedordenied

    19

  • AuthorizationCodeGrantSecurity

    4.4.1.1Threat:EavesdroppingorLeakingAuthorization"codes"(Referrerheaderleakage,logs,openredirect,browserhistory) UseTLS,requirestrongauthenticationbetweenclientandserver,expirationtimeforaccesstokens,onlyallowoneusepertoken,considerrevokingclientsendinglotsofbadcodes,reducescopeoftokens,flushbrowsercache

    4.4.1.2Threat:ObtainingAuthorization"codes"fromAuthorizationServerDatabase ParameterizeyourF#$KINGQUERIES,storeaccesstokenswithaone-waymethodology,gooddatabasesecurity

    4.4.1.3Threat:OnlineGuessingofAuthorization"codes" Highentropytokens,strongclientauthentication,shortexpirationtime

    4.4.1.5Threat:Authorization"code"Phishing StandardPhishingdefense.Goodluck!Onephishandgameover.

    20

    https://tools.ietf.org/html/rfc6819#section-4.4.1

  • CSRFAttacksagainstOAuthPart11. Attacker assumesthatVictimiscurrentlyloggedinat

    Consumer sitehttps://consumer-site.example/ (TheOAuthClient Application)2. Attacker goesthroughregistrationandloginworkflowat

    ConsumerSite https://consumer-site.example/login andusesthataccounttotriggeraOauthworkflowwiththeProviderService(TheOAuthauthorization/resourceserver)

    1. ConsumerSiteredirectsattackertoProviderSite logininterface.ThisiscalledtheAuthorizationRequest.https://provider-site.example/login

    2. Attacker successfullylogsinwithProviderSite3. Provider SiterespondswithredirectURLwhichcontainsthe

    authorizationcodeinthecode parameter.thisiscalledtheAuthorizationGrant.http://consumer-site.example/auth?code=1a2s3d4f5g6h

    21

  • CSRFAttacksagainstOAuthPart23. InsteadofvisitingorredirectingtotheAuthorizationGrant

    redirectURL,Attacker copiestheURLandplacesareferencetoitinanimagetagonawebpage()(https://evil-page.example/)

    4. Attacker getsVictimtovisithttps://evil-page.example/.1. ThisinturngetsVictim torequesttheAuthorizationGrant

    URL(http://consumer-site.example/auth?code=1a2s34f5g6h)

    2. ByvisitingtheAuthorizationGrantURL,theVictim hasnowauthorizedtheAttacker tohavefullauthorizedaccesstoVictim's accountonConsumer Site (https://consumer-site.example/).

    22

  • OAuth2andavoidingCSRF

    23

    1 Consumer generatesuniquerandomstatevalue,andstoresitinserversidesessionvariable.JSONWebTokensaregoodforstatevalues.

    2 Consumer sends"state"parameterwithAuthorizationRequest

    3 Onsuccessfulauthorization,Provider Site includes"state"parameterinAuthorizationGrantredirectURI

    4WhenVictim visitsredirectURI,the"state"parameteriscomparedagainstthe"state"parameterstoredinserversidesessionvariable.

    Usethe"state"parameter!ItisessentiallyaCSRFtoken

  • OAuth2AuthorizationCodeFlowOpenRedirector:Attack1. VictimgoesthroughloginworkflowatConsumerSite

    (https://consumer-site.example/login)usingProviderSiteforauthorization.

    2. Attacker constructsanAuthorizationRequestURLforProviderSite1. redirect_uri issettohttps://evil-site.example/

    3. Attacker eitherembedsevilURLinanimagetagorconstructsaclickablelinkatConsumerSite.

    4. WhentheevilURLisloaded,theproviderwill302redirectbacktoredirect_uri sinceuser wasalreadyloggedin.

    5. Whentheredirectoccurs,theevilsitecanreadtheHTTPReferrertogettheAuthorizationCode.

    6. UsingthisAuthorizationCode,Attackercanloginasuser

  • OAuth2AuthorizationCodeFlowOpenRedirector:Remediation

    1. Whitelistredirect_uri!2. ThereisnoneedforaProvidertorequiretheredirect_uri param!

  • OAuth2ImplicitFlowAccessTokenReuse:Attack1. VictimauthorizeswithEvilConsumer Site forProviderSite usingaccess_token2. AcmeWidgetsConsumerSiteusesImplicitFlowforauthentication.3. AttackerauthenticatesasVictimwiththeEvilConsumerSiteaccess_token using

    https://acme-widgets.example/callback#access_token=access_token

    "OneTokentoRuleThemAll"

  • OAuth2ImplicitFlowAccessTokenReuse:Remediation

    1. OAuthshouldbeusedforauthorization,notauthentication!2. Validatethataccess_token belongstoyourclient_id viaproviderAPI

  • OAuth2.0:Summary

    28

    1. Holycrapthisiscrazy2. IttakesmassiveeffortstobuildsecureOAuth2solutions3. Thecorestandardbarelyaddressessecurity4. MajorproviderswithPHD'stospareareoveralldoinga

    reasonablejobofbuildsecuresolutions5. Clientsareatriskbecausetheyarelikelytobuildless

    securityimplementationsthanproviders6. Buckleup,readthethreatmodelseveraltimesandfollow

    it'smanymanymanyrecommendations

  • OAuth:Summary

    29

    WhatisOAuth?

    OAuthandCSRF

    Redirection

    TokenReuse

    OAuthGrantTypes

  • ThankYou!

    [email protected]


OAuth protokol - sigurnost.zemris.fer.hrsigurnost.zemris.fer.hr/protokoli/2011_budiselic/OAuth protokol.pdf · OAuth protokol Ivan Budiseli c Seminarski rad za poslijediplomski predmet

OAuth protokol - sigurnost.zemris.fer.hrsigurnost.zemris.fer.hr/protokoli/2011_budiselic/OAuth protokol.pdf · OAuth protokol Ivan Budiseli c Seminarski rad za poslijediplomski predmet

Documents
Common Reference for docomo Developer support APIs Version 2.0 · 2019-06-14 · Grant of OAuth 2.0 Authorization Framework. See RFC 6749 and RFC6750 of OAuth 2.0 for details. 2

Common Reference for docomo Developer support APIs Version 2.0 · 2019-06-14 · Grant of OAuth 2.0 Authorization Framework. See RFC 6749 and RFC6750 of OAuth 2.0 for details. 2

Documents
Demystifying OAuth

Demystifying OAuth

Documents
OWASP Live CD · OWASP San Antonio Chapter About Matt Varied IT Background Developer, DBA, Sys Admin, Pen Tester, Application Security, CISSP, CEH, RHCE, Linux+ Long history with

OWASP Live CD · OWASP San Antonio Chapter About Matt Varied IT Background Developer, DBA, Sys Admin, Pen Tester, Application Security, CISSP, CEH, RHCE, Linux+ Long history with

Documents
Application Security Awareness - OWASP · OWASP Who Am I? +10 years developer experience + 6 years application security experience Software Architect / Security Consultant @ Sogeti

Application Security Awareness - OWASP · OWASP Who Am I? +10 years developer experience + 6 years application security experience Software Architect / Security Consultant @ Sogeti

Documents
The Essential OAuth Primer: Understanding OAuth for Securing Cloud

The Essential OAuth Primer: Understanding OAuth for Securing Cloud

Documents
OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES …€¦ · OAUTH 2 UND OPENID CONNECT OWASP Chapter Munich 30.4.2019 S l i d e s : h t t p s : / /a n d i fa l k . g i t h u b

OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES …€¦ · OAUTH 2 UND OPENID CONNECT OWASP Chapter Munich 30.4.2019 S l i d e s : h t t p s : / /a n d i fa l k . g i t h u b

Documents
WordPress + OAuth

WordPress + OAuth

Technology
OWASP top 10 with real world examples Developer real world mistakes Developer security assessment questions What we are doing to try and stay

OWASP top 10 with real world examples Developer real world mistakes Developer security assessment questions What we are doing to try and stay

Documents
OWASP (Membership) and new OWASP Projects · OWASP 7 OWASP

OWASP (Membership) and new OWASP Projects · OWASP 7 OWASP

Documents
Entendiendo oAuth

Entendiendo oAuth

Documents
Facebook & OAuth

Facebook & OAuth

Internet
OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES … · OAUTH 2.0 101 RFC 6749: The OAuth 2.0 A uthorization Frame work RFC 6750: OAuth 2.0 Bearer Token Usage RFC 6819: OAuth 2.0

OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES … · OAUTH 2.0 101 RFC 6749: The OAuth 2.0 A uthorization Frame work RFC 6750: OAuth 2.0 Bearer Token Usage RFC 6819: OAuth 2.0

Documents
proactive controls final - OWASP · The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. ... developer

proactive controls final - OWASP · The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. ... developer

Documents
OWASP EUTour2013 London - Managing Web & Application … · 2020. 1. 17. · OWASP Top-10 - how •Easy to use to start a first discussion and awareness •Initial developer training

OWASP EUTour2013 London - Managing Web & Application … · 2020. 1. 17. · OWASP Top-10 - how •Easy to use to start a first discussion and awareness •Initial developer training

Documents
Authentication OAuth 2.0 & OpenID Connectwebdevelopment.mit.edu/2018/pages/lectures/WEBday9_openid.pdfOauth 2.0 “focuses on client developer simplicity while providing specific authorization

Authentication OAuth 2.0 & OpenID Connectwebdevelopment.mit.edu/2018/pages/lectures/WEBday9_openid.pdfOauth 2.0 “focuses on client developer simplicity while providing specific authorization

Documents
Painless OAuth

Painless OAuth

Technology
OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via: pj@pjebs.com.au

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via: [email protected]

Documents
The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

Documents
OWASP @ ISCTE-IUL, OWASP e OWASP Portugal

OWASP @ ISCTE-IUL, OWASP e OWASP Portugal

Documents
Twitter4R OAuth

Twitter4R OAuth

Technology
OAuth with On-Premise Report+ Web Installationdownload.infragistics.com/marketing/ReportPlus/Developer-Docs/OAuth...ReportPlus Help Reference 7 | 21 Introduction to OAuth Now that

OAuth with On-Premise Report+ Web Installationdownload.infragistics.com/marketing/ReportPlus/Developer-Docs/OAuth...ReportPlus Help Reference 7 | 21 Introduction to OAuth Now that

Documents
OWASP Developer Guide Reboot

OWASP Developer Guide Reboot

Technology
OAuth Tokens

OAuth Tokens

Education
Everything OAuth

Everything OAuth

Technology
I Know What Youll Do Next Summer - The Skills You Will Be Learning as a Domino Developer: HTML5, CSS3, OAuth

I Know What Youll Do Next Summer - The Skills You Will Be Learning as a Domino Developer: HTML5, CSS3, OAuth

Technology
Tobias Gondrom (OWASP Member) - AppSec · OWASP Top-10 version 2013 - how • Easy to use to start a first discussion and awareness • Initial developer training (1.5 hours)

Tobias Gondrom (OWASP Member) - AppSec · OWASP Top-10 version 2013 - how • Easy to use to start a first discussion and awareness • Initial developer training (1.5 hours)

Documents
Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

Documents
oAuth test

oAuth test

Documents
Twitter oauth

Twitter oauth

Documents