OH-MY-DC: Abusing OIDC all the way to your cloud

Presented at DEF CON 32 (2024), Aug. 10, 2024, 1 p.m. (45 minutes).

As DevOps teams and developers slowly shift away from storing long-lived static credentials to the more secure, still fairly new, OIDC alternative, the underlying logic, mechanisms and implementations tend to feel like complicated magic and are mostly overlooked. In this talk, we'll begin by recapping what OIDC is, which entities interact when OIDC is used, and how OIDC is used to securely access a cloud account from CI/CD flows. Once that is covered, we will alternate our point of view between the entities in play and demonstrate potential vulnerabilities in various setups. Starting with the user's PoV, we will show what "under-configurations" look like, and continue by demonstrating how new OIDC configuration options can actually be misconfigurations that result in a compromise. We will then see another attack vector, where leaking an OIDC token from a single repository in an organization can allow an attacker to abuse under-configurations and access private clouds. After that, we will shift our PoV to that of the Identity Provider (IdP) so that we can look into what happens if an IdP is misconfigured, and disclose a real-world security vulnerability found in one of the most popular CI vendors that allowed us to access any of their customers' cloud environments. I'll refer to this talk by the Tinder Security team [link](https://www.youtube.com/watch?v=pTKS99Nfaxw&t=747s) where they show how they could "claim" in the name of other identities due to under-configured WIFs.
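A model of the cloud-side trust evaluation the abstract refers to, added here as an example and not part of the talk: three trust policies, from an under-configured one to a pinned one, are evaluated against constructed claim sets shaped like GitHub Actions OIDC tokens (the audience value, the `acme` repositories and the policy format are made up for illustration).

```python
import fnmatch

ISSUER = "https://token.actions.githubusercontent.com"  # real GitHub Actions issuer
AUDIENCE = "sts.example.cloud"                          # constructed audience value

# Constructed claim sets, shaped like GitHub Actions OIDC tokens.
CLAIMS_DEPLOY = {"iss": ISSUER, "aud": AUDIENCE,
                 "sub": "repo:acme/deploy:ref:refs/heads/main", "repository": "acme/deploy"}
CLAIMS_SANDBOX = {"iss": ISSUER, "aud": AUDIENCE,
                  "sub": "repo:acme/sandbox:ref:refs/heads/main", "repository": "acme/sandbox"}
CLAIMS_NO_SUB = {"iss": ISSUER, "aud": AUDIENCE}  # token with no subject claim at all


def is_trusted(claims, policy):
    """Accept the token only if every condition in the policy matches.
    'equals' needs an exact match, 'like' allows glob patterns; a claim the
    policy names but the token lacks counts as a mismatch (fail closed)."""
    for claim, expected in policy.get("equals", {}).items():
        if claims.get(claim) != expected:
            return False
    for claim, pattern in policy.get("like", {}).items():
        value = claims.get(claim)
        if value is None or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


# Under-configuration: issuer and audience only. Any token minted for this
# audience, from any repository anywhere, is accepted.
POLICY_UNDER_CONFIGURED = {"equals": {"iss": ISSUER, "aud": AUDIENCE}}
# Org-wide wildcard: a token leaked from any repo in the org unlocks the role.
POLICY_ORG_WIDE = {"equals": {"iss": ISSUER, "aud": AUDIENCE},
                   "like": {"sub": "repo:acme/*"}}
# Pinned: one repository and one branch; everything else is rejected.
POLICY_STRICT = {"equals": {"iss": ISSUER, "aud": AUDIENCE,
                            "sub": "repo:acme/deploy:ref:refs/heads/main"}}


def evaluate(policy):
    """Return which of the three sample tokens the policy would accept."""
    return tuple(is_trusted(c, policy) for c in (CLAIMS_DEPLOY, CLAIMS_SANDBOX, CLAIMS_NO_SUB))


if __name__ == "__main__":
    for name, pol in [("under_configured", POLICY_UNDER_CONFIGURED),
                      ("org_wide", POLICY_ORG_WIDE), ("strict", POLICY_STRICT)]:
        print(name, evaluate(pol))
```

Only the pinned policy rejects the sandbox repository's token; the first two policies are exactly the shape of under-configuration that lets a token from one repository reach a role meant for another.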

Presenters:

  • Aviad Hahami - Palo Alto Networks
    Security researcher and experienced software engineer with a great passion for algorithms (graph theory specifically), security research (vulnerability research, bug bounties), chaos engineering (YES!), frontends, backends, web services, systems architecture, infras, clouds (making them rain), and more :) Today, researching at Palo Alto Networks. Oh yeah, I also DJ.
