Knocking Down the Big Door (Breaking Authentication and Segregation of Production & Non-Production Environments)

Presented at ekoparty 14 (2018), Sept. 26, 2018, 11:10 a.m. (50 minutes)

With more than 2000 enterprise customers and managing 1.5 billion logins every single day, Auth0 is one of the biggest Identity Platforms. In this talk I will tell the story of how we, at Cinta Infinita, found an Authentication Bypass Vulnerability that affected any application using Auth0 (for username and password authentication) in the context of an independent non-profitable research. Deep security concepts of JSON Web Tokens, authentication and authorization, cryptography, HTTP traffic interception/manipulation and more will be covered.

Additionally, two other cases will be presented as an introduction to the main security problem. The first one involves incorrect secret management between Production and Non-Production Environments and a bad implementation of sensitive functionality. The second one will show how insecure configurations and inadequate administration of features in MS Azure (and typical IIS installations) for .NET Web Applications using SAML Authentication could lead to full compromise of an application and its data.

  • Case 1: Be careful when impersonating users. Seriously.
  • Case 2: Authentication Bypass vulnerability in the Auth0 platform.
  • Case 3: Observations in MS Azure and IIS installations running .NET Web Applications using SAML Authentication. Machine Keys? Is that a new rock band?
  • Conclusions.


  • Nahuel Grisolía
    Nahuel Grisolía is the Founder and CEO of Cinta Infinita, an Information Security company based in Buenos Aires, Argentina. He specializes in (Web) Application Penetration Testing and Hardware Hacking. He loves playing with Arduinos, ARM-based hardware devices, Tamagotchis, Quadcopters, Lasers, etc. He has delivered trainings and talks at conferences around the world: BugCON (Mexico), H2HC (Brazil), Ekoparty (Argentina), OWASP events (Argentina), TROOPERS (Germany), PHDays (Russia), Ground Zero Summit (India), etc. He has discovered vulnerabilities in software from McAfee, VMware, ManageEngine, Oracle, Websense, Google, Twitter, Auth0 and also in free software projects like Achievo, Cacti, OSSIM, Dolibarr and osTicket.


