Knocking Down the Big Door (Breaking Authentication and Segregation of Production & Non-Production Environments)

Presented at ekoparty 14 (2018), Sept. 26, 2018, 11:10 a.m. (50 minutes)

With more than 2000 enterprise customers and managing 1.5 billion logins every single day, Auth0 is one of the biggest Identity Platforms. In this talk I will tell the story of how we, at Cinta Infinita, found an Authentication Bypass Vulnerability that affected any application using Auth0 (for username and password authentication) in the context of an independent non-profitable research. Deep security concepts of JSON Web Tokens, authentication and authorization, cryptography, HTTP traffic interception/manipulation and more will be covered. Additionally, two other cases will be presented as an introduction to the main security problem: the first one involves an incorrect secret management between Production and Non-Production Environments and a bad implementation of a sensitive functionality. Then, the second one, will show how insecure configurations and inadequate administration of features in MS Azure (and typical IIS installations) for .NET Web Applications using SAML Authentication could led to full compromise of an application and its data. Case 1: Be careful when impersonating users. Seriously. Case 2: Authentication Bypass vulnerability in the Auth0 platform. Case 3: Observations in MS Azure and IIS installations running .NET Web Applications using SAML Authentication. Machine Keys? Is that a new rock band? Conclusions.

Presenters:

• Nahuel Grisolía
  Nahuel Grisolía is the Founder and CEO of Cinta Infinita, an Information Security company based in Buenos Aires, Argentina. He is specialized in (Web) Application Penetration Testing and Hardware Hacking. He loves playing with Arduino's, ARM based hardware devices, Tamagotchis, Quadcopters, Lasers, etc. He has delivered trainings and talks in conferences around the world: BugCON (Mexico), H2HC (Brazil), Ekoparty (Argentina), OWASP events (Argentina), TROOPERS (Germany), PHDays (Russia), Ground Zero Summit (India), etc. He has discovered vulnerabilities in software from McAfee, VMWare, Manage Engine, Oracle, Websense, Google, Twitter, Auth0 and also in free software projects like Achievo, Cacti, OSSIM, Dolibarr and osTicket.

Links:

• http://ekoparty.org/charla-knocking-down-the-big-door.php
• https://infocon.org/cons/Ekoparty/Ekoparty 14 2018/Knocking Down the Big Door Nahuel Grisolía.mp4

Similar Presentations:

• DeepSec 2020 „The Masquerade“ / Street Cred: Fixing Authentication From Passwords To Passwordless
• DEF CON 15 (2007) / Greater than 1: Defeating "strong" Authentication in Web Applications
• DEF CON 19 (2011) / My password is: #FullOfFail! - The Core Problem with Authentication and How We Can Overcome It