Federated Login CSRF

Presented at AppSec USA 2017, Sept. 21, 2017, 10:30 a.m. (45 minutes)

Login CSRF is a well-known vulnerability that allows an attacker to hijack a victim's browser to login to an application using the attacker's own credentials. This paper applies a similar concept on an application using federated identities. Specifically, we will walkthrough a CSRF issue that can creep into an application that uses OpenID Connect and Oauth 2.0, where more than one identities for a user needs to be linked together. We look at the conditions under which such a Federated Login CSRF may occur and mitigations for the same.

Presenters:

• Murali Vadakke Puthanveetil - Senior Security Engineer - Microsoft
  Murali Vadakke Puthanveetil works as a Senior Security Engineer for windows services pentest team at Microsoft. He spends most of his time digging into code of web applications to find interesting patterns that could later be used for attacks. He is particularly interested in figuring out authentication and authorization logic used by these applications.

Links:

• https://appsecusa2017.sched.com/event/B26I/federated-login-csrf
• https://infocon.org/cons/OWASP/AppSecUSA 2017/Federated Login CSRF.mp4
• https://www.youtube.com/watch?v=WVLIuvtUbrQ

Similar Presentations:

• DEF CON 16 (2008) / CSRF Bouncing†
• AppSec USA 2014 / CSRF 101 Workshop
• DEF CON 25 (2017) / Wiping out CSRF