Oh! Auth: Implementation pitfalls of OAuth 2.0 & the Auth Providers who have fell in it

Presented at RomHack 2019, Sept. 28, 2019, 10:45 a.m. (45 minutes)

Since the beginning of distributed personal computer networks, one of the toughest problem has been to provide a secure SSO and authorization experience between unrelated servers/services. The OAuth 2.0 authorization framework enables 3rd party apps to obtain discretionary access to a web service. Built on top of OAuth, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build an authentication system. In this race of providing OAuth/Open ID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild because of which relying parties and users face myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers. In this talk we will discuss common malpractices that "relying party" and "authorization service provider" developers perform when implementing OAuth/OpenID based solutions. We will learn the attacks that can happen thereof and mitigation.


Presenters:

  • Samit Anwer
    Samit is a Web and Mobile Application security enthusiast. He joined Citrix as Security Engineer soon after completing his Master's degree from IIIT Delhi in Mobile and Ubiquitous Computing in 2015. He has spoken on various security topics at the following venues - SecurityFest, DEFCON, BlackHat Asia, AppSec USA, CodeBlue and c0c0n X He has published papers at the following venues • Chiromancer: A Tool for Boosting Android Application Performance [MobileSOFT Conference 2014, Hyderabad, India], http://dl.acm.org/citation.cfm?id=2593918 • Detecting Performance Antipatterns before migrating to the Cloud [IEEE CloudCom 2013, Bristol, U.K.], http://dl.acm.org/citation.cfm?id=2568531 • Performance Antipatterns: Detection and Evaluation of their Effects in the Cloud [IEEE Services 2014, Anchorage, Alaska], http://ieeexplore.ieee.org/document/6930605/ His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching on cutting edge authentication and authorization mechanisms.

Links:

Similar Presentations: