Two of my co-workers have presented at HackMiami on flaws people implement in their OAuth implementations. The talk summary is below:

“OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, etc. support it, and you are probably thinking of implementing OAuth for your product/platform. We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely.

When you use OAuth, there are three pieces: the Platform, the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on an OAuth platform which can lead to complete account takeover, how they can be an engineer’s nightmare, and how to fix them. We will go over controls that the platform can put in place to help mitigate vulnerabilities. We will also cover how design decisions, if chained with otherwise lower-risk vulnerabilities, can result in gaping holes in your OAuth implementation.

You will leave this session with a deep understanding of how an OAuth implementation should be secured, both for a platform and in an application, and what to test for during a security evaluation of OAuth implementations.”

Slides: https://cloud.app.box.com/s/9xgb9yzfcgla5hsd7bdltl78k74dzot7

 


