Two of my co-workers have presented at HackMiami on flaws people implement in their OAuth implementations. The talk summary is below:

“OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Box, etc. support it, and you are probably thinking of implementing OAuth for your product/platform. We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely.

When you use OAuth, there are three pieces: the Platform, the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications on an OAuth platform which can lead to complete account takeover, how they can be an engineer’s nightmare, and how to fix them. We will go over controls that the platform can put in place to help mitigate vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower-risk vulnerabilities, can result in gaping holes in your OAuth implementation.

You will leave this session with a deep understanding of how OAuth implementations should be secured, both for a platform and in an application, and of things to test for during a security evaluation of OAuth implementations.”
