In this race of providing OAuth/Open ID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild because of which relying parties and users face myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers.
The key to adding authorization or SSO measures to your app is to ensure you are balancing security with usability. Developers likely make trade-offs when making decisions about specific implementation - and there are a lot of decisions to make. Developers still want to double down on security to avoid flaws in 2.0, paying attention to things like session management, encryption/obfuscation of stored data and IDs, and securing the source code of an app.
In this work we will discuss common malpractices that relying party devs perform when implementing OAuth/OpenID based relying party solutions. However, all is not in the hands of relying party developers, the authorization service providers have a big role to play as well.
There are mainly 4 entities involved in a typical OAuth setup, they are – relying party/client, user/resource owner, resource provider, authorization server. In this work, we discuss the goof-ups that each of these entities can introduce with special focus on vulnerabilities that the authorization server can introduce.
The highlight - We present our case study on OAuth authorization providers and detail the issues we found in their solutions. This includes vulnerability in Microsoft's authorization server - login.windows.net.
This was presented at Security Fest 2019.Speakers: Samit Anwer
Samit Anwer is a Web and Mobile Application security researcher. Soon after completing his Master's degree from IIIT, Delhi in Mobile and Ubiquitous Computing he joined Citrix R&D India as a Product Security researcher. He is actively involved with vulnerability research in popular Web/Mobile apps and has responsibly disclosed several security vulnerabilities with Google Cloud Print API, XSS filter evasion on IE 11/MS Edge, code execution on Microsoft Windows 10, Microsoft's OAuth 2.0 implementation and buffer overflows on MS Edge/IE 11.
He is an active member of the Null Bangalore Chapter, IEEE community and has spoken on various security topics at the following venues:
He has previously published papers at the following venues:
His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching on cutting edge authentication and authorization mechanisms.