
Vulnerabilities of mobile OAuth 2.0 by Nikita Stupin, Mail.ru

03 Dec 2019

Insomni'hack 2019
Title: Vulnerabilities of mobile OAuth 2.0
Speaker: Nikita Stupin, Mail.ru

Mobile applications are increasingly implementing the OAuth 2.0 protocol. Despite this, vulnerabilities in mobile OAuth 2.0 implementations are still found even in the products of large companies.

In this report we will look at the following vulnerabilities of mobile OAuth 2.0:
1. Authorization Code Interception Attack
2. OAuth 2.0 CSRF
3. Vulnerabilities caused by WebView usage
4. Vulnerabilities that increase the probability of phishing

We will also cover the most widespread and critical vulnerabilities of regular OAuth 2.0:
1. Vulnerabilities in redirect_uri checks
2. MitM of authorization_code/access_token
3. Poor OAuth 2.0 protocol implementation
4. ... and some others :)

Vulnerabilities will be accompanied by real-world examples from my bug hunting experience.

Protection techniques will be presented from a pentester's point of view. We will discuss defensive mechanisms such as:
1. Proof Key for Code Exchange
2. Crypto properties of OAuth 2.0 tokens (access_token, authorization_code, code_verifier and others) and how they are managed
3. IPC as a simpler (compared to HTTP) and secure transport
4. When do client_id and client_secret do more harm than good?

We will cover three flows of the OAuth 2.0 protocol:
1. Authorization Code Grant
2. Implicit Grant
3. Implicit Grant with IPC transport
