Overview
Explore a comprehensive analysis of Federated Login CSRF vulnerabilities in this 30-minute conference talk from AppSecUSA 2017. Delve into the concept of Login CSRF and how it applies to federated identity systems built on OpenID Connect and OAuth 2.0. Examine the pre-conditions that lead to Federated Login CSRF, the resulting risks, and effective mitigation strategies. Learn from Microsoft Senior Security Engineer Murali Vadakke Puthanveetil as he walks through the details of this issue, including a breakdown of the OAuth Code Grant Flow, the OpenID Connect login flow, and the importance of the parameters the specifications recommend. Gain insight into attacker configurations, attack data flow sequences, and a practical demonstration. Understand how to apply robust countermeasures, such as showing a second consent dialog before linking identities, to protect federated login systems against these attacks.
Syllabus
Intro
Quick Recap - Federated Login
Additional CSRF Scenarios
OAuth Code Grant Flow
Recommended State parameter
OpenID Connect login flow
Risk in the current scenario
Recommended Parameter from OpenID Connect Spec
Federated Login CSRF (Pre-Conditions)
Attacker configuration
Attack data flow sequence
Risks
Demo
Mitigation 1: Show a 2nd Consent dialog before linking identities
Conclusions
Taught by
OWASP Foundation