Federated Login CSRF

OWASP Foundation via YouTube

Overview

This 30-minute conference talk from AppSecUSA 2017 analyzes Federated Login CSRF: how the classic Login CSRF attack applies to federated identity systems built on OpenID Connect and OAuth 2.0. It covers the conditions under which Federated Login CSRF arises, the resulting risks, and effective mitigation strategies. Microsoft Senior Security Engineer Murali Vadakke Puthanveetil walks through the OAuth Code Grant Flow, the OpenID Connect login flow, and why the recommended parameters (such as state) matter, then presents the attacker configuration, the attack data-flow sequence, and a practical demonstration. The talk closes with defensive measures, such as showing a second consent dialog before linking identities, that protect federated login systems against these attacks.

Syllabus

Intro
Quick Recap - Federated Login
Additional CSRF Scenarios
OAuth Code Grant Flow
Recommended State parameter
OpenID Connect login flow
Risk in the current scenario
Recommended Parameter from OpenID Connect Spec
Federated Login CSRF (Pre-Conditions)
Attacker configuration
Attack data flow sequence
Risks
Demo
Mitigation 1: Show a 2nd Consent dialog before linking identities
Conclusions

Taught by

OWASP Foundation
