Overview
Explore methods for discovering high-impact vulnerabilities in OAuth 2.0 integrations through this 50-minute conference talk. Delve into the history and basics of OAuth 2.0, understand its various grant types, and learn where it's commonly implemented. Uncover secret methodologies for token stealing, code stealing, CSRF attacks, and token impersonation. Examine real-world case studies, proof of concepts, and attack workflows to enhance your understanding of OAuth 2.0 security. Gain valuable insights into identifying and exploiting vulnerabilities in OAuth 2.0 implementations for ethical hacking and bug bounty purposes.
Syllabus
Intro
About Me
Agenda
HISTORY OF OAuth
OAuth 2.0 BASICS
HOW OAuth 2.0 WORKS?
AUTHORIZATION CODE GRANT
IMPLICIT GRANT
WHERE OAuth 2.0 IS USED?
ATTACKS ON OAuth 2.0 INTEGRATIONS
TOKEN STEALING - What we do?
TOKEN STEALING - Secret Methodology
Case Study
PROOF OF CONCEPT
CODE STEALING - What we do?
CODE STEALING - Secret Methodology
CSRF - What we do?
CODE STEALING - Secret Methodology
ATTACK WORKFLOW
TOKEN IMPERSONATION - What we do?
TOKEN IMPERSONATION - Secret Methodology
CONCLUSION
Taught by
Bugcrowd