NCL 06: OAuth 2.0 Security: Attacks and Countermeasures

Web and Mobile app developers work with it heavily nowadays; and end users interact with it on a daily basis. This is the OAuth 2.0 protocol - or the Open Authorization Framework. Despite the fact that it is a security protocol, it is itself so vague and flexible that it opens the door to many potential threats if not implemented tightly.

In this episode of "Navigating the Cyber Land" we will start with a general overview of what OAuth is and how it works. Then, we will look at the bad practices that can lead OAuth to potentially become vulnerable and get exploited. OAuth vulnerabilities can be categorized as either Client-Side or Server-Side.

Some of the vulnerabilities and attacks we will cover are:

• CSRF attack against the client
• Theft of Authorization Code
• Theft of Access Token
• Client Impersonation

We will also address the countermeasures or the solutions to those vulnerabilities from a development and configuration points of view.

This session will be valuable for penetration testers assessing web/mobile applications as well as for developers and engineers implementing OAuth in their products and services.