OAuth Hacking Marathon
Abstract
OAuth is a crucial piece of the modern technology puzzle that enables a more unified and seamless digital ecosystem. In this talk, we will showcase a series of demos that exploit various vulnerabilities, both on the client side and on the authorisation server of a fictional OAuth service, to show the common security pitfalls and how to navigate them. In cat-and-mouse fashion, the demos have the developers patching each OAuth vulnerability, only for the hackers to find a new, more complex attack and own the company again. These demos are inspired by real-world incidents and illustrate how attackers actually exploit these weaknesses in the wild.

OAuth gives us the immense power of letting our apps and services share data seamlessly. But, as Uncle Ben said to Spider-Man, "with great power comes great responsibility": OAuth can be a blessing or a curse. In this talk, we will explore what can go wrong with OAuth if we don't wield this mighty power carefully. Throughout the session, we will also discuss defensive strategies and industry best practices to tackle these attacks. Additionally, we will analyse the root causes of these vulnerabilities and discuss how the upcoming OAuth 2.1 version helps mitigate them. So buckle up for a roller-coaster live hacking marathon!

Speaker Bio

Kaif Ahsan is a coder by passion and a hacker by profession. He started his journey in tech as a Software Engineer but soon fell in love with the art of breaking software. His knowledge of development and cybersecurity naturally led him to the Application Security space, where he currently works as a Product Security Engineer at Atlassian. Kaif is a big proponent of education and open access to knowledge. He regularly volunteers to run cybersecurity workshops at universities, local meetups and conferences, and organises the AppSec Australia Melbourne meetups. He is also the co-host of the YouTube channel Everything Cyber, where he shares hands-on and conversational videos on tech and cybersecurity.

Kumar Soorya is a Security Engineer at AWS, where he works with his team to aid internal customers with security incident response on the AWS side of the shared responsibility model. Prior to his current role, Soorya worked as a consultant in Security Operations, aiding clients with their ongoing security monitoring, threat hunting and incident response. Soorya is passionate about making security knowledge accessible to security leaders, practitioners and students. He is one of the co-hosts of the Everything Cyber podcast, where he shares hands-on and conversational videos on tech and cybersecurity.