OAuth Hacking Marathon - Exploiting Common Security Pitfalls and Mitigating Them
OAuth is a crucial piece of the modern technology puzzle that enables a more unified and seamless digital ecosystem. In this talk, we are going to showcase a series of demos that exploit various vulnerabilities, both on the client side and on the authorisation server of a fictional OAuth service, to show the common security pitfalls and how to navigate them.
In cat-and-mouse fashion, the demos involve the developers patching the OAuth vulnerabilities, only for the hackers to identify a new, more complex attack to own the company again. These demos are inspired by real-world incidents and will illustrate how attackers actually exploit these weaknesses in the wild.
OAuth gives us the immense power of letting our apps and services share data seamlessly. But, as Uncle Ben said to Spider-Man, “With great power comes great responsibility”: OAuth can be a blessing or a curse. In this talk, we will explore what can go wrong with OAuth if we don’t wield this mighty power carefully.
Throughout the session, we will also discuss defensive strategies and industry best practices to tackle these attacks. Additionally, we will analyse the root causes of these vulnerabilities and discuss how the future OAuth 2.1 version helps mitigate such attacks.
So buckle up for a roller coaster live hacking marathon!
Kaif Ahsan
Kaif Ahsan is a coder by passion and a hacker by profession. He started his journey in tech as a Software Engineer but soon fell in love with the art of breaking software. His knowledge of development and cybersecurity has naturally led him to the Application Security space, where he currently works as a Product Security Engineer at Atlassian.
Kaif is a big proponent of education and open access to knowledge. He regularly volunteers to run cybersecurity workshops at various universities, and gives talks at local meet-ups and conferences. He is also the co-host of the YouTube channel Everything Cyber, where he shares hands-on and conversational videos on tech and cybersecurity. His videos target intermediate-level professionals and help them gain expertise through practical content.