Posts

Showing posts from May, 2013

OAuth 2 attacks - Introducing 'The Devil Wears Prada' and 'Lassie Come Home'

As the OAuth 2 framework is becoming more and more widely used, I thought it would be useful to share some of the most common attacks. It is important to highlight that the attacks I am going to introduce today are not issues in the specification per se, but rather possible implementation issues. The first document to look at when you try to secure an OAuth 2 implementation is the OAuth 2.0 Threat Model, but this is not nearly enough. In order to have a safe implementation it is important to understand what OAuth is about and to be involved in the "OAuthsphere" (OAuth mailing list, blogs, etc.).
In this blog post I will try to show two of the most common attacks, which I have renamed 'The Devil Wears Prada' and 'Lassie Come Home'.
Let's see. Firstly, the actors:

The Actors

The Devil Wears Prada

The first time I read about this potential issue was in one of John Bradley's blog posts. This issue is also known as the "confused deputy problem". In a nutshell (once…

OAuth “dance” - server side flow

Getting some inspiration from this dialog about OAuth 1.0, I thought it would be nice to have something similar for OAuth 2.0.


The Actors

The R.O. shows intent
Alice (R.O.): hey, Bob, I would like you to be able to access the profile pictures from my Facebook account so you can print a nice photo album for me.
Bob (client): no problem, I know how we can do it. All I need is for you to get me an Authorization Code from Facebook.

The R.O. obtains an authorization code
Alice (R.O.): hey Mark, www.printondemand.biz wants an Authorization Code
Mark (server): are you sure you want to give this code to www.printondemand.biz? This will allow it to get all profile pictures from your profile.
Alice (R.O.): yes, it is ok.
Mark (server): ok, I am sending you over to www.printondemand.biz

The R.O. is redirected to the client
Alice (R.O.): hey Bob, here we go, this is the Authorization Code
Bob (client): thanks

The client exchanges the Authorization Code for an Access Token
Bob (client): hey Mark, I would like to tra…