Skip to main content


Showing posts from May, 2013

OAuth 2 attacks - Introducing 'The Devil Wears Prada' and 'Lassie Come Home'

As the OAuth 2 framework is becoming more and more used I thought it would be useful to share some of the most common attacks. It is important to highlight that the attacks I am going to introduce today are not issues in the specification per se but rather possible implementation issues. The first document to look at when you try to secure one OAuth 2 implementation is the OAuth 2.0 Threat Model but this is way not enough. In order to have a safe implementation it is important to understand what is OAuth about and to be involved in the "OAuthsphere" (OAuth mailing list, blogs, etc), In this blog post I will try to show two of the most common attacks that I have renamed  ' The Devil Wears Prada' and 'Lassie Come Home'. Let's see. Firstly the actors: The Actors The Devil Wears Prada The first time I read about this potential issue was in one of John Bradley's blog post . This issue is also known as " confused deputy problem

OAuth “dance” - server side flow

Getting some inspiration from this dialog about OAuth 1.0 I thought it would be nice to have something similar for OAuth 2.0 The Actors   The R.O. shows intent Alice (R.O.): hey, Bob , I would like you to be able to access the profile pictures from my Facebook account so you can print for me a nice photo album. Bob (client): no problem, I know how we can do it. All I need is you getting me an Authorization Code from Facebook. The R.O. obtain an authorization code Alice (R.O.): hey Mark, wants an Authorization Code Mark (server): are you sure you want to give this code to ? this will allow it to get all profile pictures from your profile. Alice (R.O.): yes it is ok. Mark (server): ok I am sending you over to The R.O. is redirected to the client Alice (R.O.): hey Bob here we go, this is the Authorization Code Bob (client): thanks The client exchange the Authorization Code for an Access T