OWASP AppSec Days PNW 2022 - Common Vulnerabilities in Modern Auth Implementations
Excited to share that I did a talk at the 2nd Annual OWASP AppSec Days Pacific Northwest Conference. This was a virtual event organized by the OWASP foundation on 11 June 2022. Glad to be back at presenting at Tech conferences after a break of almost 3 years. My last (public) talk was at OWASP Global AppSec DC 2019 on WebAuthn, and I barely presented/blogged about my adventures after that. Probably I should do more of these. Let's see how it goes :)
Title: Common Vulnerabilities in Modern Auth Implementations
Abstract
Enterprises often leverage the modern authentication protocols - OpenId Connect and OAuth - to secure their cloud-based web apps and web APIs. Most enterprises rely on established cloud-based identity providers and their respective authentication libraries to abstract protocol-level complexities and promote secure defaults. However, certain unintentional/less obvious implementation mistakes made by developers result in vulnerabilities that can be exploited with ease.
This session showcases a few common vulnerabilities we’ve found during some of our AppSec pentests across Microsoft. These are all real exploitable, fixed vulnerabilities that have been anonymized. We have also found similar antipatterns exhibited in external blogs and discussion forums. The demos used in this session leverage Azure Active Directory as the identity provider and ASP.NET as the relying party. However, the key takeaways are generic and are applicable to broader tech stacks.
Slides
Recording
Here is a recording of my full talk. I'm super happy that the talk went smooth and I finished on time (Thanks to my peers at work for bearing with my dry runs and sharing feedback). The best part is, the Demo Gods were with me and all the 5 live demos went exactly as planned :)
Shout out to volunteers & speakers!
Needless to say, a lot of effort was put by the volunteers to make the event an astounding success. Huge shout out to the volunteers for all the pre and post conference efforts, and also to my fellow speakers for the absolutely high quality content. Please do watch all the amazing talks of the event at the AppSec PNW Youtube Channel.
A token better than NFT!
I was pleasantly surprised to receive a token of appreciation from the planning committee. In the world of NFTs and digital gifts, a physical tumbler (Yeti Rambler) and a handwritten "Thank You" note is worth more than an NFT to me (oh wow, I sound so old school!). Probably it's more than 2 decades ago that I received a handwritten note from someone (my grandfather used to post me handwritten letters when I was a kid). Thanks for the wonderful gesture @AppSecPnw!
Twitter Love :)
Thanks for your presentation! I enjoyed the breakdown of areas of weakness and the demos illustrating all of those, including the demo of getting around the client side guest blocking.
— jelliedchemicals (@jelliedchemical) June 11, 2022
I am hoping that the concepts and the demos covered in the talk will be of use to the security community - for both pentesters as well as developers. Hopefully, I will be able to share some more useful content in another event. Until next time, have fun exploring the fast-moving tech. Thanks for reading!