Conference:  Global AppSec San Francisco 2022

Authors: Jenko Hwong

2022-11-18

Supply chain identity attacks are not new, for example the Golden SAML attack (Cyberark, 11/2017), which used stolen certificates to spoof SAML responses. Recently, new POC identity attacks have been published such as gaining access to a Facebook account that uses Gmail as the identity provider via OAuth 2.0 (Sammouda, 5/2022), utilizing the chaining of traditional web vulnerabilities such as XSS with the design of the OAuth protocol in order to steal OAuth session tokens. These new attacks pose new challenges for security operations: remotely-enabled attacks by design without need for endpoint compromise, near-permanent access, no need to go through MFA challenges, and incomplete controls for security operations in preventing, detecting, and responding to these attacks.This presentation looks underneath the hood at these more recent attacks that are combining attacks against peculiarities in today's ubiquitous OAuth 2.0 protocol along with traditional web vulnerabilities. We will cover how these attacks work, what's different about them, how OAuth 2.0 is used and abused, and how we must incorporate new controls specific to the protocols involved in order to defend against these attacks.We'll look at what controls or measures are provided by identity vendors such as Microsoft and Google and popular SaaS apps, and look at the cost-benefit of implementing your own controls.This presentation will focus on hands-on demos to illustrate the new attacks as well as efficacy of defensive measures. Slides will focus on security architectures and flows to convey fundamental concepts. Any useful tools or demonstrations will be made available in an open-source repository under 3-Clause BSD licensing.