DeepSec 2021 Training: How to Break and Secure Single Sign-On (OAuth and OpenID Connect) – Karsten Meyer zu Selhausen
Implementing single sign-on has huge benefits in general. It allows the registration and login process for users to be designed as simply as possible, and it enables applications to be connected to social networks. Although OAuth and OpenID Connect are established as today's common standards, serious attacks on them have been discovered in recent years. These attacks exploit the complexity of the underlying standards and implementation flaws, and allow attackers to authenticate themselves as arbitrary users or to access confidential user data.
By doing so, attackers can potentially read, manipulate, or delete the data of arbitrary users across these applications. Due to the critical role that single sign-on fulfills in applications nowadays, it is important to understand and address the pitfalls of using OAuth and OpenID Connect. However, automatic security scanners are not able to properly evaluate complex single sign-on systems, and manual security testing is essential to comply with high security standards.
In this training, we give a detailed overview of the single sign-on concept and deepen the attendees' knowledge of the established standards OAuth and OpenID Connect and their application. Using examples, numerous attacks are presented and discussed with the attendees in detail. To gain the best possible understanding, the attendees are given the opportunity to execute various attacks themselves in a virtual machine prepared by us. Different tools for the analysis of single sign-on procedures will be presented and used during this training. Finally, techniques and concepts to strengthen the security of single sign-on systems and to prevent the well-known attacks are discussed.
The training is divided into alternating theoretical and interactive sessions. During the theoretical sessions, the attendees learn the concepts and details of single sign-on, the OAuth and OpenID Connect flows, and various attacks and countermeasures. The following interactive sessions help them to fully understand the presented details by exploring and exploiting single sign-on services in a pre-built test environment.
Karsten Meyer zu Selhausen has several years of experience in the fields of secure deployment and secure use of well-known single sign-on standards, such as OAuth, OpenID Connect and SAML.
He has worked as an IT security consultant, penetration tester and trainer for Hackmanit GmbH since 2016. During his master's degree in IT Security at the Ruhr-University Bochum, he specialized in the security of protocols for delegated authorization and authentication, as well as data description languages such as XML and PDF. He gained profound expertise in the security of single sign-on procedures, such as OAuth, OpenID Connect and SAML, during numerous consulting projects and penetration tests. Karsten frequently shares his knowledge and experience with customers from various industry fields in IT security training courses.