Name: OWASP Gothenburg OAuth2 and Offensive Security
Start: 2023-12-06T17:15:00+01:00
End: 2023-12-06T21:30:00+01:00
Location: Rosenlundsgatan 3

**Join us at our partner Omegapoint's office for an awesome evening with food and drinks, and talks about OAuth2 pitfalls and Pentest war stories!**

**Where:** Omegapoint, Rosenlundsgatan 3, 411 20 Göteborg

**A﻿genda:**
**1﻿7:00 - 17:30:** Welcome to Omegapoint
**1﻿7:30 - 17:45:** Introduction from the event hosts and presentation of tonight's speakers.
**1﻿7:45 - 18:30:** *How to f\*ck up at OAuth2 while following BCPs*
Best current practices (BCPs) for implementing OAuth2 and OIDC have undergone many changes over the years. In this presentation we highlight the risks of staying with the ancient (roughly 2019-2021) “current” best practices. The current (circa 2022) BCPs bring many changes, such as deprecation of the implicit flow, required usage of PKCE and the BFF pattern which mitigates some of the previous attack vectors. It takes time for new concepts to fully mature and secure defaults emerge. While following the latest BCPs it’s still possible to make mistakes and end up with a broken implementation. This presentation will show some common OAuth2/OIDC security pitfalls and why it is bad practice to use reverse proxy catch-all routing in your BFF, an OAuth2 client with access to many scopes, together with APIs that do authorization based on just a valid token and scopes. Does your BFF enable authenticated SSRF as a Service? During the presentation we will demonstrate both attacks and defences for a OAuth2/OIDC application running locally.
**Pontus Hanssen** in an experienced security researcher and penetration tester. He loves to hack everything that blinks or has an IP address. Pontus performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security.
**Tobias Ahnoff** is an experienced developer and architect with focus on application security. He specializes in implementing authentication flows and authorization for web applications and APIs that manage sensitive data. Tobias performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security. He also gives courses in application security and is an appreciated speaker in OAuth2 and OpenID Connect areas.

**18:30 - 19:15:** Food

**19:15 - 20:00:** *Pentesting War Stories*
Working in penetration testing generates quite a few interesting stories
about spectacular vulnerabilities found in tested systems.
Often these stories are not shared outside of a small circle of people.
This presentation goes through a selection of vulnerabilities found
during assignments in the recent years. The titles of the stories are:
“The omnipotent client cert” (automotive app), “Next level XSS“ (web),
No route to boat” (network), and ”Having a conversation with a door
handle" (embedded).
**Emilie Barse** is an experienced IT security consultant with a deep
interest in security testing and log analysis. She has worked in IT
security since 2005 and has worked in numerous different industries, and has tested applications, networks, cloud environments, IoT systems, and cars. Emilie has a PhD in computer security from Chalmers University of Technology.

**2﻿0:00 - 21:30:** Over-time (optional)
H﻿ang out, grab something to drink, and discuss security, the weather or anything in between!

Dennis Dubrefjord

OWASP Gothenburg Chapter

OWASP® Foundation 

Technology

Web Security

OWASP

Information Security

Application Security

Software Security

Computer Security

Cybersecurity

Web Application Security

OWASP Gothenburg OAuth2 and Offensive Security

Rosenlundsgatan 3

Share

OWASP Gothenburg Chapter

OWASP Gothenburg OAuth2 and Offensive Security

OWASP Gothenburg Chapter

Details

Members are also interested in