
OWASP Gothenburg OAuth2 and Offensive Security

Hosted By
Dennis D.

Details

Join us at our partner Omegapoint's office for an awesome evening with food and drinks, and talks about OAuth2 pitfalls and Pentest war stories!

Where: Omegapoint, Rosenlundsgatan 3, 411 20 Göteborg

Agenda:
17:00 - 17:30: Welcome to Omegapoint
17:30 - 17:45: Introduction from the event hosts and presentation of tonight's speakers.
17:45 - 18:30: How to f*ck up at OAuth2 while following BCPs
Best current practices (BCPs) for implementing OAuth2 and OIDC have undergone many changes over the years. In this presentation we highlight the risks of staying with the ancient (roughly 2019-2021) “current” best practices. The current (circa 2022) BCPs bring many changes, such as deprecation of the implicit flow, required use of PKCE, and the BFF pattern, which mitigates some of the previous attack vectors. It takes time for new concepts to fully mature and for secure defaults to emerge. Even while following the latest BCPs it is still possible to make mistakes and end up with a broken implementation. This presentation will show some common OAuth2/OIDC security pitfalls and why it is bad practice to combine reverse proxy catch-all routing in your BFF, an OAuth2 client with access to many scopes, and APIs that authorize based on nothing more than a valid token and its scopes. Does your BFF enable authenticated SSRF as a Service? During the presentation we will demonstrate both attacks and defences for an OAuth2/OIDC application running locally.
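To make the pitfall in the abstract concrete, here is an added illustration (not code from the talk, the speakers, or Omegapoint) of the two BFF routing policies it contrasts: a catch-all reverse proxy that forwards any `/api/...` path upstream with the session's full token, beside an explicit allow-list where each browser-facing route maps to a fixed upstream URL and a token narrowed to the scopes that route needs. All hosts, paths and scope names are hypothetical.

```python
# Added illustration (hypothetical routes, hosts and scopes): how a backend-for-
# frontend (BFF) decides which upstream API call a browser request becomes.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

# Decision = (upstream URL, scopes carried by the forwarded token), or None to refuse.
Decision = Optional[Tuple[str, FrozenSet[str]]]

CATCH_ALL_UPSTREAM = "https://api.internal.example"  # hypothetical internal gateway


def catch_all_resolve(method: str, path: str, session_scopes: FrozenSet[str]) -> Decision:
    """Anti-pattern from the abstract: forward anything under /api/ with the full session token.

    The BFF knows neither which upstream routes exist nor which scopes each needs,
    so the browser session can reach every API the token is valid for.
    """
    clean_path = urlsplit(path).path
    if clean_path.startswith("/api/"):
        # Upstream URL is built from the request path: the proxy is an open door.
        return (CATCH_ALL_UPSTREAM + clean_path[len("/api"):], frozenset(session_scopes))
    return None


@dataclass(frozen=True)
class Route:
    method: str
    path: str                         # exact browser-facing path
    upstream: str                     # fixed upstream URL, never derived from the request
    required_scopes: FrozenSet[str]   # least privilege for this one route


ALLOW_LIST = (
    Route("GET",  "/api/orders",  "https://orders.internal.example/v1/orders", frozenset({"orders:read"})),
    Route("POST", "/api/orders",  "https://orders.internal.example/v1/orders", frozenset({"orders:write"})),
    Route("GET",  "/api/profile", "https://users.internal.example/v1/me",      frozenset({"profile:read"})),
)


def _normalized(path: str) -> Optional[str]:
    """Keep only the path component; reject scheme/host prefixes, empty or dot segments."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return None
    segments = parts.path.split("/")[1:]
    if segments and segments[-1] == "":     # tolerate a single trailing slash
        segments.pop()
    if any(s in ("", ".", "..") for s in segments):
        return None
    return "/" + "/".join(segments)


def allow_list_resolve(method: str, path: str, session_scopes: FrozenSet[str]) -> Decision:
    """Forward only registered (method, path) pairs, with a token narrowed to the route's scopes.

    The narrowed scope set models what a BFF would obtain per upstream API (for
    example via token exchange); the request path never shapes the upstream URL.
    """
    clean = _normalized(path)
    if clean is None:
        return None
    for route in ALLOW_LIST:
        if route.method == method.upper() and route.path == clean:
            if not route.required_scopes <= session_scopes:
                return None  # session lacks a required scope: refuse rather than forward
            return (route.upstream, route.required_scopes)
    return None  # unknown route: nothing is forwarded


if __name__ == "__main__":
    session = frozenset({"orders:read", "profile:read", "admin:write"})  # constructed sample
    for req in (("GET", "/api/orders?page=2"), ("GET", "/api/admin/users"), ("GET", "/api/../internal")):
        print(req, "catch-all ->", catch_all_resolve(*req, session))
        print(req, "allow-list ->", allow_list_resolve(*req, session))
```

The point of the comparison is where the upstream URL and the token scopes come from: in the catch-all the browser chooses both implicitly, in the allow-list the BFF chooses both and the browser only picks among routes the BFF deliberately exposes.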
Pontus Hanssen is an experienced security researcher and penetration tester. He loves to hack everything that blinks or has an IP address. Pontus performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security.
Tobias Ahnoff is an experienced developer and architect with a focus on application security. He specializes in implementing authentication flows and authorization for web applications and APIs that manage sensitive data. Tobias performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security. He also gives courses in application security and is an appreciated speaker on OAuth2 and OpenID Connect.

18:30 - 19:15: Food

19:15 - 20:00: Pentesting War Stories
Working in penetration testing generates quite a few interesting stories about spectacular vulnerabilities found in tested systems. Often these stories are not shared outside of a small circle of people. This presentation goes through a selection of vulnerabilities found during assignments in recent years. The titles of the stories are: “The omnipotent client cert” (automotive app), “Next level XSS” (web), “No route to boat” (network), and “Having a conversation with a door handle” (embedded).
Emilie Barse is an experienced IT security consultant with a deep interest in security testing and log analysis. She has worked in IT security since 2005 across numerous industries, and has tested applications, networks, cloud environments, IoT systems, and cars. Emilie has a PhD in computer security from Chalmers University of Technology.

20:00 - 21:30: Over-time (optional)
Hang out, grab something to drink, and discuss security, the weather or anything in between!

OWASP Gothenburg Chapter