OAuth is an emerging open-web specification for a growing number of organizations to access protected resources on each other's web sites. This presentation is a focused study of this user-centric Identity technology and its security weaknesses. We will present concise scenarios of how insecure implementations of this protocol can be abused maliciously. We examine the characteristics of some of these attack vectors, with real-world examples, and discuss tips on secure implementation and countermeasures.
Khash Kiani is a security consultant with over 13 years of experience in building and securing software applications for large defense, insurance, retail, technology, and health care organizations. He specializes in application security integration, penetration testing, and social-engineering assessments. Khash currently holds the GIAC GWAPT, GCIH, and GSNA certifications. He can be reached at khash@thinksec.com