Description
I propose to write a case study about Improper Authentication in OAuth2 implementations of web application frameworks (CWE-287), a common and highly impactful vulnerability that occurs when developers incorrectly implement, or only partially check, OAuth2 authorization processes. OAuth2 is used to provide login access in many web and mobile applications, but small coding mistakes such as not verifying the token signature, not verifying the issuer, or incorrectly configured redirect URIs can allow attackers to bypass authentication and compromise user data. The case study will examine real-life instances of such flaws that resulted in account takeovers and data disclosure, and will show how design choices and weak defaults contributed to the problem. The main emphasis will be on systemic prevention measures, including full token validation with trusted libraries, Proof Key for Code Exchange (PKCE) for public clients, secure whitelisting of redirect URIs, and automated security testing of OAuth flows. The aim is to enable developers, architects and security engineers to learn how to design authentication mechanisms that are robust, verifiable and resilient against such typical implementation errors.
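To make the prevention measures above concrete, here is an added example (not part of the proposal or any framework's code) that shows the validation a relying party must perform on an incoming token: pinning the algorithm, checking the signature before trusting any claim, and then checking issuer, audience and expiry. It also shows exact-match redirect URI allowlisting and the PKCE S256 challenge from RFC 7636. The issuer, client id, redirect URI and signing key are constructed demo values, and HMAC-SHA256 stands in for whatever algorithm the provider actually uses.

```python
import base64, hashlib, hmac, json, time

# Constructed demo configuration; a real client pins these from its own config.
TRUSTED_ISSUER = "https://issuer.example"
CLIENT_ID = "demo-client"
REGISTERED_REDIRECTS = {"https://app.example/callback"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_token(token: str, key: bytes, now: int = 0) -> dict:
    """Full validation: alg, signature, issuer, audience, expiry. Raises ValueError on failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: rejects 'none' and alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # claims are trusted only from here on
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if (now or int(time.time())) >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def rejects(token: str, key: bytes, now: int) -> bool:
    try:
        validate_token(token, key, now)
        return False
    except ValueError:
        return True

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed helper that mints sample tokens for the demo, including unsigned alg=none ones."""
    h = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{h}.{p}.{_b64url(sig)}"

def redirect_uri_allowed(uri: str) -> bool:
    """Exact-match allowlist; prefix or substring matching is the classic redirect mistake."""
    return uri in REGISTERED_REDIRECTS

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)) from RFC 7636."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
```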
References:
https://cwe.mitre.org/data/definitions/287.html
https://www.cise.ufl.edu/~butler/pubs/dimva15.pdf
https://www.researchgate.net/publication/276397514_Security_evaluation_of_the_OAuth_20_framework