Systematically Breaking and Fixing OpenID Connect
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore a comprehensive analysis of OpenID Connect security vulnerabilities and their solutions in this conference talk from AppSecEU 2016. Delve into the differences between OAuth and OpenID Connect, understanding the three-party system and dynamic solutions involved. Examine various attack vectors, including single-phase attacks, replay attacks, and IDP confusion attacks, along with their corresponding countermeasures. Learn about malicious endpoint attacks and out-of-service scenarios through practical demonstrations. Gain insights from security experts as they discuss current states of OpenID Connect implementation and provide a summary of key findings to enhance your understanding of this authentication protocol's security landscape.
Syllabus
Introduction
Three simple questions
The plan
OAuth vs OpenID Connect
OpenID Connect
Three parties
This face
Dynamic solution
ID token
Parameters
Attacks
Threat Model
Categories
Attacker Identity Provider
Single Phase Attacks
Another Attack
Replay Attacks
Supported Values
Single-phase attacks
Cross-phase attacks
Endpoints
IDP Confusion Attack
Countermeasure
Malicious Endpoint Attacks
Out of Service
Demo
Professors
Tobias works
IDPs
Switch
Current State
Summary
Taught by
OWASP Foundation
Related Courses
Computer Security (Stanford University via Coursera)
Cryptography II (Stanford University via Coursera)
Malicious Software and its Underground Economy: Two Sides to Every Story (University of London International Programmes via Coursera)
Building an Information Risk Management Toolkit (University of Washington via Coursera)
Introduction to Cybersecurity (National Cybersecurity Institute at Excelsior College via Canvas Network)