Скачать или смотреть OAuth-some Security Tricks: Yet more OAuth abuse

Abstract:
Join in this deep dive looking at new abuses of OAuth 2.0. We'll look at a variety of attacks including phishing and stolen credential attacks, starting with Microsoft authorization code grant to Google authorization code grant using copy/paste. We'll then move on to new attacks including: OWA browser attacks, Chrome attacks, different SaaS OAuth implementations, upstream SSO attacks, and hidden uses of OAuth in Google App Scripting and Google Cloud Shell.
In a nod to Penn and Teller, with each attack, we'll reveal the underlying secret techniques used, why and how it works, and what can be generalized. We'll then show how the most common defensive measures (e.g. MFA, IP allow lists, application allow lists, authorization controls) are used to mitigate each attack, then adjust the attack to bypass the defensive measure. We'll also discuss what vendors have been doing to mitigate these attacks and whether they are effective.
Code for any demo/POCs will be made available as open-source.

Speaker Details:
Jenko Hwong is a Principal Researcher on Netskope's Threat Research Team, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and windows security.