We offer web security trainings primarily for two target audiences: first, developers who want to learn about web application security, Single Sign-On, TLS, XML, and web service technologies; second, penetration testers who want to gain in-depth knowledge of web security. The topics we cover include both well-known and lesser-known attacks, along with their countermeasures. Furthermore, we go into detail on how to automate security tests.

Single Sign-On (SSO) protocols are among the most important Internet technologies and are used by countless applications. They make the registration and login process as simple as possible for users and enable applications to be connected to social networks. Although OAuth and OpenID Connect are established as today's common standards, serious attacks on SSO protocols have been discovered in recent years. These attacks exploit the complexity of the underlying standards and implementation flaws, and allow attackers to authenticate themselves as arbitrary users or to access confidential user data. By doing so, attackers can potentially read, manipulate, or delete the data of arbitrary users across these applications.

In this training, we give a detailed overview of the Single Sign-On concept and deepen the participants' knowledge of how the established standards OAuth and OpenID Connect are applied. Using examples, numerous attacks are presented and discussed with the participants in detail. To gain the best possible understanding, the participants are given the opportunity to execute various attacks themselves in a virtual machine prepared by us. Different tools for the analysis of SSO procedures are presented and then used hands-on. The virtual machine works offline and can be used for further internal education of the participants after the training. Finally, techniques and concepts to strengthen the security of SSO procedures and to prevent the well-known attacks are discussed.

Due to the critical role that Single Sign-On fulfills in applications nowadays, it is essential to understand and address the problems of these technologies in detail. The training will address the following questions, among others:

  • When should I use OAuth rather than OpenID Connect?
  • What are the differences between the various OpenID Connect flows?
  • Which attacks exist on SSO flows and how can they be prevented?

It is also possible to extend this training to 3 days by going into more depth on the topics or by adding SAML to the learning program.

Training Contents:

  • Introduction to Single Sign-On
  • OAuth and OpenID Connect Flows
    • Code Flow
    • Implicit Flow
    • Hybrid Flow
  • Generic Attacks on SSO Procedures
    • XSS, Clickjacking, CSRF, Open/Covert Redirects
  • First OAuth- and OpenID Connect-specific Attacks
  • ID Token
    • Details & Attacks
  • Single-Phase Attacks
    • ID Spoofing Attacks
    • Signature Bypasses
  • Cross-Phase Attacks
    • Issuer Confusion
    • Malicious Endpoint Attacks
    • IdP Confusion
  • Further Technologies
    • Device Flow, Native Apps & PKCE
  • Secure Token Bindings
    • Mutual TLS
    • Holder-of-Key

Requirements: This training is designed primarily for two target audiences:

  1. Developers who wish to use single sign-on protocols based on OAuth and OpenID Connect in a practical manner.
  2. Penetration testers and security researchers who want to learn how to evaluate the security of single sign-on protocols which are based on OAuth and OpenID Connect.

Example: 15 Slides
Flyer: Single Sign-On Security: OAuth & OpenID Connect

Contact: Dr. Christian Mainka