Below you will find pages that utilize the taxonomy term “OpenID Connect”
SSO Gadgets: Escalate (Self-)XSS to ATO
With the rise of Single-Sign-On (SSO) and especially OAuth 2.0 and OpenID Connect (OIDC), the attack surface of web applications has increased significantly. In this post, I will show how to escalate a Cross-Site Scripting (XSS) vulnerability to an Account Takeover (ATO) by abusing OAuth2/OIDC gadgets and how to prevent such attacks.
Flickr Account Takeover
This post gives a deep dive into a critical security flaw that was present in Flickr’s login flow.
The authentication at identity.flickr.com is implemented using AWS Cognito. By exploiting configuration issues and violations of the OpenID Connect specification, it was possible to takeover any Flickr account without user interaction.
TikTok Careers Portal Account Takeover
The following (slightly modified) vulnerability report was sent to TikTok using Hackerone on 17th October 2020 and was resolved within 12 days.
Real-life OIDC Security (VII): Responsible Disclosure
This is the final post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, Responsible Disclosure processes with five vendors and maintainers of popular OpenID Connect implementations are outlined. We reported vulnerabilities and security issues in Amazon Cognito, Bitbucket Server, GitLab, Keycloak, and Salesforce.
Real-life OIDC Security (VI): Reusable state leads to DoS Amplification
This is the sixth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the missing requirement of the state
value within the OpenID Connect Core specification leads to real-life security issues. Namely, the Denial-of-Service Amplification attack is introduced with CVE-2020-14302 (Keycloak) as an example.
Real-life OIDC Security (V): Redirect URI
This is the fifth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the vague specification of the Redirect URI within the OpenID Connect Core specification leads to real-life security issues. Finally, we show a real-world example of such an issue with CVE-2020-10776 (Keycloak) as an example.
Real-life OIDC Security (IV): Server-Side-Request-Forgery
This is the fourth post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, SSRF vulnerabilities that were discovered in popular OIDC implementations (Keycloak (CVE-2020-10770) and Amazon Cognito) are explained in detail.
Real-life OIDC Security (III): CRLF Injections
This is the third post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, a more common CRLF injection in the context of OIDC is discussed in detail. We present issues discovered in GitLab (Severity: High - Critical) and Bitbucket Server (Severity: Informative - Low).
Real-life OIDC Security (II): Login Confusion
This is the second post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, the novel Login Confusion attack is described in detail. We use Bitbucket Server as an example.
CVE-2020-13294
The following (slightly modified) advisory was sent to GitLab using Hackerone on 19th June 2020.
Real-life OIDC Security (I): Overview
This is the first post of a series on Single Sign-On and OpenID Connect 1.0 security. This post presents a high-level overview of observed issue patterns during my research on real-life OIDC security and proposes additions to the specification’s security considerations.