Single Sign-On (SSO) protocols are among the most important Internet technologies and are used by countless applications. They keep the registration and login process as simple as possible for users and enable applications to be connected to social networks. Although OAuth and OpenID Connect are established as today's common standards, serious attacks on SSO protocols have been discovered in recent years. These attacks exploit the complexity of the underlying standards and implementation flaws, and allow attackers to authenticate themselves as arbitrary users or to access confidential user data. By doing so, attackers can potentially read, manipulate, or delete the data of arbitrary users across these applications.
In this training, we give a detailed overview of the Single Sign-On concept and deepen the participants' knowledge of applying the established standards OAuth and OpenID Connect. Using examples, numerous attacks are presented and discussed with the participants in detail. To gain the best possible understanding, the participants are given the opportunity to execute various attacks themselves in a virtual machine prepared by us. Different tools for the analysis of SSO procedures are presented and then used hands-on. The virtual machine works offline and can be used for further internal education of the participants after the training. Finally, techniques and concepts to strengthen the security of SSO procedures and to prevent the well-known attacks are discussed.
Due to the critical role that Single Sign-On fulfills in applications nowadays, it is essential to understand and address the problems of these technologies in detail. The training will address the following questions, among others:
- When should I use OAuth rather than OpenID Connect?
- What are the differences between the various OpenID Connect flows?
- Which attacks exist on SSO flows and how can they be prevented?
It is also possible to extend this training to 3 days by covering the topics in more depth or by adding SAML to the learning program.
If you are looking for a first introduction to Single Sign-On and the OAuth and OpenID Connect standards, take a look at our introductory training on this topic. The introductory training is not a requirement for participating in this training.
Possible Training Contents:
- Introduction to Single Sign-On
- OAuth and OpenID Connect Flows
  - Code Flow
  - Implicit Flow
  - Hybrid Flow
- Generic Attacks on SSO Procedures
  - XSS, Clickjacking, CSRF, Open/Covert Redirects
- First OAuth- and OpenID Connect-specific Attacks
- ID Token
  - Details & Attacks
- Single-Phase Attacks
  - ID Spoofing Attacks
  - Signature Bypasses
- Cross-Phase Attacks
  - Issuer Confusion
  - Malicious Endpoint Attacks
  - IdP Confusion
- Further Technologies
  - Native Apps and Single Page Applications (SPAs)
  - Device Grant
  - Secure Token Bindings
  - Mutual TLS
Requirements: This training is designed primarily for two target audiences:
- Developers who wish to use single sign-on protocols based on OAuth and OpenID Connect in a practical manner.
- Penetration testers and security researchers who want to learn how to evaluate the security of single sign-on protocols which are based on OAuth and OpenID Connect.
For your participation, all you need is a computer and virtualization software for the practical exercises; we recommend VirtualBox. For optimal sound quality, we recommend using a headset.
Fixed dates for online training courses
In addition to the possibility of booking this training individually for your team, it is possible to register for one of our fixed dates. The next date for this online training is 17.11. - 18.11.2021. This training will be held in German.
Registration: Registration for the online training courses is via email to Dr. Christian Mainka and is possible until Wednesday, 03.11.2021.
- Date: Thursday and Friday, 17.11. - 18.11.2021
- Time: each day from 09:00 to 17:00
- Duration: 2 days, 8 hrs. per day (incl. breaks)
- Total price: 1.300€ plus VAT (per person)
- Registration: by email to Dr. Christian Mainka
- Registration deadline: Wednesday, 03.11.2021
- Note: This training will be held in German.
- Note: We reserve the right to cancel the training if there are less than 5 participants. A possible cancellation will be communicated at least one week before the training date.
Your Contact for This Training
Dr. Christian Mainka