Make the world a safer place Menu

Talk

Getting developers to follow standards is easy, and other lies we tell ourselves

In June 2023, Descope published research on nOAuth, a critical OpenID Connect implementation flaw that enables user account takeover in vulnerable applications. Following the disclosure, Microsoft and the Microsoft Security Response Center (MSRC) published articles on this issue, highlighting common anti-patterns and their follow-up actions with impacted application owners.

Fast forward to the fall of 2024, and nOAuth remains an active security threat. In this session, we will explore its persistence, unveiling new research that builds upon Descope’s original findings to identify additional implementation flaw patterns and methods for staging the abuse. We will also discuss how we uncovered vulnerable applications, the varying responses from developers, and what this means for securing modern SaaS applications.

Attendees will leave with a deeper understanding of how nOAuth attacks work, real-world examples of its exploitation, and actionable strategies to mitigate this critical risk.

In June 2023, Descope published research on nOAuth, a critical OpenID Connect implementation flaw that enables user account takeover in vulnerable applications. Following the disclosure, Microsoft and the Microsoft Security Response Center (MSRC) published articles on this issue, highlighting common anti-patterns and their follow-up actions with impacted application owners.

Fast forward to the fall of 2024, and nOAuth remains an active security threat. In this session, we will explore its persistence, unveiling new research that builds upon Descope’s original findings to identify additional implementation flaw patterns and methods for staging the abuse. We will also discuss how we uncovered vulnerable applications, the varying responses from developers, and what this means for securing modern SaaS applications.

Attendees will leave with a deeper understanding of how nOAuth attacks work, real-world examples of its exploitation, and actionable strategies to mitigate this critical risk.

About the Speaker