Authentication mechanisms are widely regarded as the most sensitive part of any application, yet they remain among the most prone to implementation errors. In this session, the security researcher will discuss how he broke the authentication mechanisms of some of the largest applications in the world (Uber, Yahoo, Twitter, etc.). He will present advanced, practical ways of exploiting SSO mechanisms such as SAML and OAuth, as well as user-invitation and password-reset flows.
In the second part of the session we will examine how CSP (Content Security Policy) helped fix one of these vulnerabilities, and we will elaborate on the various HTTP security headers described by the Internet Engineering Task Force (IETF).
A security researcher from GE Digital will discuss what each of these headers does to augment web application security, and under what circumstances each could be bypassed by a clever adversary.
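As an added illustration of the header review the second part of the session describes (this is example code written for this page, not material from the session or from GE Digital), the following Python checker audits a set of HTTP response headers and flags the weak settings that well-known bypasses rely on: 'unsafe-inline' in script-src without a nonce or hash, wildcard or scheme-only script sources, a missing base-uri or object-src, an HSTS max-age too short to matter, and unrestricted framing. The two sample header sets, their host names and the finding strings are constructed for the example.

```python
"""Audit HTTP security headers for settings a known bypass would get around.

Example code added for this page; the sample responses below are
constructed and the finding strings are this example's own wording.
"""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.

    Directives are ';'-separated; the first token is the directive name.
    Per the CSP spec the first occurrence of a directive wins, so later
    duplicates are ignored (setdefault).
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives such as script-src and object-src fall back to default-src."""
    return policy.get(directive, policy.get("default-src"))


def audit_csp(value: str) -> List[str]:
    findings: List[str] = []
    policy = parse_csp(value)

    script = effective_sources(policy, "script-src")
    if script is None:
        return ["CSP: neither script-src nor default-src is set; script loading is unrestricted"]
    keywords = {s.lower() for s in script}  # keywords are case-insensitive

    nonce_or_hash = any(k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords)
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it is only a hole when it stands alone.
    if "'unsafe-inline'" in keywords and not nonce_or_hash:
        findings.append("CSP: script-src allows 'unsafe-inline' with no nonce/hash; injected inline scripts run")
    if "'unsafe-eval'" in keywords:
        findings.append("CSP: script-src allows 'unsafe-eval'; injected strings can reach eval()")
    # With 'strict-dynamic', host and scheme sources are ignored by supporting
    # browsers; without it, a wildcard or bare scheme lets any script on those
    # hosts (including JSONP endpoints or attacker-uploaded files) be loaded.
    if "'strict-dynamic'" not in keywords:
        for src in keywords:
            if src in ("http:", "https:", "data:") or "*" in src:
                findings.append(f"CSP: overly broad script source {src}")

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("CSP: object-src is not 'none'; plugin content can be used to execute script")
    # base-uri has no default-src fallback: without it an injected <base> tag
    # redirects every relative script URL to the attacker's host.
    if "base-uri" not in policy:
        findings.append("CSP: no base-uri directive; an injected <base> tag can hijack relative script URLs")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("No Content-Security-Policy header")
    else:
        findings.extend(audit_csp(csp))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("No Strict-Transport-Security; the first plain-http request can be intercepted")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year; the pin lapses quickly")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains; subdomains remain reachable over plain http")

    # frame-ancestors does not fall back to default-src, and X-Frame-Options
    # ALLOW-FROM is not honoured by modern browsers, so only DENY/SAMEORIGIN count.
    frame_ancestors = parse_csp(csp).get("frame-ancestors") if csp else None
    xfo = h.get("x-frame-options", "").strip().upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Framing unrestricted (no frame-ancestors, no X-Frame-Options DENY/SAMEORIGIN); clickjacking possible")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("No X-Content-Type-Options: nosniff; browsers may sniff responses into scripts or styles")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
HARDENED_RESPONSE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'nonce-d2VsbCBk' 'strict-dynamic' https: 'unsafe-inline'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(f"== {name} ==")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print(" -", finding)
```

The hardened policy deliberately keeps `https:` and `'unsafe-inline'` after the nonce and `'strict-dynamic'`: browsers that understand those two keywords ignore the fallbacks, while older browsers fall back to them, so the checker only flags them when no nonce, hash or `'strict-dynamic'` is present.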
Attendees will be able to perform the attacks covered on a pre-configured lab environment during the workshop.