OAuch: Analyzing the Security Best Practices in the OAuth 2.0 Ecosystem
by Pieter Philippaerts
OAuch is a security testing framework for OAuth 2.0 implementations. OAuth 2.0 implementations are semi-automatically tested using a large set of security-related tests. The tests are based on the requirements put forth by the original OAuth 2.0 specification, as well as several other documents that refine the security assumptions and requirements. OAuch also includes test sets specific to OpenID Connect (OIDC) and Financial-grade APIs.
OAuch computes an overall score that gives an indication of how well the tested site adheres to the security requirements of the standards. Vulnerabilities that are found or countermeasures that are missing in the implementation all contribute to a lower score. The impact of a failed test case on the resulting score depends on the requirement level as specified by the standard. For example, a missing countermeasure that is denoted as a 'MUST' in the standard will lower the score more than a missing 'SHOULD' countermeasure.
In addition to the score, the framework also generates a report with information about the failed test cases. This includes a description of each test case, a link to the (section in the) relevant standard, and a detailed log of the test. The log contains raw data such as HTTP requests and decoded JWT tokens, and allows the owner of the service to reconstruct the test.
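An added illustration of requirement-level weighted scoring and failure reporting in the spirit described above; this is example code, not OAuch's own implementation, and the weights, the normalisation and the sample test set are assumptions made here (RFC section numbers are cited from memory).

```python
# Added illustration of requirement-level weighted compliance scoring.
# The weights, the 0-100 normalisation and the sample test set are assumptions
# for this example, not OAuch's own logic.
from dataclasses import dataclass

# RFC 2119 requirement levels mapped to assumed penalty weights.
WEIGHTS = {"MUST": 3.0, "SHOULD": 1.5, "MAY": 0.5}

@dataclass(frozen=True)
class TestCase:
    name: str        # short description of the countermeasure checked
    level: str       # requirement level in the referenced standard
    reference: str   # section of the standard the test is based on
    passed: bool

def compliance_score(results):
    """Return a 0-100 score: 100 when every test passes; each failure
    subtracts its level's weight relative to the total weight at stake."""
    total = sum(WEIGHTS[t.level] for t in results)
    if total == 0:
        return 100.0
    lost = sum(WEIGHTS[t.level] for t in results if not t.passed)
    return round(100.0 * (1 - lost / total), 1)

def failure_report(results):
    """Failed tests, most severe requirement level first."""
    failed = [t for t in results if not t.passed]
    failed.sort(key=lambda t: -WEIGHTS[t.level])
    return [f"[{t.level}] {t.name} ({t.reference})" for t in failed]

# Constructed sample results (not taken from any real provider).
SAMPLE = [
    TestCase("Redirect URI is registered and matched exactly", "MUST",
             "RFC 6749 sec. 3.1.2.2", True),
    TestCase("State parameter is bound to the user session", "MUST",
             "RFC 6749 sec. 10.12", False),
    TestCase("Access token is not sent as a URI query parameter", "SHOULD",
             "RFC 6750 sec. 2.3", False),
    TestCase("Refresh tokens are rotated on use", "MAY",
             "RFC 6749 sec. 10.4", True),
]

if __name__ == "__main__":
    print("score:", compliance_score(SAMPLE))
    for line in failure_report(SAMPLE):
        print(line)
```

With the sample above the two failures cost 4.5 of 8 weight points, so the score is 43.8.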
It is important to note that OAuch is a testing framework that tests compliance with the OAuth 2.0 specification. Although it focuses on security, a failed test does not necessarily imply that a vulnerability exists in the implementation. Hence, it should not be seen as a vulnerability scanner. That said, failed tests do indicate weak points in the implementation that may be exploitable. As such, an attacker could use OAuch to quickly determine which attack vectors they should focus on.
This talk presents the OAuch test framework. We will also give a first look at the results of our analysis of the OAuth/OIDC ecosystem, where we test a number of high-profile implementations and providers.