Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/b1narygl1tch/awesome-oauth-sec

OAuth2.0 and OpenID from an information security perspective

List: awesome-oauth-sec

bugbounty information-security infosec oauth2 security

Last synced: about 1 month ago

README

# Awesome OAuth2.0 and OpenID Connect Security
OAuth 2.0 and OpenID Connect from an information security perspective.

## Specifications
[The OAuth 2.0 Authorization Framework (RFC 6749)](https://datatracker.ietf.org/doc/html/rfc6749)
[OAuth 2.0 Threat Model and Security Considerations (RFC 6819)](https://datatracker.ietf.org/doc/html/rfc6819)

## Articles
[OAuth 2 Simplified](https://aaronparecki.com/oauth-2-simplified/)
[OAuth 2.0](https://oauth.net/2/)
[Diagrams And Movies Of All The OAuth 2.0 Flows](https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85)
[Which OAuth 2.0 Flow Should I Use?](https://auth0.com/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use)
[Publications about OAuth & OIDC by Daniel Fett](https://danielfett.de/publications/)

## OpenID Connect
[OpenID Connect](https://openid.net/connect/)
[Understanding ID Token](https://darutk.medium.com/understanding-id-token-5f83f50fa02e)
[Inclusion Relation among JWS, JWE, JWT, ID Token and Access Token](https://darutk.medium.com/inclusion-relation-among-jws-jwe-jwt-id-token-and-access-token-a99312fc1ad4)
[[pdf] OpenID Connect Security Considerations](https://www.nds.ruhr-uni-bochum.de/media/ei/veroeffentlichungen/2017/01/13/OIDCSecurity_1.pdf)
[OpenID Specifications](https://openid.net/developers/specs/)

## Cheatsheets
[OAuth 2.0 Threat Model Pentesting Checklist](https://securityhubs.io/oauth2_threat_model)
[Hack3rScr0lls OAuth2.0 attacking mindmap](https://twitter.com/hackerscrolls/status/1269266750467649538)
[OAuth to Account takeover](https://book.hacktricks.xyz/pentesting-web/oauth-to-account-takeover)
[OAuth 2.0 Vulnerabilities](https://0xn3va.gitbook.io/cheat-sheets/web-application/oauth-2.0-vulnerabilities)
[OpenID Connect Vulnerabilities](https://0xn3va.gitbook.io/cheat-sheets/web-application/oauth-2.0-vulnerabilities/openid-connect)
[OAuth by Sakurity](http://sakurity.com/oauth)
[OAuth 2.0 Security Cheat Sheet (by Koen Buyens)](https://github.com/koenbuyens/oauth-2.0-security-cheat-sheet)

## Laboratories / Learning Materials
[OAuth 2.0 authentication vulnerabilities (PortSwigger)](https://portswigger.net/web-security/oauth)
[Damn Vulnerable OAuth 2.0 Applications](https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications)
[HackTheBox Oouch machine (retired)](https://app.hackthebox.com/machines/231)
[Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)](https://github.com/vulhub/vulhub/tree/f8f0268746f22ec1437a8aee67f7e7ba1bfba86f/spring/CVE-2016-4977)
[PentesterLab Pro Exercises (filter by "OAuth")](https://pentesterlab.com/exercises)

## HackerOne Reports
[Top OAuth reports from HackerOne](https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPOAUTH.md)
[#317476 Account takeover in Periscope TV (Host header poisoning)](https://hackerone.com/reports/317476)

## Bug Bounty Writeups
[Bypassing GitHub's OAuth flow](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html)
[Traveling with OAuth - Account Takeover on Booking.com](https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com)
[Multiple bugs chained to takeover Facebook Accounts which uses Gmail](https://ysamm.com/?p=763)

## CTF Writeups
[[video] HackTheBox - Oouch (by IppSec)](https://www.youtube.com/watch?v=EUtqjK27MxQ)
[Hacktivity'20 Notes Surfer task](https://github.com/gr455/ctf-writeups/blob/master/hacktivity20/notes_surfer.md)

## Attacking OAuth
[[video] How to Hack OAuth by Aaron Parecki](https://www.youtube.com/watch?v=tbu4CfzP25o)
[Egor Homakov's OAuth blogposts](http://homakov.blogspot.com/search?q=oauth)
[Common OAuth issue you can use to take over accounts](https://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/)
[The Most Common OAuth2 Vulnerability](http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html)
[Hidden OAuth attack vectors](https://portswigger.net/research/hidden-oauth-attack-vectors)
[Account hijacking using "dirty dancing" in sign-in OAuth-flows](https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/)
[Salt Labs exposes a new vulnerability in popular OAuth framework Expo, used in hundreds of online services](https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundreds-of-online-services)

## Securing OAuth
[Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters](https://auth0.com/docs/secure/attack-protection/state-parameters)
[How to prevent OAuth authentication vulnerabilities](https://portswigger.net/web-security/oauth/preventing)
[OAuth 2.0 Security Best Current Practice (draft-ietf-oauth-security-topics, published as RFC 9700)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)
[API Security Checklist (OAuth)](https://github.com/shieldfy/API-Security-Checklist#oauth)
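
The links above describe the defences in prose; the following is an added example (written for this page, not code from the list or from any of the projects it links) that models the authorization-code flow in memory and shows the checks actually firing: exact-match `redirect_uri` on the authorization server, a session-bound `state` on the client (the login-CSRF case in Homakov's "most common OAuth2 vulnerability"), single-use codes, and PKCE (RFC 7636, S256) so a leaked code cannot be redeemed without the verifier. `AuthorizationServer`, `Client`, the client_id `app` and the `https://app.example/cb` redirect are all hypothetical.

```python
"""Added example, not code from the awesome-oauth-sec list or any project it links.
In-memory model of the OAuth 2.0 authorization-code flow with the checks the
"Securing OAuth" links call for: exact-match redirect_uri, session-bound state,
single-use codes and PKCE (RFC 7636, S256). AuthorizationServer, Client and the
client_id / redirect_uri values are hypothetical."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(sha256(verifier)) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Hypothetical AS: registered clients, issued codes, /authorize and /token."""

    def __init__(self):
        self.clients = {}  # client_id -> registered redirect_uri (exact string)
        self.codes = {}    # code -> (client_id, redirect_uri, code_challenge)

    def register(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def authorize(self, client_id, redirect_uri, state, code_challenge):
        """redirect_uri must equal the registration exactly (no prefix/substring
        match); the fresh code is bound to the client and the PKCE challenge."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not exactly match registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Code is single-use, must come back from the same client and redirect_uri,
        and the verifier must hash to the challenge stored at /authorize time."""
        entry = self.codes.pop(code, None)  # pop first: a replayed code always fails
        if entry is None:
            raise ValueError("unknown or already used code")
        c_id, c_uri, challenge = entry
        if c_id != client_id or c_uri != redirect_uri:
            raise ValueError("code not issued to this client/redirect_uri")
        if not secrets.compare_digest(pkce_challenge(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class Client:
    """Hypothetical client; `session` stands in for the user's cookie-bound session."""

    def __init__(self, client_id, redirect_uri, server):
        self.client_id, self.redirect_uri, self.server = client_id, redirect_uri, server

    def start_login(self, session):
        # Fresh state and PKCE verifier per attempt, kept only in this user's session.
        session["state"] = secrets.token_urlsafe(16)
        session["verifier"] = secrets.token_urlsafe(32)
        return self.server.authorize(self.client_id, self.redirect_uri,
                                     session["state"], pkce_challenge(session["verifier"]))

    def callback(self, session, url):
        """Consume the redirect; a state not matching *this* session is login CSRF."""
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if "state" not in session or not secrets.compare_digest(
                params.get("state", ""), session["state"]):
            raise ValueError("state mismatch: dropping callback")
        verifier, _ = session.pop("verifier"), session.pop("state")
        return self.server.token(self.client_id, params["code"], self.redirect_uri, verifier)


def demo():
    """Honest login plus three attacks; returns which attacks were blocked."""
    auth = AuthorizationServer()
    auth.register("app", "https://app.example/cb")
    client = Client("app", "https://app.example/cb", auth)
    victim, attacker = {}, {}
    honest = client.callback(victim, client.start_login(victim))

    def blocked(fn):
        try:
            fn()
            return False
        except ValueError:
            return True

    # 1. Login CSRF: attacker's own callback URL is forced into the victim's browser.
    injected = client.start_login(attacker)
    csrf = blocked(lambda: client.callback(victim, injected))
    # 2. Leaked code (e.g. via a referer) redeemed without the victim's verifier.
    leaked = client.start_login(victim)
    code = parse_qs(urlparse(leaked).query)["code"][0]
    pkce = blocked(lambda: auth.token("app", code, "https://app.example/cb", "guess"))
    # 3. redirect_uri that merely starts with the registered value.
    redirect = blocked(lambda: auth.authorize("app", "https://app.example/cb/../x", "s", "c"))
    return {"honest": honest["token_type"], "csrf_blocked": csrf,
            "pkce_blocked": pkce, "redirect_blocked": redirect}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` performs one honest login and then shows the three attacks rejected. A real deployment adds what this model omits: client authentication at the token endpoint for confidential clients, short code lifetimes, and revocation of every token derived from a code that is presented twice.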

## Tools / Applications / Scripts
[Jwtear](https://github.com/KINGSABRI/jwtear) - A modular command-line tool to parse, create and manipulate JSON Web Tokens (JWT) for security testing purposes.

## Playgrounds
[OAUTH.TOOLS](https://oauth.tools/)
[Google OAuth 2.0 Playground](https://developers.google.com/oauthplayground/)
[OAuth.com Playground](https://www.oauth.com/playground/)

## JWT (JSON Web Token) Security
[Attacking JWT authentication](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
[Practical Approaches for Testing and Breaking JWT Authentication](https://mazinahmed.net/blog/breaking-jwt/)
[reddit discussion about "Practical Approaches for Testing and Breaking JWT Authentication"](https://www.reddit.com/r/netsec/comments/dn10q2/practical_approaches_for_testing_and_breaking_jwt/)
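
The `alg: none` bypass described in "Attacking JWT authentication" above, and the issuer/audience/expiry checks an ID-token consumer from the OpenID Connect section must perform, as an added example (written for this page, not code from the list or the linked articles). It places a naive verifier that lets the token's own header pick the algorithm beside a hardened one that pins the algorithm server-side and validates `iss`, `aud` and `exp`. Stdlib only (HS256 via `hmac`); the key, issuer, audience and claims are constructed for the example.

```python
"""Added example, not code from the awesome-oauth-sec list or the articles it links.
Naive JWT verifier (trusts the header's alg) beside a hardened one that pins the
algorithm and enforces iss/aud/exp. KEY, ISSUER, AUDIENCE and the claims are
constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-hmac-key-not-for-real-use"   # hypothetical shared secret
ISSUER, AUDIENCE = "https://op.example", "my-client"   # hypothetical iss / aud


def _b64url_enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url_enc(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes = KEY) -> str:
    """Issue an HS256 JWT, as the authorization server / OP would."""
    head, body = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_enc(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Attacker: unsigned token whose header says alg=none; no key needed."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_naive(token: str, key: bytes = KEY):
    """Vulnerable: the untrusted header chooses the algorithm. Claims or None."""
    head, body, sig = token.split(".")
    alg = json.loads(_b64url_dec(head)).get("alg")
    if alg == "none":                      # the bug: "none" is read as "don't check"
        return json.loads(_b64url_dec(body))
    if alg == "HS256":
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(want, _b64url_dec(sig)):
            return json.loads(_b64url_dec(body))
    return None


def verify_hardened(token: str, key: bytes = KEY, now=None):
    """Algorithm fixed server-side; signature checked before any claim is used;
    iss, aud and exp enforced. Returns the claims, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_dec(head))
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not isinstance(header, dict) or header.get("alg") != "HS256" \
                or not hmac.compare_digest(want, _b64url_dec(sig)):
            return None
        claims = json.loads(_b64url_dec(body))
    except (ValueError, TypeError):        # bad base64 (binascii.Error) or bad JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def demo(now=1_700_000_000):
    """Legit and forged tokens through both verifiers; returns the outcomes."""
    legit = sign_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                        "role": "user", "exp": now + 300})
    forged = forge_alg_none({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                             "role": "admin", "exp": now + 300})
    wrong_aud = sign_hs256({"iss": ISSUER, "aud": "other-client", "sub": "alice",
                            "exp": now + 300})
    return {
        "naive_accepts_forged": verify_naive(forged) is not None,
        "hardened_accepts_forged": verify_hardened(forged, now=now) is not None,
        "hardened_accepts_legit": verify_hardened(legit, now=now) is not None,
        "hardened_rejects_wrong_aud": verify_hardened(wrong_aud, now=now) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The same shape applies to asymmetric algorithms: the verifier decides from configuration that a given issuer's tokens are, say, RS256 with a known public key, and never lets the header downgrade that choice to an HMAC over the public key bytes or to `none`.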

## Books
[Books about OAuth 2.0 (by oauth.net)](https://oauth.net/books/)
[Advanced API Security: OAuth 2.0 and Beyond (2nd edition)](https://www.amazon.com/Advanced-API-Security-Definitive-Guide/dp/1484220498)
[API Security in Action](https://www.manning.com/books/api-security-in-action)
[OAuth 2.0: Getting Started in Web-API Security](https://www.amazon.com/OAuth-2-0-Getting-Security-University/dp/1507800916)