OAuth 2.0 for Hackers (Part 2): How to Hack With Insecure OAuth 2 Endpoints

Part 1: OAuth 2.0 for Hackers (Part 1): Easy Guide to Understanding the Basics in OAuth 2 with OIDC

In Part 1, we covered an overview of the OAuth 2 (Open Authorization Framework) process in 2024 and how it works from a technology perspective, using OpenID Connect (OIDC). In this video, we go over the OAuth 2.0 grant types and how to approach OAuth as an ethical hacker. Additionally, we see how to ensure that OAuth is secured (by doing things like including a "state" parameter). It is important to note that there are other API protection considerations when dealing with OAuth that are not mentioned in this video, but they can be found in OAuth service provider documentation and API best practices.

This video covers the following OAuth-related topics:
- Grant types
- Client ID vs. access tokens
- Recon
- 2 labs utilizing CSRF, with explanations

-----------------------------------------------------------------
Timestamps:
0:00 Introduction
0:55 Grant Type(s)
1:32 Authorization Code Grant
2:23 PKCE Grant (Proof Key for Code Exchange)
3:16 Password Code Grant
3:33 Client Credentialed Access
4:17 Device Code Grant
4:44 Refresh Tokens
7:29 Implicit Grant
9:02 Client ID Tokens vs Access Tokens
9:59 Recon on OAuth
17:12 OAuth lab 1
23:51 How the attack in Lab 1 works
27:19 OAuth Lab 2 (crashed the lab server lol!)
32:04 Broken Lab 2 explanation
32:50 Conclusion
-----------------------------------------------------------------
Socials:
LinkedIn: /vankperry
Discord: @vipv4
-----------------------------------------------------------------
Join our community! /discord
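The "state" parameter mentioned above is the client-side defence against the login CSRF the two labs demonstrate. The following is an added example (not code from the video or its labs) of an authorization-code client that binds a one-time state to the user's session and rejects any callback whose state is missing or does not match, shown beside the weak pattern that trusts whatever code arrives; the endpoint and client values are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # hypothetical provider


def begin_login(session, client_id, redirect_uri):
    """Step 1: mint an unguessable one-time state, store it in the user's
    server-side session and send it along with the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Step 2: on the redirect back, accept the authorization code only if the
    state echoed by the provider matches the one bound to this session.
    Returns (code, "ok") on success or (None, reason) when rejected."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: consume it
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None, "missing state"
    if not hmac.compare_digest(expected, received):  # constant-time compare
        return None, "state mismatch"
    code = query.get("code", [None])[0]
    if code is None:
        return None, "missing code"
    return code, "ok"


def handle_callback_no_state(callback_url):
    """The weak pattern: no state check, so a code planted in a victim's
    browser by a forged redirect is accepted and bound to the victim's session."""
    query = parse_qs(urlparse(callback_url).query)
    return query.get("code", [None])[0]
```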