Cross-Tenant Request Forgery Attack in Multi-Tenancy Environments - Albert Yu & Alan Bishop

Unveiling the Cross-Tenant Request Forgery Attack in Multi-Tenancy Environments

Description
To build a SaaS application platform, most platform owners rely on integrations with more popular ecosystems such as Microsoft Azure, Google Workspace, Okta, GitHub, Atlassian Jira, etc. The industry has moved towards open standards like OAuth for access delegation, but there are several flavors of OAuth (e.g. 3LO, 2LO, SPA) and each flavor fits a different scenario. Some APIs mandate a particular flavor of OAuth for access.

Adding to the complexity, most platform owners support more than one customer, i.e. multi-tenancy. Our research has uncovered significant challenges and potential security vulnerabilities that arise when implementing 2LO (either via Client Credentials or JWT bearer) in a multi-tenancy environment. Once exploited, attackers can compromise another tenant that co-exists on the same platform and obtain its data without being noticed. Given the difficulty of implementing the solution correctly with the right usability, we believe there is a lot of misimplementation lurking in the wild.

We call the attack "Cross-Tenant Request Forgery". Our goal is to make developers aware of this kind of vulnerability and to discuss remediations for different scenarios; for some cases, the remediations are vendor specific.
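The abstract above does not spell out a concrete failure mode, so the following is an added illustration, not code from the talk or from Anzenna. It assumes a platform that onboards one 2LO JWT-bearer integration per tenant (constructed registry `CLIENTS`, placeholder secrets, HS256 via the standard library) and that the tenant whose data is requested arrives separately from the credential (e.g. in the URL path). The weak check accepts any validly signed assertion from any onboarded client and then serves whatever tenant the request names; the hardened check additionally requires that the tenant bound to the credential at onboarding equals the tenant being accessed, which is the property a cross-tenant request forgery defeats.

```python
"""Tenant-bound verification of 2LO JWT bearer assertions (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(secret: bytes, claims: dict) -> str:
    """Hypothetical helper standing in for an integration's client: builds an HS256 JWT assertion."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# Constructed client registry: each tenant onboarded its own integration, so every
# client_id is bound to exactly one tenant. Secrets are illustrative placeholders.
CLIENTS = {
    "app-a": {"tenant": "tenant-a", "secret": b"placeholder-secret-a"},
    "app-b": {"tenant": "tenant-b", "secret": b"placeholder-secret-b"},
}


def _verify_assertion(token: str, now: float) -> Optional[dict]:
    """Return the claims if alg, signature (under the issuer's registered secret) and expiry check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token pick its own algorithm
        return None
    client = CLIENTS.get(claims.get("iss"))
    if client is None:
        return None
    expected = hmac.new(client["secret"], f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def authorize_weak(token: str, requested_tenant: str, now: Optional[float] = None) -> bool:
    """Weak pattern: a valid assertion from ANY onboarded client unlocks whichever tenant the request names."""
    claims = _verify_assertion(token, time.time() if now is None else now)
    # requested_tenant is trusted as-is; nothing ties it to the credential's owner
    return claims is not None


def authorize_tenant_bound(token: str, requested_tenant: str, now: Optional[float] = None) -> bool:
    """Hardened pattern: the credential must belong to the tenant whose data is being requested."""
    claims = _verify_assertion(token, time.time() if now is None else now)
    if claims is None:
        return False
    return CLIENTS[claims["iss"]]["tenant"] == requested_tenant


if __name__ == "__main__":
    now = 1_700_000_000
    tok_b = mint_assertion(CLIENTS["app-b"]["secret"],
                           {"iss": "app-b", "sub": "app-b", "aud": "platform", "exp": now + 300})
    print("weak, tenant-b credential -> tenant-a data:", authorize_weak(tok_b, "tenant-a", now))
    print("bound, tenant-b credential -> tenant-a data:", authorize_tenant_bound(tok_b, "tenant-a", now))
```

The same binding is needed whatever the 2LO flavor: with Client Credentials the lookup key is the client_id/secret pair, with JWT bearer it is the issuer or key id, and in both cases the record found must name the tenant being served, not merely exist.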

Albert Yu
Co-Founder and CTO, Anzenna Inc.
Albert has been a lifelong security practitioner and has been building security infrastructure for 20+ years. Most recently Albert was building GCP security infrastructure at Google. Before Google, Albert was at Atlassian and Yahoo! (US), building security platforms and infrastructure. Prior to that, he built the security engineering program for Yahoo! (APAC). Albert has a PhD in Computer Science from the University of Hong Kong. Now Albert is a co-founder of Anzenna Inc, aiming to make security a habit for employees.

Alan Bishop
Lead Software Developer, Anzenna, Inc.
Alan Bishop is a lead software developer at Anzenna, Inc., a startup focused on scaling security in the enterprise across the entire organization. Although primarily a backend software engineer these days, Alan has been finding and reporting security bugs since the 1980s. He is mostly focused on web application security, with extra attention on authentication and identity issues.


Managed by the OWASP® Foundation