Krishna Chaitanya Telikicherla

Krishna Chaitanya Telikicherla

Senior Security Engineer at Microsoft

Krishna Chaitanya Telikicherla is a Senior Security Engineer at Microsoft and a member of the Azure EDG (Edge+Platform, Devices, and Gaming) SERPENT team. He specializes in Application Security and performs security assessments against Azure EDG software products and services. He is passionate about discovering and eliminating code-level vulnerabilities at scale, and loves exploring security and identity controls of cloud services. Krishna blogs at and tweets as @novogeek.

Presentation Abstract

Common Vulnerabilities in Modern Auth Implementations

Enterprises often leverage the modern authentication protocols - OpenId Connect and OAuth - to secure their cloud-based web apps and web APIs. Most enterprises rely on established cloud-based identity providers and their respective authentication libraries to abstract protocol-level complexities and promote secure defaults. However, certain unintentional/less obvious implementation mistakes made by developers result in vulnerabilities that can be exploited with ease.

This session showcases a few common vulnerabilities we’ve found during some of our AppSec pentests across Microsoft. These are all real exploitable, fixed vulnerabilities that have been anonymized. We have also found similar antipatterns exhibited in external blogs and discussion forums. The demos used in this session leverage Azure Active Directory as the identity provider and ASP.NET as the relying party. However, the key takeaways are generic and are applicable to broader tech stacks.

The key concepts covered in the talk are as follows: * Quick overview of modern auth * Key scenarios with demos ** Who can request tokens? *** Unauthorized access to guests ** Where should the tokens be sent? *** Token theft via unclaimed reply URLs ** Is the token’s integrity intact? *** Elevating access by tampering tokens ** Is the token issued by a tenant I trust? *** Replaying tokens issued by arbitrary tenants ** Is the token meant for my API? *** Replaying tokens issued to arbitrary APIs in the tenant * Q&A