Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications (PDF slide deck, 110 pages), shared on 三个皮匠报告.
#BHUSA BlackHatEvents

Consent & Compromise
Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications
Vaisha Bernard

https:/

also me

"Most talks about cybersecurity are just someone stumbling around"

aka.ms
aka.ms is also known as ... also known as Microsoft

eng.ms
eng.ms: 500 Internal Server Error

rescue.eng.ms: password

Agenda
- The Entra ID Identity Platform
- Previous Research
- Consent & Compromise
- Sound Bytes, Questions

Authentication vs. Authorization in Entra ID
- AuthZ: OAuth 2.0, the guard, done after, yields an Access Token
- AuthN: OIDC, the gatekeeper, done first, yields an ID Token

?

Microsoft Identity Platform
- Also called Identity Provider (IdP)
- Does Authentication & Authorization
- Sits between You and Your data
- Application types: Single-Page App, Web App, Mobile App, Desktop App, Browserless App, Daemon App, Web API
- Registered at the Entra Tenant

Eye App: App Registration and Enterprise Application in the Entra Tenant

Application Types & Token Grant Flows
- Application types: Single-Page App, Web App, Mobile App, Desktop App, Browserless App, Daemon App, Web API
- Token grant flows: Implicit flow, Authorization code flow, Resource Owner Password (ROPC), Device code flow, Client credentials, On-behalf-of flow

A