Purple Team

CRW07 Exploiting Token Based Authentication: Attacking and Defending Identities in the 2020s

11/20/2024

4:00pm - 5:15pm

Level: Intermediate to Advanced

Nestori Syynimaa

Principal Identity Security Researcher

Microsoft

Token-based authentication has been out there for over twenty years now. It enabled authenticating to Service Providers (SPs) without sending them usernames and passwords over the network. Token-based authentication is based on trust in an Identity Provider (IdP), which creates tokens to be consumed by SPs.

Technically, the trust is implemented using cryptography. The tokens are either signed or encrypted using symmetric or asymmetric cryptography or a combination of them. There are at least two techniques to exploit token-based authentication: stealing tokens (aka token-replay) and forging tokens. MITRE has categorized these attacks as T11134/001 and T1606, respectively. Regardless of the technical implementation of the token-based authentication (Kerberos, SAML, OAuth, etc.), the latter requires getting access to used cryptographic secrets.

In this demo-packed session, I will cover both token-based authentication attack techniques. First, you will learn how adversaries conduct token-replay attacks and how to protect against them. Second, you will learn how adversaries are forging tokens to impersonate users, how to detect the exploitation, and how to prevent it.

You will learn:

  • How the modern token-based authentication works
  • How adversaries conduct token-based authentication attacks
  • How to detect and prevent token-based authentication attacks