Going Against the Flow: How to Build and Break OAuth 2.0

Abstract

Be it an API, web service or mobile application – by now OAuth 2.0 has become the most widely used standard for granting third-party applications access to protected resources. Over time, additional security controls and flow types have been introduced to meet the needs of different authorization scenarios. Although designed with security in mind, OAuth 2.0 is only as strong as its implementation: weaknesses that were not properly closed during implementation still leave attackers openings to exploit.

This workshop aims to shed more light on the inner workings of OAuth 2.0. Following a hands-on approach, we will first build our own OAuth environment and then start breaking it. By the end of this workshop, you will not only be able to tell the different kinds of tokens apart but also know how to spot and target OAuth in the wild.

Claudia Ully

Claudia works as a penetration tester at NVISO, where she focuses on web and mobile application security. Apart from spotting vulnerabilities in applications, she enjoys helping and training developers and IT staff to better understand and prevent security issues.


Dominik Holzapfel

Dominik is a Penetration Tester at NVISO, where he is the Solution Lead for Web Applications.