02-27, 10:00–10:30 (UTC), Kaldalón
We present and discuss Audience Injection Attacks on signature-based client authentication, in which an honest client is tricked into providing the attacker with a valid client credential for an honest authorization server.
As part of a recent formal analysis of an OAuth/OIDC-based protocol, we discovered Audience Injection Attacks, a new class of vulnerabilities affecting asymmetric signature-based client authentication (for example, private_key_jwt client assertions as specified in RFC 7523 and OpenID Connect Core). These attacks exploit weaknesses in client authentication to trick an honest client into generating a client assertion that is valid for an honest authorization server—allowing the attacker to authenticate as that client at the honest server and thereby access user resources. In this talk, we present simple instances of audience injection attacks, analyze their root cause, and discuss how they can—and cannot—be mitigated.
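The following Go program is an added illustration, not code from the talk or its authors, of the two ends of signature-based client authentication as the abstract describes them: the honest client mints a private_key_jwt-style client assertion (RFC 7523, EdDSA signature over iss/sub/aud/jti/iat/exp) and the honest authorization server verifies signature, iss/sub, aud and expiry under the client's registered key. The abstract does not say how the client is tricked, so the program simply assumes the attacker can influence the audience value the honest client writes into its assertion and receives the assertion itself, then presents it to the honest server. The client_id and endpoint URLs are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of an RFC 7523 / OIDC private_key_jwt client assertion.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"` // single-string form; RFC 7519 also allows an array
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// MintClientAssertion is the honest client's side: it signs a JWT naming itself
// as iss/sub and the audience it believes it is authenticating to. Nothing in the
// assertion records where the client actually sends it.
func MintClientAssertion(priv ed25519.PrivateKey, clientID, aud, jti string, now time.Time) string {
	header := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	body, _ := json.Marshal(assertionClaims{
		Iss: clientID, Sub: clientID, Aud: aud, Jti: jti,
		Iat: now.Unix(), Exp: now.Add(60 * time.Second).Unix(),
	})
	signingInput := header + "." + b64.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig)
}

// VerifyClientAssertion is the authorization server's side at its token endpoint:
// pinned algorithm, signature under the client's registered public key, iss and
// sub equal to the client_id, aud equal to this server's identifier, not expired.
func VerifyClientAssertion(pub ed25519.PublicKey, token, clientID, myAud string, now time.Time) (*assertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c assertionClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID {
		return nil, errors.New("iss/sub do not match client_id")
	}
	if c.Aud != myAud {
		return nil, errors.New("audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("expired")
	}
	return &c, nil
}

// Outcome of the constructed scenario.
type Outcome struct {
	HonestASAcceptsInjectedAssertion bool // attacker replays the client's assertion at the honest AS
	HonestASRejectsForeignAudience   bool // control: an assertion for the attacker's own aud is rejected
}

// Constructed identifiers (assumptions for this example, not from the talk).
const (
	clientID        = "https://client.example"
	honestTokenEP   = "https://as.example/token"
	attackerTokenEP = "https://attacker.example/token"
)

// RunScenario models the attack: the honest client, steered by the attacker,
// writes the honest AS's endpoint into aud but hands the assertion to the
// attacker, who then presents it to the honest AS without holding any client key.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	now := time.Unix(1_700_000_000, 0)

	// Assumption: the attacker influences the audience the honest client uses.
	injected := MintClientAssertion(priv, clientID, honestTokenEP, "jti-1", now)
	// The honest AS knows only the client's public key and sees a valid assertion for itself.
	_, errInjected := VerifyClientAssertion(pub, injected, clientID, honestTokenEP, now.Add(5*time.Second))

	// Control: had the client named the endpoint it actually sent to, the honest AS's audience check would reject it.
	foreign := MintClientAssertion(priv, clientID, attackerTokenEP, "jti-2", now)
	_, errForeign := VerifyClientAssertion(pub, foreign, clientID, honestTokenEP, now.Add(5*time.Second))

	return Outcome{
		HonestASAcceptsInjectedAssertion: errInjected == nil,
		HonestASRejectsForeignAudience:   errForeign != nil,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The control case makes the root of the problem visible: the server's audience check passes or fails solely on what the honest client wrote into aud, not on where the client actually delivered the assertion, so an attacker who can steer that value obtains a usable client credential without ever touching the client's private key.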
Web and Identity Protocols Security Researcher