OAuth 2.0 Threat Model Pentesting Checklist

The following is a checklist we find useful during an OAuth 2.0 penetration testing engagement.

May 25, 2021
  • Oauth2
  • Pentest Checklist

WORD AHEAD
This is a simplified visual alternative to the IETF OAuth 2.0 Security Best Current Practice publication, combined with various other public resources we found useful.

Overall, we use this checklist as part of our engagements when testing OAuth 2.0 implementations.

CHECKLIST

[Checklist mindmap image not reproduced in this text version; the branch titles recovered from the page are:]

Other Security Considerations

Client App Security

Resource Servers

OAUTH2.0 PENTEST CHECK LIST MINDMAP - INSANE QUALITY IMAGE

[*] Download picture

OAUTH2.0 PENTEST CHECK LIST MINDMAP - CHERRY TREE IMPORTABLE VERSION

[*] Download file

ACKNOWLEDGEMENTS | REFERENCES | RESOURCES

- https://tools.ietf.org/id/draft-lodderstedt-oauth-security-01.html
- https://tools.ietf.org/id/draft-ietf-oauth-security-topics-15.html
- https://www.google.com/search?q=oauth2+site%3Ahackerone.com&newwindow=1
- https://pentesterlab.com/exercises/
- https://developer.okta.com/blog/2019/03/12/oauth2-spring-security-guide
- https://www.giuspen.com/cherrytree/