OAuth 2.0 is a widely used authorization framework that enables third-party applications to access user resources without exposing credentials. However, like any technology, it is susceptible to various threats. In this post, I’ll walk you through three OAuth Threat Tactics, Techniques, and Procedures (TTPs) that I’ve seen this month and how to detect them using Entra ID logs.

What are TTPs in the context of OAuth?

TTPs, or Threat Tactics, Techniques, and Procedures, are the methods attackers use to exploit OAuth vulnerabilities. Understanding these TTPs is crucial for implementing effective security measures and protecting your applications.

What is authorization code injection?

Authorization code injection is a technique where an attacker intercepts the authorization code returned by the authorization server and uses it to obtain an access token. This allows the attacker to gain unauthorized access to the user’s resources.

How does authorization code injection work?

  1. The attacker tricks the user into visiting a malicious website that looks legitimate.
  2. The malicious site redirects the user to the authorization server with a crafted redirect URI.
  3. The user authenticates and authorizes the malicious site, which receives an authorization code.
  4. The attacker intercepts the authorization code and uses it to request an access token from the authorization server.
  5. The attacker now has access to the user’s resources.

Example of authorization code injection

Here’s a simplified example of how an attacker might attempt to inject an authorization code:

sequenceDiagram participant User participant MaliciousSite participant AuthServer participant ResourceServer User->>MaliciousSite: Visit malicious site MaliciousSite->>AuthServer: Redirect User with crafted URI AuthServer->>User: Authorization page User->>AuthServer: Authenticate and authorize AuthServer->>MaliciousSite: Authorization code MaliciousSite->>AuthServer: Request access token with code AuthServer->>MaliciousSite: Access token MaliciousSite->>ResourceServer: Access user resources

How to detect authorization code injection with Entra ID logs

To detect authorization code injection, monitor Entra ID logs for unusual patterns, such as:

  • Multiple failed token requests from the same IP address.
  • Token requests with suspicious redirect URIs.
  • Unusual spikes in token issuance.

Here’s an example of how you might query Entra ID logs for suspicious activity:

# Query Entra ID logs for failed token requests
Get-AzureADAuditSignInLogs -Filter "Status.ErrorCode eq '50053'"
⚠️ Warning: Always validate redirect URIs to ensure they match expected values.

🎯 Key Takeaways

  • Authorization code injection involves intercepting authorization codes to obtain access tokens.
  • Monitor Entra ID logs for suspicious token requests and redirect URIs.
  • Validate redirect URIs to prevent injection attacks.

What is token theft?

Token theft occurs when an attacker gains unauthorized access to an access token, allowing them to impersonate a user or service. This can happen through various means, such as session hijacking or man-in-the-middle attacks.

How does token theft work?

  1. The attacker intercepts an access token during a legitimate transaction.
  2. The attacker uses the stolen token to make requests to the resource server.
  3. The resource server validates the token and grants access to the attacker.

Example of token theft

Here’s a simple example of how token theft might occur:

sequenceDiagram participant User participant App participant AuthServer participant ResourceServer participant Attacker User->>App: Login App->>AuthServer: Auth Request AuthServer-->>App: Token App-->>User: Success App->>ResourceServer: Access request with token Attacker->>App: Intercept token Attacker->>ResourceServer: Access request with stolen token ResourceServer-->>Attacker: Grant access

How to detect token theft with Entra ID logs

To detect token theft, look for signs of unauthorized access in Entra ID logs, such as:

  • Unusual access patterns from unfamiliar locations or devices.
  • Multiple access requests from the same token within a short period.
  • Failed access attempts followed by successful ones using the same token.

Here’s an example of querying Entra ID logs for suspicious access patterns:

# Query Entra ID logs for access patterns
Get-AzureADAuditSignInLogs -Filter "Location.City ne 'ExpectedCity'"
🚨 Security Alert: Implement strong encryption and secure storage for tokens to prevent theft.

🎯 Key Takeaways

  • Token theft involves intercepting and using access tokens to gain unauthorized access.
  • Monitor Entra ID logs for unusual access patterns and unauthorized token usage.
  • Use encryption and secure storage to protect tokens.

What is client credential misuse?

Client credential misuse occurs when an attacker obtains the client credentials (client ID and client secret) and uses them to request access tokens. This allows the attacker to perform actions on behalf of the client application.

How does client credential misuse work?

  1. The attacker steals the client credentials from a compromised system.
  2. The attacker uses the client credentials to request an access token from the authorization server.
  3. The authorization server issues an access token based on the client credentials.
  4. The attacker uses the access token to access protected resources.

Example of client credential misuse

Here’s a simple example of how client credential misuse might occur:

sequenceDiagram participant Attacker participant AuthServer participant ResourceServer Attacker->>AuthServer: Request token with stolen client credentials AuthServer-->>Attacker: Access token Attacker->>ResourceServer: Access request with token ResourceServer-->>Attacker: Grant access

How to detect client credential misuse with Entra ID logs

To detect client credential misuse, monitor Entra ID logs for signs of unauthorized token requests, such as:

  • Token requests from unfamiliar IP addresses or locations.
  • Multiple token requests within a short period.
  • Token requests for scopes that the client does not typically request.

Here’s an example of querying Entra ID logs for suspicious token requests:

# Query Entra ID logs for suspicious token requests
Get-AzureADAuditSignInLogs -Filter "IPAddress ne 'ExpectedIP'"
💡 Key Point: Regularly rotate client secrets and limit their permissions to minimize the risk of misuse.

🎯 Key Takeaways

  • Client credential misuse involves using stolen client credentials to request access tokens.
  • Monitor Entra ID logs for suspicious token requests and unauthorized access.
  • Rotate client secrets and limit permissions to reduce risk.

How to implement robust OAuth security with Entra ID

To protect your applications from OAuth TTPs, implement the following best practices:

  1. Use HTTPS: Ensure all communications between the client, authorization server, and resource server use HTTPS to prevent interception.

  2. Validate Redirect URIs: Always validate redirect URIs to ensure they match expected values.

  3. Limit Token Scopes: Request only the necessary scopes for your application to minimize potential damage from token theft.

  4. Regularly Rotate Secrets: Change client secrets regularly and store them securely to prevent misuse.

  5. Monitor and Log Activity: Continuously monitor Entra ID logs for suspicious activity and set up alerts for potential threats.

  6. Implement Multi-Factor Authentication (MFA): Use MFA to add an additional layer of security for user authentication.

  7. Use PKCE for SPAs: Implement Proof Key for Code Exchange (PKCE) in Single Page Applications (SPAs) to prevent authorization code interception.

Quick Reference

📋 Quick Reference

  • Use HTTPS - Secure all communications.
  • Validate Redirect URIs - Match expected values.
  • Limit Token Scopes - Request only necessary scopes.
  • Rotate Secrets - Change client secrets regularly.
  • Monitor Logs - Set up alerts for suspicious activity.
  • Implement MFA - Add an additional authentication layer.
  • Use PKCE - Prevent authorization code interception in SPAs.
💜 Pro Tip: Regularly review and update your OAuth configurations to adapt to new threats.

Conclusion

Protecting your applications from OAuth TTPs requires a proactive approach to security. By understanding the latest threats and leveraging Entra ID logs, you can detect and mitigate attacks effectively. Stay vigilant, and continuously improve your security posture to safeguard your users and data.

That’s it. Simple, secure, works.