Security BSides Las Vegas 2025

.e'X'es and 'O'auths (They Haunt Me): In-Depth Analysis of OAuth/OIDC Misconfigurations and Token Replay Attacks
2025-08-04, Florentine E

OAuth and OpenID Connect (OIDC) are the backbone of modern identity and access management — but poor implementations leave organizations dangerously exposed. In this technical session, I’ll move beyond theory and demonstrate how subtle misconfigurations in OAuth and OIDC flows can be exploited by attackers to bypass authentication, impersonate users, and replay tokens for unauthorized access. We’ll walk through real-world vulnerabilities such as missing state parameters, improperly validated discovery documents, and token validation failures. Then we’ll demonstrate a live token replay attack using OWASP ZAP to intercept and reuse a captured JWT — illustrating how easily these weaknesses can be exploited in the wild. Attendees will leave with actionable knowledge on how to identify, exploit, and mitigate these flaws in enterprise environments, along with open-source scripts and tools to reproduce the attack scenarios in their own labs.


OAuth 2.0 and OpenID Connect (OIDC) are the identity workhorses of the modern web, enabling SSO, delegated authorization, and secure API access across cloud and enterprise ecosystems. But despite their widespread adoption, these protocols are frequently misconfigured — and attackers are capitalizing on it. This talk exposes how real-world flaws in OAuth and OIDC implementations can be exploited to bypass authentication, impersonate users, and perform full session hijacking via token replay.
This presentation is designed for security professionals, penetration testers, red teamers, and identity architects who want a deeper technical understanding of identity-layer attack surface and how it’s routinely exploited in the wild. It opens with a fast-paced breakdown of how OAuth and OIDC are supposed to work, then dives headfirst into where they typically fail — not in the protocols themselves, but in how they’re implemented.
Attendees will learn how missing or improperly validated state parameters lead to CSRF, how weak or wildcarded redirect_uri values open the door for open redirect exploits, and why implicit flows are dangerous in modern environments. On the OIDC side, we’ll explore how attackers tamper with the discovery endpoint (.well-known/openid-configuration), and how improperly validated ID tokens lacking issuer, audience, or nonce verification can be forged and replayed.
The centerpiece of the session is a live demonstration of a token replay attack using OWASP ZAP. We’ll walk through a simulated login against a vulnerable OAuth/OIDC web app, intercept a valid JWT using ZAP, and replay that token from another client to gain unauthorized access. This real-time attack sequence shows just how quickly identity misconfigurations can be turned into full session compromise — especially when token binding and validation safeguards are missing.
Following the attack demonstration, we’ll pivot to practical defensive strategies including:

- Best practices for validating ID tokens (issuer, audience, nonce, exp)
- Enforcing short token lifetimes and secure refresh mechanisms
- Implementing token binding using device fingerprinting, IP correlation, or advanced options like DPoP and mTLS
- Integrating detection strategies via ITDR platforms or behavioral monitoring

To support continued learning, the presentation includes access to an open-source lab environment built around OWASP ZAP. The lab includes three modular ZAP script sets:

Script Set 1: Hardcoded JWT replay automation
Script Set 2: Dynamic token capture and replay via scripted login
Script Set 3: Docker-based ZAP automation for CI/CD pipelines

This session bridges the gap between protocol theory and real-world identity exploitation, showing how small implementation gaps can have catastrophic security consequences. Attendees will leave with working examples, reusable tools, and a detailed understanding of how to defend against identity-based attacks that bypass traditional perimeter defenses.

Darryl G. Baker, CISSP, CEH is a seasoned cybersecurity professional with extensive experience in securing enterprise environments and conducting in-depth security assessments. With a strong background in both offensive and defensive security, Darryl specializes in identifying and mitigating risks within Active Directory and cloud-based infrastructures.
Over the course of his career, Darryl has led numerous security engagements across a variety of industries, helping organizations improve their security posture through technical assessments, red team operations, and strategic guidance. He holds certifications including the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH), reflecting his broad expertise in information security.

Darryl is passionate about sharing knowledge and advancing the cybersecurity community. He regularly speaks at industry events, where he delivers practical insights on threat detection, identity security, and real-world attack techniques. His presentations are known for combining deep technical detail with actionable takeaways.