Impersonate Me: Misconfigurations in Entra ID and Identity Libraries Leading to Privilege Escalation

By Nikhil Sahoo on 29 Apr 2026 @ Defcon
#azure #oauth #authentication #privilege-escalation #identity-governance #secure-coding
Focus Areas: Application Security, Cloud Security, DevSecOps, Identity & Access Management, Penetration Testing, Web Application Security

Abstract

Your organization uses Microsoft Entra ID. OAuth 2.0 and OpenID Connect are implemented. Tokens are validated. You’re secure, right? Wrong.

This talk examines two critical vulnerability classes in Entra ID applications enabling impersonation and privilege escalation. Claims like email, preferred_username, and unique_name appear in every token and seem harmless for identifying users. They’re not. These display claims are mutable, user-controlled, and non-unique across Azure AD tenants. Attackers register their own tenant, set these claims to match target administrators, and authenticate through multi-tenant endpoints. The vulnerable application queries by email without validating tenant context, returning the real admin’s data and granting full privileges.
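The lookup defect described above, shown as an added example that is not part of the talk or its DVOE lab: two constructed token payloads carry the same `email` claim but come from different tenants, and the vulnerable resolver keys on that mutable claim while the hardened one keys on the immutable `(tid, oid)` pair, allow-lists the tenant and checks that `iss` agrees with `tid`. All tenant ids, object ids and addresses are placeholders.

```python
"""Tenant-scoped user resolution for Entra ID tokens (added example).

Signature validation is assumed to have already happened upstream; the
payloads below are constructed claim sets, not real tokens.
"""

# Constructed application user store keyed on (tid, oid), the immutable
# identifiers Entra ID issues. The email is kept only as display data.
USER_STORE = {
    ("tenant-A-placeholder", "oid-alice-placeholder"): {
        "display": "admin@contoso.example", "role": "admin"},
}
ALLOWED_TENANTS = {"tenant-A-placeholder"}

# Constructed payload issued by the application's own tenant.
LEGIT_TOKEN = {
    "iss": "https://login.microsoftonline.com/tenant-A-placeholder/v2.0",
    "tid": "tenant-A-placeholder", "oid": "oid-alice-placeholder",
    "email": "admin@contoso.example",
    "preferred_username": "admin@contoso.example",
}
# Constructed payload from a different tenant whose mutable display claims
# happen to equal the administrator's.
FOREIGN_TOKEN = {
    "iss": "https://login.microsoftonline.com/tenant-B-placeholder/v2.0",
    "tid": "tenant-B-placeholder", "oid": "oid-other-placeholder",
    "email": "admin@contoso.example",
    "preferred_username": "admin@contoso.example",
}

def resolve_user_vulnerable(claims):
    """Vulnerable: identifies the caller by a mutable, non-unique claim."""
    email = (claims.get("email") or claims.get("preferred_username") or "").lower()
    for rec in USER_STORE.values():
        if rec["display"].lower() == email:
            return rec          # any tenant that sets this email gets the admin record
    return None

def resolve_user_hardened(claims):
    """Hardened: require tid/oid, allow-list the tenant, tie iss to tid, key on (tid, oid)."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None             # no immutable identity, no account mapping
    if tid not in ALLOWED_TENANTS:
        return None             # multi-tenant endpoint, but only known tenants sign in
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return None             # issuer must belong to the tenant the token claims
    return USER_STORE.get((tid, oid))
```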

The second class involves common .NET misconfigurations where RequireSignedTokens is disabled or custom SignatureValidator delegates bypass verification. Attackers forge tokens with arbitrary claims and achieve complete authentication bypass.

Working at Microsoft Azure Security, the speaker encounters these patterns daily during secure code reviews. Attendees also receive DVOE (Damn Vulnerable OAuth Environment), a lab with vulnerable applications, Semgrep detection rules, and secure reference implementations for continued practice.

Real patterns. Live demos. Less theory.