Sign up to save your podcasts
Or
Share Ep. 13 – nOAuth Account Misbinding & Assumed-Breach to Domain Admin (Season Finale)
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Ep. 13 – nOAuth Account Misbinding & Assumed-Breach to Domain Admin (Season Finale)
One misbound identity. One exposed internal path. Two routes to total compromise.
In this season finale of Hacked & Secured: Pentest Exploits & Mitigations, we break down two real-world findings that show how small trust assumptions can unravel entire systems:
- nOAuth (SSO account misbinding) — Multi-tenant SSO auto-linked accounts by email instead of a stable subject/issuer identifier. With a crafted identity on a controlled domain, an attacker could land a valid session as another user.
- From wall socket to Domain Admin — No NAC on the switch enabled quiet network access, followed by username harvesting and a light password spray to a low-priv account. From there: AD enumeration, weak service credentials, and abuse of certificate services to escalate to Domain Admin.
What you’ll learn: how identity claims should be bound in modern SSO, how to harden join and mapping flows, and a practical checklist to shut down common internal escalation paths (NAC, credential hygiene, service principals, AD CS, and monitoring).
Chapters:
00:00 - INTRO
01:27 - FINDING #1 - nOAuth: the email you shouldn’t have trusted
07:22 - FINDING #2 - From one wall socket to Domain Admin
13:43 - OUTRO
Want your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!
🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram
📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A
📧 Feedback? Email Us → [email protected]
🔗 Podcast Website → Website Link
View all episodes
By Amin MalekpourOne misbound identity. One exposed internal path. Two routes to total compromise.
In this season finale of Hacked & Secured: Pentest Exploits & Mitigations, we break down two real-world findings that show how small trust assumptions can unravel entire systems:
- nOAuth (SSO account misbinding) — Multi-tenant SSO auto-linked accounts by email instead of a stable subject/issuer identifier. With a crafted identity on a controlled domain, an attacker could land a valid session as another user.
- From wall socket to Domain Admin — No NAC on the switch enabled quiet network access, followed by username harvesting and a light password spray to a low-priv account. From there: AD enumeration, weak service credentials, and abuse of certificate services to escalate to Domain Admin.
What you’ll learn: how identity claims should be bound in modern SSO, how to harden join and mapping flows, and a practical checklist to shut down common internal escalation paths (NAC, credential hygiene, service principals, AD CS, and monitoring).
Chapters:
00:00 - INTRO
01:27 - FINDING #1 - nOAuth: the email you shouldn’t have trusted
07:22 - FINDING #2 - From one wall socket to Domain Admin
13:43 - OUTRO
Want your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!
🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram
📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A
📧 Feedback? Email Us → [email protected]
🔗 Podcast Website → Website Link