Re: [OAUTH-WG] State Leakage Attack
John Bradley <ve7jtb@ve7jtb.com> Mon, 25 April 2016 13:30 UTC
From: John Bradley <ve7jtb@ve7jtb.com>
To: Daniel Fett <fett@uni-trier.de>
Cc: Guido Schmitz <gschmitz@informatik.uni-trier.de>, oauth@ietf.org, Ralf Kuesters <kuesters@uni-trier.de>
Date: Mon, 25 Apr 2016 06:30:41 -0700
Subject: Re: [OAUTH-WG] State Leakage Attack
In-Reply-To: <571E1541.2030904@uni-trier.de>
Message-Id: <2FAB8A1E-E186-4FF0-9867-C82FE4A248B0@ve7jtb.com>
References: <571A3339.706@uni-trier.de> <13C0AA5B-FF2C-4BC7-9406-58F3063EA085@ve7jtb.com> <571E1541.2030904@uni-trier.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/0Se9kKVIBYz15aQScwToEvhbsuc>
Inline

> On Apr 25, 2016, at 6:01 AM, Daniel Fett <fett@uni-trier.de> wrote:
>
> On 24.04.2016 at 22:31, John Bradley wrote:
>> I described a similar attack at the meeting in Darmstadt. Using stolen state to inject code from a different session.
>>
>> We were calling that the cut and paste attack. The proposed mitigation is in the draft that Mike and I did.
>>
>> This was based on the attacker making a new request in a different user agent and using that state.
>>
>> In the open redirectors draft we do talk about referrer leaking info, and methods to address that.
>>
>> Checking referrer is a weak protection at best, as that is easily faked in many circumstances.
>
> Note that we do not propose checking the referrer as a mitigation; we
> propose using the referrer policy (at the client) to suppress the
> referrer (just as in the open redirector draft where it is used at the
> AS). So the recommendation here is to use the referrer policy also at
> the client.

OK, that is in line with what we recommend in sec 2.3 of https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00

That document is mostly about redirectors on AS. More needs to go into it on the issue for clients.

>
>> Are you saying that the proposed mitigation of the AS tying state to code is not sufficient?
>
> Yes, it is not sufficient as an attacker can request a new code for his
> own account at the AS for the same state.
>

So the attacker gets the leaked state, then uses their own browser with the stolen state to get a new code in their browser. Then takes the new code and old state and pastes that into a XSRF attack in the user's browser.

(Sort of the reverse of stealing a leaked code and presenting it to the client in the attacker's browser with a new state.)

I see how the mitigation of tying state and code together would not work for that.

However a client using PKCE would not be vulnerable as a side effect of using a different PKCE challenge for each request, though an asymmetric PKCE challenge would not have this property.

OK, I will grant you that leaking state and using that in a XSRF with a different code to bind an attacker's resource to the account is a new twist.

John B.

> (Note that from draft-bradley-oauth-jwt-encoded-state-05 it does not
> become clear how the JTI value comes into play here; you should probably
> add some clarification on generating this value and how to check it. An
> example would be good.)
>
> -Daniel
>
> --
> Information Security and Cryptography
> Universität Trier - Tel. 0651 201 2847 - H436
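The exchange above turns on one question: why does binding the code to the state at the AS not help once the state has leaked, while a per-request PKCE verifier does? The following Python model is an added example for this archive page; it is not code from the thread, from the cited drafts, or from any real AS or client. It builds a hypothetical `AuthorizationServer` that binds each code to the state it was issued with (the mitigation Daniel says is insufficient) and optionally enforces PKCE (RFC 7636, S256), and a hypothetical `Client` that keeps one `state`/`code_verifier` pair per browser session. `legitimate_flow` shows a normal login; `leaked_state_flow` replays the sequence John describes (state leaks, a code for another account is issued against that state, the victim's browser delivers it) and reports whether the victim's session ends up linked to the other account or is rejected. All session ids, subjects and the `attacker-account` label are constructed values.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def s256(code_verifier: str) -> str:
    """PKCE S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical AS: every code is bound to the state it was issued with,
    and PKCE can be made mandatory for the client (assumed policy, not from the thread)."""

    def __init__(self, require_pkce: bool) -> None:
        self.require_pkce = require_pkce
        self.codes: Dict[str, dict] = {}  # code -> {"sub", "state", "challenge"}

    def authorize(self, sub: str, state: str, code_challenge: Optional[str]) -> str:
        """Resource owner `sub` consents; a single-use code is issued for this state."""
        if self.require_pkce and code_challenge is None:
            raise PermissionError("code_challenge required for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": sub, "state": state, "challenge": code_challenge}
        return code

    def token(self, code: str, state: str, code_verifier: Optional[str]) -> str:
        """Redeem a code. Returns the subject the resulting token belongs to."""
        rec = self.codes.pop(code, None)  # codes are single use
        if rec is None:
            raise PermissionError("unknown or already redeemed code")
        if rec["state"] != state:  # the state/code binding the thread discusses
            raise PermissionError("code is not bound to this state")
        if rec["challenge"] is not None:  # PKCE: verifier must match the challenge bound to the code
            if code_verifier is None or s256(code_verifier) != rec["challenge"]:
                raise PermissionError("PKCE verification failed")
        return rec["sub"]


class Client:
    """Hypothetical client; one state (and, with PKCE, one verifier) per browser session."""

    def __init__(self, auth_server: AuthorizationServer, use_pkce: bool) -> None:
        self.auth_server = auth_server
        self.use_pkce = use_pkce
        self.sessions: Dict[str, dict] = {}  # session id -> {"state", "verifier"}

    def start_login(self, session_id: str) -> Tuple[str, Optional[str]]:
        """Fresh state and (if PKCE) fresh verifier for this session; returns what goes on the wire."""
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32) if self.use_pkce else None
        self.sessions[session_id] = {"state": state, "verifier": verifier}
        challenge = s256(verifier) if verifier is not None else None
        return state, challenge

    def redirect_endpoint(self, session_id: str, code: str, state: str) -> str:
        """Authorization response handler; returns the account the session gets linked to."""
        sess = self.sessions.get(session_id)
        if sess is None or sess["state"] != state:
            raise PermissionError("state does not match this session")
        # The client always redeems with the verifier stored in *this* session.
        return self.auth_server.token(code, state, sess["verifier"])


def legitimate_flow(use_pkce: bool) -> str:
    """Normal login: the victim's session is linked to the victim's own account."""
    auth_server = AuthorizationServer(require_pkce=use_pkce)
    client = Client(auth_server, use_pkce)
    state, challenge = client.start_login("victim-session")
    code = auth_server.authorize("victim", state, challenge)
    return client.redirect_endpoint("victim-session", code, state)


def leaked_state_flow(use_pkce: bool) -> str:
    """The sequence from the thread. Returns the account the victim's session
    gets linked to, or 'rejected: <reason>' if the client/AS refuse it."""
    auth_server = AuthorizationServer(require_pkce=use_pkce)
    client = Client(auth_server, use_pkce)
    victim_state, _ = client.start_login("victim-session")  # assume this state value leaks
    # A code for a different account is issued against the leaked state. With PKCE
    # the AS demands a challenge, but the victim's session holds a different verifier.
    other_challenge = s256(secrets.token_urlsafe(32)) if use_pkce else None
    other_code = auth_server.authorize("attacker-account", victim_state, other_challenge)
    try:
        return client.redirect_endpoint("victim-session", other_code, victim_state)
    except PermissionError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("state binding only:", leaked_state_flow(use_pkce=False))
    print("state binding + PKCE:", leaked_state_flow(use_pkce=True))
```

Without PKCE the state check at the client and the state/code binding at the AS both pass, because the leaked state is genuinely the victim's and the code genuinely was issued for it; the victim's session is linked to the other account. With PKCE the client redeems with the verifier from the victim's own session, which cannot match the challenge bound to a code issued from a different request, so the AS refuses. Two caveats follow from the model: the AS has to require PKCE for the client (a code issued without a challenge would skip the check entirely), and the protection depends on the verifier being fresh per request, which matches John's remark that a challenge not generated per request would not have this property.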