[OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks
Filip Skokan <panva.ip@gmail.com> Mon, 01 July 2024 12:42 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE6CCC18DBB4 for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 05:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QFZlmMc5v7DB for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 05:42:42 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00524C1CAE66 for <oauth@ietf.org>; Mon, 1 Jul 2024 05:42:41 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id 2adb3069b0e04-52cd717ec07so3719338e87.0 for <oauth@ietf.org>; Mon, 01 Jul 2024 05:42:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719837760; x=1720442560; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KinSn6J1oDfzyC1fimQqGbBhQN9mO7IXZA4ZL3LEyiU=; b=JQgxfcmAExnnUKaQEDm62aWy0RGW6JkVWhWEI6UTqz0cgkYtCxRvMESXAoQ1rN8RGy /3GGGY+ERmaF/I94/lrgsGh3hp7Np3NgK0jNQttd+iXMwneKYl9CrjGhqHY5bzzkwgt7 5lptE8RFE7gfSu7j3PHtE/PmTHw7BZAT4Bqm5C4nfgC1Gzbg+BqglGJgxwFr4Pac/BWj LMRLxXWVpqwX0an49ze4YH0gHT8yhaAIUWMdvcm01Y1No+84TScdZxUv9ZQYT4OE6Lv9 g41UcLR6L2+6R3Btmlo0NMyspeGfxh/UbTQexUST2c/3m9O8qQoX3YYG//Q0Mtfxbyf7 Iyhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719837760; x=1720442560; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KinSn6J1oDfzyC1fimQqGbBhQN9mO7IXZA4ZL3LEyiU=; b=u++niWNG6jSbjyvU/GFIdpLqzEzrZHejuO66VqGnlLA0ftmfId/t1hXo8a1WI0Nf+F H+XjlBfe1GfNfYIfSZj44ucA34zZ1nH9L8tci67uoENatmFd7xJNON0tYYBjYJi5YHN6 ZHIEUG0GU8Gq6+rsMORjLjaQKIoqEOUAdOcsLZzY/Zp8MH3Coyz6aLmYaabiS/EzmXvO 6xoOc2QmsveefTpxiPISNZBkPkegwDYotpSAPbfXTWSAbHlB5zea7R1nlpDkranH5rUE 62yEGAeHj55y1P7XsI5aCIRT190AllON6gl+kf/0qsn+/ilMy325G3ydfGolYcQnMrJE sTzA==
X-Gm-Message-State: AOJu0YwV3LKNd0BdoqLi1oEBisIbFk6BzEAz0A/vgIQh9M42M4x/1sR4 f+Wz5mQ45bYRqwOmbKZJ6yZrPQJb/V/xRFuTnBg8PtHcUagGIWGqIlkgvL6C8QJuxmpzwW9nTou LYZ7lEdiAMvf1TOkkG5SG0qf+VHkdtZA=
X-Google-Smtp-Source: AGHT+IHW46Az8lA84ZBJ++oH7d0FueCbJkbrL5Hf57/YBYIgkVZ1aJMJdepzpkHX3BE0O9yQWVEi3RHHhbXXYQ6xT1A=
X-Received: by 2002:a05:6512:2255:b0:52c:dbe2:69ba with SMTP id 2adb3069b0e04-52e82691abemr4281987e87.33.1719837759325; Mon, 01 Jul 2024 05:42:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAMsdJ+igzBuXf2HRhkLKQyRy7J2JqT9rTu0REe0nhcj0UNyXXg@mail.gmail.com>
In-Reply-To: <CAMsdJ+igzBuXf2HRhkLKQyRy7J2JqT9rTu0REe0nhcj0UNyXXg@mail.gmail.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Mon, 01 Jul 2024 14:42:03 +0200
Message-ID: <CALAqi_9f-M_=c9pdbSH=iFmAv3iYXdBA8d4XhzgJV66i+5e1hA@mail.gmail.com>
To: Chaitanya Reddy <nchaitreddyutilities@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b74c2c061c2eee32"
Message-ID-Hash: KWYP7K6LYQQSMU3BAKAZQBBGERSC6YKR
X-Message-ID-Hash: KWYP7K6LYQQSMU3BAKAZQBBGERSC6YKR
X-MailFrom: panva.ip@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1iEEx662VQfbN0rjkv7LUV3eebo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hello Chaitanya. The AS is to treat the state value as an opaque string, merely echoing it back to the client, at most the AS is required to ensure the state's syntax is within its ABNF definition, then send its exact value back with the authorization response. I don't find this particular AS implementation's documentation-defined state use to fall outside of its intended use. Of course it could come with more guidance on how to achieve those particular purposes securely, so that the client doesn't become an Open Redirector <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-client-as-open-redirector> . S pozdravem, *Filip Skokan* On Mon, 1 Jul 2024 at 14:20, Chaitanya Reddy <nchaitreddyutilities@gmail.com> wrote: > Hi Team, > > Hope you are doing well! > > I am writing this mail regarding the discussion of usage of *state* > parameter in the OAuth implementation. > > As per the RFC 6749, "*An opaque value is used by the client to maintain > state between the request and callback. And it should be used to prevent > cross-site request forgery*". Since it's an opaque value, OAuth > implementors usually don't sanitize the value. > > One of the OAuth 2.0 implementors (Google) have defined state as "*You > can use this parameter for several purposes, such as directing the user to > the correct resource in your application, sending nonces, and mitigating > cross-site request forgery*" > > The issue arries here due to the fact that Google allows the use of state > parameter for directing the users to the correct resource. Since the value > in RFC is defined as *opaque, *they are not sanitizing the value for any > possible malicious values. I have observed two instances where clients > using Google's OAuth service directly use the state parameter value in *Location > header *to redirect the users hence resulting in header injection attacks. > > As per my understanding, this issue arises due to the fact that: > 1. Google allows state parameter to be used for purpose not defined in RFC. > 2. Google is not sanitizing the state paramater on their end. > 3. Client is also not sanitizing the state paramater and directly using it > in the *Location* header. > > I have raised this issue to google via google VRP but after weeks of > communication over the ticket, the engineer feels like they are not in > disagreement with the spec and have requested me to discuss it further with > your team and hence i am reaching out to you. > > Please let me know your thoughts about this. > > Regards, > Chaitanya Reddy > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >
- [OAUTH-WG] Security Bug | Unintended usage of "st… Chaitanya Reddy
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Neil Madden
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Filip Skokan
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Aaron Parecki
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Chaitanya Reddy
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Neil Madden
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Tom Jones
- [OAUTH-WG] Re: Security Bug | Unintended usage of… David Waite