IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2 attack surface....

prateek mishra <prateek.mishra@oracle.com> Fri, 01 March 2013 15:00 UTC

Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 463B911E80A2 for <oauth@ietfa.amsl.com>; Fri, 1 Mar 2013 07:00:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.573
X-Spam-Level:
X-Spam-Status: No, score=-6.573 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phbQP0ZeKOUd for <oauth@ietfa.amsl.com>; Fri, 1 Mar 2013 07:00:45 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 93AA021F92F8 for <oauth@ietf.org>; Fri, 1 Mar 2013 07:00:44 -0800 (PST)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r21F0hDn007112 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 1 Mar 2013 15:00:44 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r21F0gjk017233 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 1 Mar 2013 15:00:43 GMT
Received: from abhmt112.oracle.com (abhmt112.oracle.com [141.146.116.64]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r21F0gOR016655; Fri, 1 Mar 2013 09:00:42 -0600
Received: from [192.168.1.2] (/71.184.95.145) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 01 Mar 2013 07:00:42 -0800
Message-ID: <5130C2A0.2010100@oracle.com>
Date: Fri, 01 Mar 2013 10:00:48 -0500
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>
References: <1361830944.13340.YahooMailNeo@web31812.mail.mud.yahoo.com> <E4A6D91D-2BC8-4F2E-9B1C-D1362A0E3608@oracle.com> <1361831644.50183.YahooMailNeo@web31801.mail.mud.yahoo.com> <1361832133.97884.YahooMailNeo@web31816.mail.mud.yahoo.com> <140EEABC-2787-4D9A-A1C5-6C973FED5BC8@adobe.com> <512FE091.9030508@oracle.com> <9C445AAF-BEE8-44F5-8FE6-43CA843906CC@ve7jtb.com>
In-Reply-To: <9C445AAF-BEE8-44F5-8FE6-43CA843906CC@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------060502090704010903030102"
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2 attack surface....
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2013 15:00:46 -0000

Yup, use of confidential clients and full checking of redirect URIs 
would mitigate these attacks.

I think there is an issue of providing guidance to developers/deployers, 
about making secure choices, that needs to be addressed someplace. A 
test suite
would also be a good complement to a document.

One challenge is that OAuth addresses such a broad class of clients - 
from angry birds all the way to transactional apps. I am a mostly interested
in the latter, it would be good to have a resource that i can point 
people to (and, yes, the TM document is good but I dont see it as 
something most developers/deployers would
  benefit from).

- prateek

> While implicit is what they are attacking, this is in principal also 
> possible to do with a code flow if the client is public.
> It is only confidential clients using the code flow that have 
> reasonable protection from open redirectors.
>
> In openID Connect we made registered redirect_uri and full comparison 
> of the URI including query parameters a requirement.
>
> Allowing path or query parameters outside of the redirect comparison 
> leaves too large of an uncontrolled attack surface.
>
> Implementation mistakes are almost inevitable.
>
> John B.
> On 2013-02-28, at 2:56 PM, prateek mishra <prateek.mishra@oracle.com 
> <mailto:prateek.mishra@oracle.com>> wrote:
>
>> Characteristics of both these attacks -
>>
>> 1) Use of implicit flow (access token passed on the URL)
>> 2) changes to redirect uri (specification does allow some flexibility 
>> here)
>> 3) applications with long-lived access tokens with broad scope (in 
>> one case only)
>>
>> - prateek
>>> And a different one (still exploiting redirection and still 
>>> implementation mistake) 
>>> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html 
>>>
>>>
>>> Regards
>>>
>>> Antonio
>>>
>>> On Feb 25, 2013, at 11:42 PM, William Mills wrote:
>>>
>>>>
>>>>
>>>> DOH!!! 
>>>> http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>>
>>>> *To:* William Mills <wmills_92105@yahoo.com 
>>>> <mailto:wmills_92105@yahoo.com>>
>>>> *Sent:* Monday, February 25, 2013 2:28 PM
>>>> *Subject:* Re: [OAUTH-WG] OAuth2 attack surface....
>>>>
>>>> Whats the link?
>>>>
>>>> Phil
>>>>
>>>> Sent from my phone.
>>>>
>>>> On 2013-02-25, at 14:22, William Mills <wmills_92105@yahoo.com 
>>>> <mailto:wmills_92105@yahoo.com>> wrote:
>>>>
>>>>> I think this is worth a read, I don't have time to dive into this :(
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email