Re: [OAUTH-WG] OAuth2 attack surface....
prateek mishra <prateek.mishra@oracle.com> Fri, 01 March 2013 15:00 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 463B911E80A2 for <oauth@ietfa.amsl.com>; Fri, 1 Mar 2013 07:00:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.573
X-Spam-Level:
X-Spam-Status: No, score=-6.573 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phbQP0ZeKOUd for <oauth@ietfa.amsl.com>; Fri, 1 Mar 2013 07:00:45 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 93AA021F92F8 for <oauth@ietf.org>; Fri, 1 Mar 2013 07:00:44 -0800 (PST)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r21F0hDn007112 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 1 Mar 2013 15:00:44 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r21F0gjk017233 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 1 Mar 2013 15:00:43 GMT
Received: from abhmt112.oracle.com (abhmt112.oracle.com [141.146.116.64]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r21F0gOR016655; Fri, 1 Mar 2013 09:00:42 -0600
Received: from [192.168.1.2] (/71.184.95.145) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 01 Mar 2013 07:00:42 -0800
Message-ID: <5130C2A0.2010100@oracle.com>
Date: Fri, 01 Mar 2013 10:00:48 -0500
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>
References: <1361830944.13340.YahooMailNeo@web31812.mail.mud.yahoo.com> <E4A6D91D-2BC8-4F2E-9B1C-D1362A0E3608@oracle.com> <1361831644.50183.YahooMailNeo@web31801.mail.mud.yahoo.com> <1361832133.97884.YahooMailNeo@web31816.mail.mud.yahoo.com> <140EEABC-2787-4D9A-A1C5-6C973FED5BC8@adobe.com> <512FE091.9030508@oracle.com> <9C445AAF-BEE8-44F5-8FE6-43CA843906CC@ve7jtb.com>
In-Reply-To: <9C445AAF-BEE8-44F5-8FE6-43CA843906CC@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------060502090704010903030102"
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2 attack surface....
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2013 15:00:46 -0000
Yup, use of confidential clients and full checking of redirect URIs would mitigate these attacks. I think there is an issue of providing guidance to developers/deployers, about making secure choices, that needs to be addressed someplace. A test suite would also be a good complement to a document. One challenge is that OAuth addresses such a broad class of clients - from angry birds all the way to transactional apps. I am a mostly interested in the latter, it would be good to have a resource that i can point people to (and, yes, the TM document is good but I dont see it as something most developers/deployers would benefit from). - prateek > While implicit is what they are attacking, this is in principal also > possible to do with a code flow if the client is public. > It is only confidential clients using the code flow that have > reasonable protection from open redirectors. > > In openID Connect we made registered redirect_uri and full comparison > of the URI including query parameters a requirement. > > Allowing path or query parameters outside of the redirect comparison > leaves too large of an uncontrolled attack surface. > > Implementation mistakes are almost inevitable. > > John B. > On 2013-02-28, at 2:56 PM, prateek mishra <prateek.mishra@oracle.com > <mailto:prateek.mishra@oracle.com>> wrote: > >> Characteristics of both these attacks - >> >> 1) Use of implicit flow (access token passed on the URL) >> 2) changes to redirect uri (specification does allow some flexibility >> here) >> 3) applications with long-lived access tokens with broad scope (in >> one case only) >> >> - prateek >>> And a different one (still exploiting redirection and still >>> implementation mistake) >>> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html >>> >>> >>> Regards >>> >>> Antonio >>> >>> On Feb 25, 2013, at 11:42 PM, William Mills wrote: >>> >>>> >>>> >>>> DOH!!! >>>> http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html >>>> >>>> ------------------------------------------------------------------------ >>>> *From:* Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> >>>> *To:* William Mills <wmills_92105@yahoo.com >>>> <mailto:wmills_92105@yahoo.com>> >>>> *Sent:* Monday, February 25, 2013 2:28 PM >>>> *Subject:* Re: [OAUTH-WG] OAuth2 attack surface.... >>>> >>>> Whats the link? >>>> >>>> Phil >>>> >>>> Sent from my phone. >>>> >>>> On 2013-02-25, at 14:22, William Mills <wmills_92105@yahoo.com >>>> <mailto:wmills_92105@yahoo.com>> wrote: >>>> >>>>> I think this is worth a read, I don't have time to dive into this :( >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OAuth2 attack surface.... William Mills
- Re: [OAUTH-WG] OAuth2 attack surface.... William Mills
- Re: [OAUTH-WG] OAuth2 attack surface.... Richer, Justin P.
- Re: [OAUTH-WG] OAuth2 attack surface.... John Bradley
- Re: [OAUTH-WG] OAuth2 attack surface.... Dick Hardt
- Re: [OAUTH-WG] OAuth2 attack surface.... Antonio Sanso
- Re: [OAUTH-WG] OAuth2 attack surface.... prateek mishra
- Re: [OAUTH-WG] OAuth2 attack surface.... Oleg Gryb
- Re: [OAUTH-WG] OAuth2 attack surface.... John Bradley
- Re: [OAUTH-WG] OAuth2 attack surface.... prateek mishra
- Re: [OAUTH-WG] OAuth2 attack surface.... Antonio Sanso
- Re: [OAUTH-WG] OAuth2 attack surface.... prateek mishra