[OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks

Tom Jones <thomasclinganjones@gmail.com> Mon, 01 July 2024 17:11 UTC

Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83C4DC1519B4 for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 10:11:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fpRG8Sz5CQ5w for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 10:11:47 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FC03C14E515 for <oauth@ietf.org>; Mon, 1 Jul 2024 10:11:47 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-586de6191c7so52653a12.3 for <oauth@ietf.org>; Mon, 01 Jul 2024 10:11:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719853905; x=1720458705; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=t6P52rXt453spxaNibWV81f0OiA6/oPiOcZOUqIg38s=; b=je9xJg5Ug8Zh/dx5yan3uvXqeNcPGgsku/nig+SBsalPkjTRCyPYAVDbxt1D1RGx0g GFmHfu2zJCiXeMTu8G3/vF3uMP8mjTqzvvSF+5BNDPyx3LFtTnRiGLQgph/CG7QD6EWs 7ivLHc+wHLwwxVEodJJs/aSaOQwBOX9Bw36Tmxy2mpsDGHD+2yjsmi+NA1bkik+U59hm pUiEF+gi7PG+JGvL4l7+LDxLFScjY38708wv+A3BBYr6jjjgA450ITS3oaLMNvCOuKdl exJKlp39yghdynVeoL7ZO2OQ+l8xxIXPIwIHOwBD1/r21zpPELbSsPsOsLfIijvv0Dse pGmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719853905; x=1720458705; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=t6P52rXt453spxaNibWV81f0OiA6/oPiOcZOUqIg38s=; b=koi/5R4uXWFr7QShOmaKeCDqYIDWLmik+mj+MqL5cO2eINSeXXkb+ftivMowBc7rAh zbHIh19/JEj/aFSUrrtAfbXd87jxe/ZVs0a5lt054usNxkqr0wTmC9MfUViTOMyYQ9oq h9n528MCu4sOiPUuBZ/UgMTnl8GWcHlxtVaHO7FK01OlDmfu72LsvmxjDDk6RNRjoHW+ DBOaQucxXXd9kEzlLv2ReRulJI60caeixzvSK4axL2tsQAqxW8FdzhEvmTFP80Pjz5NR +V5O6c5kpR41wAWuJNFRnf3ZzU2HvTx122qj2v0wvkFhB3tzMkmiehL21sq7bxsdgFAn QSwA==
X-Gm-Message-State: AOJu0YxkldMZBd9mPZ3scDsnSc1fqXvh0GC8KSj7FJqRcs1NDs6zs3lj 7OuqAk0SUb0c6qxKQVEgek2lfHvo0ohYRk4YLHLz+8pAzObU7E9Yg/M23FKsCSiythGiVUxEkUQ tMKwFTjWs4APAcGoNyv8yZInBeKMEx3/V
X-Google-Smtp-Source: AGHT+IHdYZG3TpccOFBi4/J5ZcinEXsJkXYENgQQRE1WRF4iIJuU6dlBAml7tfYFnTTodpIzZxtseBGVWVoRgG+K0A8=
X-Received: by 2002:a17:906:6a24:b0:a6f:70b6:b063 with SMTP id a640c23a62f3a-a75143fe962mr453863866b.1.1719853905180; Mon, 01 Jul 2024 10:11:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAMsdJ+igzBuXf2HRhkLKQyRy7J2JqT9rTu0REe0nhcj0UNyXXg@mail.gmail.com>
In-Reply-To: <CAMsdJ+igzBuXf2HRhkLKQyRy7J2JqT9rTu0REe0nhcj0UNyXXg@mail.gmail.com>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Mon, 01 Jul 2024 10:11:33 -0700
Message-ID: <CAK2Cwb5FTxiO=Avt6yypih4pJ+Q=qGNVdGAacY0HYL2E4zv2Zw@mail.gmail.com>
To: Chaitanya Reddy <nchaitreddyutilities@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000157f90061c32b155"
Message-ID-Hash: QTSDJOYTAWOATBZWV7KMWYPNEGUUFOSX
X-Message-ID-Hash: QTSDJOYTAWOATBZWV7KMWYPNEGUUFOSX
X-MailFrom: thomasclinganjones@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7oiLjWAiQt6olQ_kpwkC3jL3Cgs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I am utterly appalled by this statement
" opaque value, OAuth implementors usually don't sanitize the value."
No web site should ever use any data from the user's device without full
validation as it is *completely untrustworthy*.
Treating this head value differently than any other header value is WRONG.
NONE is trustworthy.
Be the change you want to see in the world ..tom


On Mon, Jul 1, 2024 at 5:20 AM Chaitanya Reddy <
nchaitreddyutilities@gmail.com> wrote:

> Hi Team,
>
> Hope you are doing well!
>
> I am writing this mail regarding the discussion of usage of *state*
> parameter in the OAuth implementation.
>
> As per the RFC 6749, "*An opaque value is used by the client to maintain
> state between the request and callback. And it should be used to prevent
> cross-site request forgery*". Since it's an opaque value, OAuth
> implementors usually don't sanitize the value.
>
> One of the OAuth 2.0 implementors (Google) have defined state as "*You
> can use this parameter for several purposes, such as directing the user to
> the correct resource in your application, sending nonces, and mitigating
> cross-site request forgery*"
>
> The issue arries here due to the fact that Google allows the use of state
> parameter for directing the users to the correct resource. Since the value
> in RFC is defined as *opaque, *they are not sanitizing the value for any
> possible malicious values. I have observed two instances where clients
> using Google's OAuth service directly use the state parameter value in *Location
> header *to redirect the users hence resulting in header injection attacks.
>
> As per my understanding, this issue arises due to the fact that:
> 1. Google allows state parameter to be used for purpose not defined in RFC.
> 2. Google is not sanitizing the state paramater on their end.
> 3. Client is also not sanitizing the state paramater and directly using it
> in the *Location* header.
>
> I have raised this issue to google via google VRP but after weeks of
> communication over the ticket, the engineer feels like they are not in
> disagreement with the spec and have requested me to discuss it further with
> your team and hence i am reaching out to you.
>
> Please let me know your thoughts about this.
>
> Regards,
> Chaitanya Reddy
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>