[OAUTH-WG] Another CSRF attack

Daniel Fett <fett@uni-trier.de> Thu, 05 May 2016 14:19 UTC

From: Daniel Fett <fett@uni-trier.de>
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <572B551B.5030702@uni-trier.de>
Date: Thu, 05 May 2016 16:13:47 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/G4J3H1BMyIN01FCOLKqLjrx7AZ4>
Cc: Guido Schmitz <gschmitz@informatik.uni-trier.de>, ralf Kuesters <kuesters@uni-trier.de>
Subject: [OAUTH-WG] Another CSRF attack

We found another attack on session integrity (read: a CSRF attack).

This attack breaks the session integrity for clients that allow the use
of multiple AS where one AS might be malicious. It only works for
clients that do not use a session or cookie to track which AS a user
wanted to use when starting the OAuth flow. (We assume that such
clients, for lack of other options, use different redirection URIs for
the different AS.)

Let's call the malicious AS AIdP and the honest one HIdP.

The attack works as follows: When a user wants to authorize using AIdP,
AIdP redirects the user back to the redirection URI of HIdP at the
client. AIdP attaches to this redirection URI the state issued by the
client, and an authorization code or access token obtained from HIdP. The
client then believes that the user logged in at HIdP. Hence, the user is
logged in at the client using the attacker's identity at HIdP or the
client accesses the attacker's resources at HIdP believing that these
resources are owned by the user.

This attack should also be applicable to OpenID Connect in all modes.

The obvious fix here is that RP should track in a session or cookie
where the user wanted to log in. Using different redirection URIs is not
sufficient.

Can anybody confirm this attack, and whether it was described before?

Cheers,
Daniel, Guido, Ralf

-- 
Information Security and Cryptography
Universität Trier - Tel. 0651 201 2847 - H436
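An added illustration of the fix proposed in the message above, not code from the authors: a minimal client callback that identifies the AS from the redirection URI alone, beside one that also checks the AS recorded in the session when the flow was started. The paths, the AS names and the `simulate_mixup` helper are assumptions for this example.

```python
import secrets

# Constructed example: two authorization servers known to the client, each
# with its own redirection URI (the only thing the vulnerable client uses to
# tell them apart).
REDIRECT_URIS = {"/cb/hidp": "HIdP", "/cb/aidp": "AIdP"}

def start_flow(session, chosen_as):
    """Begin an authorization request at chosen_as; returns the state value."""
    state = secrets.token_urlsafe(16)
    # Record which AS this state was issued for (the proposed fix).
    session["pending"] = {"state": state, "as": chosen_as}
    return state

def callback_vulnerable(session, path, state, code):
    """Trusts the redirection URI alone to decide which AS issued the code."""
    pending = session.get("pending")
    if not pending or pending["state"] != state:
        return None
    return REDIRECT_URIS[path]  # AS at which the client will redeem the code

def callback_hardened(session, path, state, code):
    """Also requires the AS implied by the path to match the session record."""
    pending = session.pop("pending", None)
    if not pending or not secrets.compare_digest(pending["state"], state):
        return None
    if REDIRECT_URIS.get(path) != pending["as"]:
        return None  # flow started at AIdP but landed on HIdP's redirection URI
    return pending["as"]

def simulate_mixup(handler):
    """User starts a flow at AIdP; AIdP redirects to HIdP's redirection URI
    with the client's state and a code the attacker obtained from HIdP."""
    session = {}
    state = start_flow(session, "AIdP")
    return handler(session, "/cb/hidp", state, "attacker-code-from-HIdP")
```

With the vulnerable callback the client proceeds as if the user had authorized at HIdP; the hardened callback rejects the response because the session says the user chose AIdP.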