IETF Logo Mail Archive

Re: [OAUTH-WG] Indicating origin of OAuth credentials to combat login CSRF

"Manger, James H" <James.H.Manger@team.telstra.com> Sun, 27 February 2011 22:40 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 22D553A68BD for <oauth@core3.amsl.com>; Sun, 27 Feb 2011 14:40:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.178
X-Spam-Level:
X-Spam-Status: No, score=-0.178 tagged_above=-999 required=5 tests=[AWL=0.722, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUTTnVZJzUUh for <oauth@core3.amsl.com>; Sun, 27 Feb 2011 14:39:55 -0800 (PST)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by core3.amsl.com (Postfix) with ESMTP id 215883A6835 for <oauth@ietf.org>; Sun, 27 Feb 2011 14:39:53 -0800 (PST)
X-IronPort-AV: E=Sophos; i="4.62,235,1296997200"; d="scan'208,217"; a="27985235"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipocvi.tcif.telstra.com.au with ESMTP; 28 Feb 2011 09:40:51 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6270"; a="20119172"
Received: from wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) by ipcdvi.tcif.telstra.com.au with ESMTP; 28 Feb 2011 09:40:51 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) with mapi; Mon, 28 Feb 2011 09:40:50 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, OAuth Mailing List <oauth@ietf.org>
Date: Mon, 28 Feb 2011 09:40:49 +1100
Thread-Topic: [OAUTH-WG] Indicating origin of OAuth credentials to combat login CSRF
Thread-Index: AcvVsIFieUlfK0igRZG6JSYaLFLD1QBHUs8w
Message-ID: <255B9BB34FB7D647A506DC292726F6E1127ECCCBD4@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1127DCD2142@WSMSG3153V.srv.dir.telstra.com> <4D68F197.7040707@lodderstedt.net>
In-Reply-To: <4D68F197.7040707@lodderstedt.net>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E1127ECCCBD4WSMSG3153Vsrv_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Indicating origin of OAuth credentials to combat login CSRF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Feb 2011 22:40:01 -0000

Torsten Lodderstedt said: "I would expect the token to carry information about its issuer. Would this be sufficient in order to detect CSRF?"

No.

A Login CSRF attack involves a legitimate token (listing the legitimate issuer) that an attacker received being given to a victim client. The client gets a legitimate token - but they got it from the wrong party so they cannot be sure it was a token meant for them.

If the client tells the resource server where they got the token from then the resource server can confirm that there wasn't an attacker between the legitimate authorization server and client.



--

James Manger







Am 25.02.2011 01:08, schrieb Manger, James H:

Q. Should an OAuth client app list the authorization server in the Origin header of requests to resource servers?



In OAuth (delegation) flows a server dynamically issues credentials (such as a bearer token) to a client app to use in subsequent HTTP requests to other servers. To combat login cross-site request forgery (CSRF) attacks [1] (where an attacker's server issues the attacker's credentials to a client app to use on behalf of a victim at a legitimate server) the client app needs to indicate where the credentials came from. The Origin header [2] looks like the right place to indicate this.



[For the OAuth list: The Origin HTTP request header "indicates the origin(s) that caused the user agent to issue the request" [http://tools.ietf.org/html/draft-ietf-websec-origin-00#section-6.2].]



[For the WebSec list: An OAuth credential from an authorization server is a bit like a cookie, but not restricted to the same origin.]





Example:



  Client to (malicious) authorization server: ->

    POST /token HTTP/1.1

    Host: login.example.com

    ...

  <-

    HTTP/1.1 200 OK

    ...

    { "access_token": "SlAV32hkKG", ...}



  Client to resource server: ->

    POST /uploadData HTTP/1.1

    Host: api.exampledata.com

    Authorization: BEARER SlAV32hkKG

    Origin: https://login.example.com

    ...





There can be other servers that contribute to a client app making a request. For instance, one server can redirect to another. A Origin request header can list multiple origins. The server will not be able to distinguish which origin issued OAuth credentials from which issued a redirect etc. That might not matter if a server has to trust all the values listed in the Origin header.

Q. Is it the group's expectation that servers checking the Origin header will require all the listed origins to be trusted?



[1] Robust Defenses for Cross Site Request Forgery, http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

[2] The Web Origin Concept, http://tools.ietf.org/html/draft-ietf-websec-origin

[3] Principles of the Same Origin Policy, http://tools.ietf.org/html/draft-abarth-principles-of-origin



--

James Manger

v2.23.0 | Report a Bug | By Email