Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation: My Impressions

Torsten Lodderstedt <> Sat, 06 February 2016 11:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1C6CB1B2C29 for <>; Sat, 6 Feb 2016 03:33:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.352
X-Spam-Status: No, score=-0.352 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LgIBPrOwoEqK for <>; Sat, 6 Feb 2016 03:33:04 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2DB571A0252 for <>; Sat, 6 Feb 2016 03:33:04 -0800 (PST)
Received: from [] (helo=[]) by with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <>) id 1aS15I-00085g-P1; Sat, 06 Feb 2016 12:31:24 +0100
To: Hannes Tschofenig <>, "" <>
References: <>
From: Torsten Lodderstedt <>
Message-ID: <>
Date: Sat, 06 Feb 2016 12:32:37 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------010606090303040804090408"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation: My Impressions
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 06 Feb 2016 11:33:08 -0000

Hi Hannes,

#2 is not directly described in the paper but was used to replay the 
code/token the attacker obtained via #1. In my observation, the 
discussion in Darmstadt has shown that OAuth (and its built-in 
mitigations) so far focused on preventing code/token leakage but we lake 
mitigation for replay in this particular case.

#2 does not require the attacker to control the network or the victim's 
device. The attacker (using #1 or other attacks, e.g. on referrer 
headers or log files) obtains a code and injects this code into a 
legitimate OAuth/OIDC flow on its device. All she has to do is starting 
a authz code flow on the legitimate client, the particular code was 
issued for, and replace the code in the response from the AS. From the 
client's perspective, the response looks ok, since it carries the 
correct state value bound to the client in the particular user agent 
(since this is not a XSRF). But since there is no way (currently) to 
bind the code to a certain user agent, the client would accept the code 
and exchange it for token(s) on the AS. That gives the attacker access 
to resources of the victim and/or impersonates the attacker as the victim.

There are several way to mitigate this issue:
- OIDC has the "code id_token" response type, which uses nounce and 
c_hash in the id_token to bind the code to the user agent session
- in Darmstadt we came up with the idea to utilize the state value for 
that purpose.

Do we need to describe the threat and mitigation if 
draft-jones-oauth-mix-up-mitigation? I don't think so.
We could describe the mechanisms in a different draft.

I personally would prefer (and Phil already states this as well) the WG 
to work on a single draft, providing a consolidated view on all threats 
caused by the more dynamic usage of OAuth. We could also include all 
threats/mitigations/issues we have seen in the wild since RFC 6749 was 
published. This would also include stronger advice regarding XSRF 
prevention and open redirectors. I don't think we serve the community 
well be spreading those issues and mitigation over 3 or 4 drafts.

best regards,

Am 04.02.2016 um 21:27 schrieb Hannes Tschofenig:
> Hi all,
> when I posted the call for adoption of the 'OAuth 2.0 Mix-Up Mitigation'
> solution <draft-jones-oauth-mix-up-mitigation> I wasn't expecting such a
> heavy debate on the list. While the call for adoption is still ongoing I
> would like to share my view as someone who has to judge consensus in a
> few days together with Derek.
> Regardless of where we are with respect to oauth-meta vs.
> draft-jones-oauth-mix-up-mitigation we should keep an eye on the threats
> we are trying to address (and we have to document them).
> Here is how I would summarize the situation after reviewing the drafts,
> blog posts and various emails sent to the list.
> We have two types of threats:
> #1: Threat described in the papers referenced in my email to the list
> The attack assumes that '... the presence of a network attacker who can
> manipulate the request in which the user sends her identity to the RP as
> well as the corresponding response to this request ...' (see page 15 of
> I believe that this threat is well documented (at least in the paper).
> #2: Cut-and-Paste Attacks
> Here things get a bit more difficult since the threat is less well
> described. In Section 7.3 of
> Mike
> makes an attempt to describe the attack and refers to Section
> of RFC 6819, which talks about 'Code Substitution'. I am not convinced
> that the description in RFC 6819 exactly matches the intention of
> Section 7.3 of draft-jones-oauth-mix-up-mitigation-01 but I might be
> misinterpreting.
> Anyway, here is a copy-and-paste from the draft:
>     A "cut-and-paste" attack is performed
>     by the attacker creating what appears to be a legitimate
>     authorization response, but that substitutes some of the response
>     parameter values with values of the attacker's choosing.
> Clearly, this attack makes different assumptions than what is stated in
> the papers listed under item #1. It appears that the attacker will have
> to be on the users device /browser itself. If that's true then the text
> needs to state that.
> Nat also provides a description of a similar attack in his blog post
> under the name of 'Code Phishing' at
> In his description the attacker assumption is that the developer is
> tricked into re-configuring the token endpoint so that the attacker is
> able to obtain the authorization code.
> While I believe the group is well advised to tackle the attack described
> in item #1 to mitigate the attacks discovered late last year. I am
> curious whether the group also sees the mitigation of threat #2 in scope
> of this document. In some sense, one could argue that cut-and-paste is
> more generic and a concern also for those cases where an OAuth client
> does not talk to multiple ASs.
> So, here are my questions:
> - Can we describe the threat #2 in more details and by stating the
> assumptions about the attacker?
> I believe that this is important for understanding the attack within the
> participants of the group but also for those who stumble over our
> documents. Once we have a good description we should move on and answer
> the next two questions:
> - Should the document describe mitigations for attacks #1 and #2?
> - Should the solution mandate a solution for dealing with both attacks?
> Finally, we can talk about the details of the attack mitigation itself.
> As far as the work from Mike (oauth-mix-up-mitigation) and Nat
> (oauth-meta) is concerned Derek and I will find ways to ensure that the
> prior work by all involved participants is appropriately attributed and
> acknowledged!
> Ciao
> Hannes
> _______________________________________________
> OAuth mailing list