Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS attacks
pflam@cs.stanford.edu Sat, 13 November 2010 01:47 UTC
Return-Path: <pflam@cs.stanford.edu>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2BE373A6813 for <oauth@core3.amsl.com>; Fri, 12 Nov 2010 17:47:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oH0cVnwEK7+J for <oauth@core3.amsl.com>; Fri, 12 Nov 2010 17:47:05 -0800 (PST)
Received: from cs-smtp-2.Stanford.EDU (cs-smtp-2.Stanford.EDU [171.64.64.26]) by core3.amsl.com (Postfix) with ESMTP id 63AD43A6810 for <oauth@ietf.org>; Fri, 12 Nov 2010 17:47:05 -0800 (PST)
Received: from xenon.stanford.edu ([171.64.66.201]) by cs-smtp-2.Stanford.EDU with esmtps (TLSv1:AES256-SHA:256) (Exim 4.60) (envelope-from <pflam@cs.stanford.edu>) id 1PH5DM-0002hd-AO; Fri, 12 Nov 2010 17:47:39 -0800
Received: from localhost.stanford.edu ([127.0.0.1] helo=xenon.stanford.edu) by Xenon.Stanford.EDU with esmtp (Exim 4.63) (envelope-from <pflam@cs.stanford.edu>) id 1PH5DL-0006NT-BN; Fri, 12 Nov 2010 17:47:35 -0800
Received: from 222.166.181.166 (SquirrelMail authenticated user pflam) by xenon.stanford.edu with HTTP; Fri, 12 Nov 2010 17:47:35 -0800 (PST)
Message-ID: <10670.222.166.181.166.1289612855.squirrel@xenon.stanford.edu>
Date: Fri, 12 Nov 2010 17:47:35 -0800
From: pflam@cs.stanford.edu
To: oauth@ietf.org
User-Agent: SquirrelMail/1.4.8-5.el5.centos.10
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Scan-Signature: 8ae29cfe0e7acab0c1a6d8f3d15a0178
X-Mailman-Approved-At: Tue, 16 Nov 2010 16:14:26 -0800
Cc: Dawn Song <dawnsong@cs.berkeley.edu>, John Mitchell <mitchell@cs.stanford.edu>, Peifung Eric Lam <pflam@cs.stanford.edu>, Devdatta Akhawe <devdatta@eecs.berkeley.edu>, Adam Barth <abarth@gmail.com>
Subject: Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS attacks
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Nov 2010 01:51:40 -0000
Hi, We are a group of university researchers and have been applying a formal approach to analyze web security protocols. Devdatta gave a talk at IIW at Mountain View last week about our work, and a summary of our earlier results can be found at http://theory.stanford.edu/~jcm/papers/browsermodel-csf-2010.pdf . While analyzing OAuth specifications (2.0/1.0/WRAP), we found that a vulnerability exists that can be exploited to carry out DDOS attacks. Under the current specifications, such attacks are difficult to differentiate from legitimate and non-malicious connections, so rate-limiting based on user identities or machine fingerprinting are likely to be ineffective. A tentative solution is proposed at the end of this email. Any feedback is welcome! Best, Peifung Eric Lam ===== In the OAuth 2.0 and the OAuth WRAP specifications, we found that in the Web Server/Web App profile, an attacker can send an HTTP request to the redirect URI of a client web application (with an arbitrary authorization code), causing the client to issue an HTTPS request to the OAuth Authorization Server. The revelant sections in OAuth 2.0 Draft 10 are 1.4.1(C), and sections 3 and 4. A slightly modified attack can be mounted against OAuth 1.0 as specified in RFC 5849. >From our initial analysis, this feature of OAuth can be exploited by attackers to launder requests through trusted OAuth clients and launch a DDOS attack on the Authorization Server. Under the current specifications such attacks are difficult to differentiate from legitimate and non-malicious connections, so rate-limiting based on user identities or machine fingerprinting are likely to be ineffective. Specifically, an attacker can bombard the redirect URIs of the web application clients, causing a flood of HTTPS connections to the OAuth Authz Server. This can lead to depletion of resources on the Authz Server and prevent HTTPS connections carrying legitimate payload from reaching the Authz Server. During such an attack, all that the Authz Server learns (based on the 1.0, 2.0, and WRAP specs), is that a) each request comes from a registered web site which may have legitimate business making such a request, and b) the tokens conveyed in each request. However, as the attacker can issue authorization codes that are just (pseudo-) random bit strings not tied to any end-user identity, the Authz Server has learned little information regarding the attacker or its machines causing such frivolous connections. A large number of web application clients integrated with the Authz Server can help the attacker obfuscate its sources of attack and make information collection for DDOS defense more difficult. From statistics released by popular websites (such as Facebook), we expect the number of clients can be as high as a million. It seems that if we require the authorization code to be signed by the Authz Server (or HMAC'ed using a shared key between the Authz Server and the Client), and the client verifies the signature or HMAC code first before connecting to the Authz Server, then the above DDOS attack can be largely foiled. Please let us know if you would like to discuss this issue further so that we can devise a clean solution to this problem. Eran Hammer-Lahav <eran@hueniverse.com> wrote: > > The right place to bring this up for discussion is the IETF OAuth mailing list: oauth@ietf.org. > > Thanks! > > EHL