[OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
isciurus <isciurus@gmail.com> Fri, 10 April 2015 23:01 UTC
Return-Path: <isciurus@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 463821B2E24 for <oauth@ietfa.amsl.com>; Fri, 10 Apr 2015 16:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level:
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ohXX1-fJHdmV for <oauth@ietfa.amsl.com>; Fri, 10 Apr 2015 16:01:13 -0700 (PDT)
Received: from mail-ig0-x236.google.com (mail-ig0-x236.google.com [IPv6:2607:f8b0:4001:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EFFE1B2E23 for <oauth@ietf.org>; Fri, 10 Apr 2015 16:01:13 -0700 (PDT)
Received: by ignm3 with SMTP id m3so22808706ign.0 for <oauth@ietf.org>; Fri, 10 Apr 2015 16:01:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=sALDgBCuu13P2ZJO0KNs2ueVczYg/gki4jVhWsxMMsA=; b=FETkaSVU4QQBdkWdnaqOylr7B6Hgt+Ih2g6MIFlIweOr+7WoH2UTWHG6qo8cL3LMQJ 11ifCdHoREse4nip+39AcgnXip044r78qd9WI4VXMbWC5dkCqt8fN7EfQqgdvGg8kn9/ QbOiygXRkJzYIKPTa0xqfK8MKwrbLB35CuEO99/+3GryOOnhbCkQcoXEUN885IRwhXUM uPG2GgfQbMDMvMLDFntihA77LQi2gVbedzRRWXFcw/qVyRQlF+XxYgywTe6CJiaUzaZ0 B79idSvqtY0QghMIBt7S3ikeEaTYUfQb3ZVPb14gkmm58Y0XxKWgYtVLhUpY2QGt+Ff7 jv3Q==
X-Received: by 10.42.12.197 with SMTP id z5mr6457379icz.71.1428706872582; Fri, 10 Apr 2015 16:01:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.2.202 with HTTP; Fri, 10 Apr 2015 16:00:52 -0700 (PDT)
From: isciurus <isciurus@gmail.com>
Date: Fri, 10 Apr 2015 16:00:52 -0700
Message-ID: <CAAJG_r9yM0okfWyVm0vMSXrrPJigmGWDoF3VeW8X1f=4Xso_Fg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="20cf301d4208a0e754051366bdb2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/OYi6WU3jx2BAVhxNiRIe_chJ--4>
Subject: [OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 23:01:15 -0000
Hi, One of the recent drafts https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.html was brought to my attention. Regarding the part "2.2. Security Compromise: The Authorization Server As Open Redirector": The legitimate OAuth Authorization response will include an access token in the URI fragment. Most web browsers will append the fragment to the URI sent in the location header of a 302 response if no fragment is included in the location URI. This browser behaviour with a url fragment reattaching is indeed used widely in attacks on OAuth (for example, one of the recent on the bitcoin exchange http://sakurity.com/blog/2015/01/10/hacking-bitcoin-exchanger.html) and I am also aware of one attack on OpenID 2 implementation leaking a valid signature using the same technique. We are trying to propose a browser-level protection from sensitive url fragment data reattach on cross-domain redirects: http://lists.w3.org/Archives/Public/ietf-http-wg/2015JanMar/0066.html A new header in the AS response would also block fragment reattach in the following scenario: https://AUTHORIZATION_SERVER/authorize?response_type=token &client_id=good-client&scope=VALID_SCOPE &redirect_uri=https%3A%2F%2AUTHORIZATION_SERVER%Fauthorize %3Fresponse_type%3Dcode %26client_id%3Dattacker-client-id %26scope%3DINVALID_SCOPE %26redirect_uri%3Dhttps%253A%252F%252Fattacker.com But it would additionally block exploitation of vulnerable clients which have open redirects on their domains and don't whitelist their redirect_uri: https://AUTHORIZATION_SERVER/authorize?response_type=token &client_id=good-client&scope=VALID_SCOPE &redirect_uri=https%3A%2F%2good-client.com%Fopen_redirect %3Furl%3Dhttps%253A%252F%252Fattacker.com This can improve the situation with already deployed clients in large scale. Let me know if this proposal is interesting to the OAuth WG. Thanks, Andrey