IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

Phillip Hunt <phil.hunt@oracle.com> Sun, 14 August 2011 05:54 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 152D621F8841 for <oauth@ietfa.amsl.com>; Sat, 13 Aug 2011 22:54:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.555
X-Spam-Level:
X-Spam-Status: No, score=-2.555 tagged_above=-999 required=5 tests=[AWL=-1.353, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2pAtjaea5mL5 for <oauth@ietfa.amsl.com>; Sat, 13 Aug 2011 22:54:49 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id E934A21F8742 for <oauth@ietf.org>; Sat, 13 Aug 2011 22:54:48 -0700 (PDT)
Received: from rtcsinet22.oracle.com (rtcsinet22.oracle.com [66.248.204.30]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p7E5tRqH028341 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 14 Aug 2011 05:55:29 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by rtcsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p7E5tOlM020075 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 14 Aug 2011 05:55:25 GMT
Received: from abhmt111.oracle.com (abhmt111.oracle.com [141.146.116.63]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p7E5tJ4K012527; Sun, 14 Aug 2011 00:55:19 -0500
Received: from [192.168.1.67] (/24.87.204.3) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 13 Aug 2011 22:55:19 -0700
References: <CA6BD818.17E81%eran@hueniverse.com> <B478E5DF-6B05-4BAA-ACF3-B5C7C7B1F1AA@oracle.com> <1313295383.69882.YahooMailNeo@web31808.mail.mud.yahoo.com>
In-Reply-To: <1313295383.69882.YahooMailNeo@web31808.mail.mud.yahoo.com>
Mime-Version: 1.0 (iPhone Mail 8L1)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="Apple-Mail-16--13328470"
Message-Id: <4DE6F907-E45B-4F70-9CE7-FF58ABE13BF6@oracle.com>
X-Mailer: iPhone Mail (8L1)
From: Phillip Hunt <phil.hunt@oracle.com>
Date: Sat, 13 Aug 2011 22:55:18 -0700
To: "William J. Mills" <wmills@yahoo-inc.com>
X-Source-IP: rtcsinet22.oracle.com [66.248.204.30]
X-CT-RefId: str=0001.0A090206.4E476351.002E,ss=1,re=-2.300,fgs=0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Aug 2011 05:54:50 -0000

No. I don't think so. In the new variant the client has to check the returned state to confirm it has not changed or associated with a different user.  

Previously the authz server had to do the checks. 

Phil

On 2011-08-13, at 21:16, "William J. Mills" <wmills@yahoo-inc.com> wrote:

> The defense is the same though, correct?
> 
> From: Phil Hunt <phil.hunt@oracle.com>
> To: Eran Hammer-Lahav <eran@hueniverse.com>
> Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
> Sent: Saturday, August 13, 2011 4:41 PM
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
> 
> There are two CSRF variations scenarios that I see.
> 
> I can attack you and give my client access to your resources (original attack on the "resource").
> 
> I can attack you and give your client access to my resource (new attack on the "client").
> 
> Attack on the client vs. attack on the resource may be misleading here.  Draft 20 only referred to attacks on the "resource" in its original CSRF description.
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
> 
> 
> 
> 
> On 2011-08-13, at 7:30 AM, Eran Hammer-Lahav wrote:
> 
>> All OAuth CSRF attacks are on the client.
>> 
>> EHL
>> 
>> From: Phil Hunt <phil.hunt@oracle.com>
>> Date: Sat, 13 Aug 2011 00:21:50 -0700
>> To: Torsten Lodderstedt <torsten@lodderstedt.net>
>> Cc: Eran Hammer-lahav <eran@hueniverse.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>>> +1 (to putting more detail in the Threat Model document)
>>> 
>>> Yes, this is another CSRF attack (hence the change to 10.2). 
>>> 
>>> What is *new* is this is an attack on the client application rather than the resource server. As such, I agree this new attack vector is well deserving of wider review and discussion before finalizing the draft.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 2011-08-12, at 11:58 PM, Torsten Lodderstedt wrote:
>>> 
>>>> 
>>>> 
>>>> Am 12.08.2011 23:52, schrieb Eran Hammer-Lahav:
>>>>> 
>>>>> This is really just a flavor of CSRF attacks. I have no objections to better documenting it (though I feel the current text is already sufficient), but we can't realistically expect to identify and close every possible browser-based attack. A new one is invented every other week.
>>>>> 
>>>>> The problem with this text is that developers who do no understand CSRF attacks are not likely to implement it correctly with this information. Those who understand it do not need the extra verbiage which is more confusing than helpful.
>>>> 
>>>> We are constantly facing the fact that a comprehensive description of security threats needs more space than we have in the core draft. That's the reason why the security document has 63 pages and that's also the reason why we decided to let the core spec refer to this document for in-depth explanations. This holds true for this threat as well.
>>>> 
>>>> regards,
>>>> Torsten. 
>>>> 
>>>>> 
>>>>> As for the new requirements, they are insufficient to actually accomplish what the authors propose without additional requirements on state local storage and verification to complete the flow. Also, the proposed text needs clarifications as noted below.
>>>>> 
>>>>> 
>>>>> From: Anthony Nadalin <tonynad@microsoft.com>
>>>>> Date: Fri, 12 Aug 2011 12:06:36 -0700
>>>>> To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
>>>>> Subject: [OAUTH-WG] Auth Code Swap Attack
>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> Recommended Changes to draft-ietf-oauth-v2
>>>>>>  
>>>>>> In section 4, request options (e.g. 4.1.1) featuring "state" should change from:
>>>>>>  
>>>>>> state
>>>>>> OPTIONAL. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.
>>>>>>  
>>>>>> to:
>>>>>>  
>>>>>> state
>>>>>> REQUIRED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The encoded value SHOULD enable the client application to determine the user-context that was active at the time of the                      request (see section 10.12). The value MUST NOT be guessable or predictable, and MUST be kept confidential.
>>>>>>

v2.23.0 | Report a Bug | By Email