IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

"William J. Mills" <wmills@yahoo-inc.com> Tue, 16 August 2011 01:45 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD0E21F8C64 for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 18:45:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.271
X-Spam-Level:
X-Spam-Status: No, score=-17.271 tagged_above=-999 required=5 tests=[AWL=0.327, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3erlEGUNiKZ for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 18:45:26 -0700 (PDT)
Received: from nm10.bullet.mail.bf1.yahoo.com (nm10.bullet.mail.bf1.yahoo.com [98.139.212.169]) by ietfa.amsl.com (Postfix) with SMTP id 2C06321F8C63 for <oauth@ietf.org>; Mon, 15 Aug 2011 18:45:26 -0700 (PDT)
Received: from [98.139.212.146] by nm10.bullet.mail.bf1.yahoo.com with NNFMP; 16 Aug 2011 01:41:08 -0000
Received: from [98.139.212.217] by tm3.bullet.mail.bf1.yahoo.com with NNFMP; 16 Aug 2011 01:41:08 -0000
Received: from [127.0.0.1] by omp1026.mail.bf1.yahoo.com with NNFMP; 16 Aug 2011 01:41:08 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 110577.91703.bm@omp1026.mail.bf1.yahoo.com
Received: (qmail 96604 invoked by uid 60001); 16 Aug 2011 01:41:07 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1313458867; bh=QXmK04Lf8DPksbGxtWEByFFOjW92zZEupoBYSG/VvzU=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=gEqLDrX9NCXraDvyxH8p6MAjkPbUj365jG2sAGMGyzdDYa4ZLLoE/ly/8XVVMWkpU+6kFn4P6aTQzx+Sns1eNgsDs3heaogkjVgU49GtsbILNI/IkhBMjmgsL7WtlPHS1pG4I+DImnv2S5fNoNfBf40EyfcvISYt5nRYlhWN2cU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=TLHP6X4Dm0ZxRmla1kIWwk4Du3IQ3PhiuOfYOcC57vevKXrk/NX407VQVlgYA8jNBJrQu63pHVH6KnRNzqpakspt6/eZFHo5ssbbvr2Ly4vNKDJweMvFWpF2E2evYRm4ojn/g2p8OYMBnmdwNNg2JpsEk1snwFe3nC56eusri+k=;
X-YMail-OSG: AnPCbnIVM1npc38pmczyWDrek6jNLgfDaMI3oR8Lbt0xrg. d.2y0d1Z5FM7MRPbeTumngZo.S5tkXkUUR_H0z443BISeVCzoiuGJEcXdCbg Eoo8HIFJBK8KvV_ExTT6DIn.Fs3zwMWlEIkJYPX_IfpkpCG8.MhYnANAaZoJ m_1EfXx27tEGqOHVqFp3Pkb6742obUPpWewmtCvByGgHMu6fN747d.aNB2.q S0VWQ9ZWhIhATyEMYo8MjBPFtWl9cDAX1QNJ79XCP8tO3WqOg7BrvoDtc0pa hHieJRlhiLXDUnyyAJSMVe0mOt7M9L4bsHzX1xKgV5EMHnpSHZcMbZqzR16h Zi7F89AuM4Pv6156DETGaw71XGb9m69sW1zMg4OX_SBqO3i_4hSZhZ4JJuaK Gttg1JXJFsmoJ7w32sBWll12R4FhSBMbRPfdqLZOCjw--
Received: from [209.131.62.113] by web31804.mail.mud.yahoo.com via HTTP; Mon, 15 Aug 2011 18:41:07 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.113.315625
References: <4E46207A.6080404@lodderstedt.net> <CA6BD89B.17E85%eran@hueniverse.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B26C1EF377CB694EAB6BDDC8E624B6E723BB563D@SN2PRD0302MB137.namprd03.prod.outlook.com> <CAC4RtVACp8+YD2j3xf7ZCpbS=pt3WE1-U4w-17xFiqFZ3ovYHA@mail.gmail.com> <1313428049.81355.YahooMailNeo@web31811.mail.mud.yahoo.com>
Message-ID: <1313458867.58222.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Mon, 15 Aug 2011 18:41:07 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: "William J. Mills" <wmills@yahoo-inc.com>, Barry Leiba <barryleiba@computer.org>, Anthony Nadalin <tonynad@microsoft.com>
In-Reply-To: <1313428049.81355.YahooMailNeo@web31811.mail.mud.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-981699020-1313458867=:58222"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>, "eran@sled.com" <eran@sled.com>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: "William J. Mills" <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2011 01:45:27 -0000

After thinking about this and getting on the phone with Eran, I think making "state" required isn't right (because we're dictating one solution/format to no real point), but CSRF protection *is* REQUIRED.  I also think that we're probably not sufficiently clear about which state parameter we're talking about, since we have 2, but that's a different question). The core of the problem described 
in the first message of this topic is a plain CSRF vulnerability of the 
redirect URI.  Alice's (our victim) browser visits the malicious 
redirect URI, presents her credential, and the bad thing happens.

I'm proposing a 3rd variant.  The original -20 text is included below, it's closer to where I think we should be.  This leans on a rather fuzzy-term "non-guessable" but I'm OK with it if no on else objects.



10.12.  Cross-Site Request Forgery

Cross-site request forgery (CSRF) 
is an attack whereby malicious URLs are sent to the user-agent of an end user (generally as hidden links or images) and transmitted from the 
user-agent the server trusts or has authenticated. The most commonly exploited mechanism for this is credentials held in cookies automatically presented by a web browser.  CSRF attacks against the client's redirection URI allow 
an attacker to inject their own authorization code or access token, 
which can result in the client using an access token associated with the attacker's account rather than the victim's.  CSRF 
attacks are also possible against an authorization endpoint.  

Client applications MUST implement CSRF protection for the redirection URI.  CSRF protection for a request is data included in the request that ties that request to the user's authenticated state, i.e. a cryptographic signature of the user credential and the redirection URI path.  Upon receipt of a request the client application computes the CSRF data based on the presented credential and compares that to the CSRF protection data presented in the request.  CSRF protection data MUST contain a non-guessable value, and the client MUST keep it in a 
location accessible only by the client or the user-agent (i.e., 
protected by same-origin policy). The "state" redirection URI parameter is provided as one method of carrying CSRF protection data, and is RECOMMENDEDto provide the greatest compatibility with systems implementing strong redirection URI validation.  


It is strongly RECOMMENDED that 
the client includes the "state" request parameter with authorization 
requests to the authorization server.  The "state" request parameter 
MUST contain a non-guessable value, and the client MUST keep it in a 
location accessible only by the client or the user-agent (i.e., 
protected by same-origin policy). 


For example, using a DOM variable, HTTP cookie, or HTML5 client-side 
storage.  The authorization server includes the value of the "state" 
parameter when redirecting the user-agent back to the client which MUST 
then ensure the received value matches the stored value. 




Original -20 text:


10.12.  Cross-Site Request Forgery

Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from the user-agent of an end-user the server trusts or has authenticated.  CSRF attacks on the authorization endpoint can allow an attacker to obtain authorization without the consent of the resource owner. 


The "state" request parameter SHOULD be used to mitigate against CSRF attacks, particularly for login CSRF attacks.  CSRF attacks against the client's redirection URI allow an attacker to inject their own authorization code or access token, which can result in the client using an access token associated with the attacker's account rather than the victim's.  Depending on the nature of the client and the protected resources, this can have undesirable and damaging effects. 


It is strongly RECOMMENDED that the client includes the "state" request parameter with authorization requests to the authorization server.  The "state" request parameter MUST contain a non-guessable value, and the client MUST keep it in a location accessible only by the client or the user-agent (i.e., protected by same-origin policy). 


For example, using a DOM variable, HTTP cookie, or HTML5 client-side storage.  The authorization server includes the value of the "state" parameter when redirecting the user-agent back to the client which MUST then ensure the received value matches the stored value. 



________________________________
From: William J. Mills <wmills@yahoo-inc.com>
To: Barry Leiba <barryleiba@computer.org>; Anthony Nadalin <tonynad@microsoft.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>; "eran@sled.com" <eran@sled.com>
Sent: Monday, August 15, 2011 10:07 AM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack


I'm a -1 on both of these until I re-read the attack description and really parse this again.  Perhaps I'm being confused by the usage of "client" here.  My initial reaction is that any time we are relying on the client to protect itself from CSRF it is a mistake.

I do think that CSRF protection is REQUIRED, the remaining question is whether it's reasonable to force folks to use the state parameter.  My gut says it's not unreasonable to force this simple model.


I also don't particularly like either CSRF description used.  As I've said before I think there are better discussions of it out there.

More later when I have more time to think on this.

-bill



________________________________
From: Barry Leiba <barryleiba@computer.org>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: "eran@sled.com" <eran@sled.com>; "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Sent: Monday, August 15, 2011 8:06 AM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> That's nice, four people come up with text and you decide to use your text.
> Making state optional does nothing to fix the protocol issue, people will get
> this wrong and have. Our developers have been through this and agreed
> upon the text that was generated. They find the text in the current draft
> unacceptable and confusing and think that new text is acceptable.

I have to agree with what Tony says above.  The text proposed in his
message was agreed upon by several WG participants, and unless there's
some significant objection to it I think we should use it in the -21
version, subject to final WG review.

Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email