Re: [OAUTH-WG] DPoP: Threat Model

Philippe De Ryck <philippe@pragmaticwebsecurity.com> Mon, 04 May 2020 19:28 UTC

From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Message-Id: <F0001BCC-29D5-4525-89CE-0BEF0E835333@pragmaticwebsecurity.com>
Date: Mon, 04 May 2020 21:27:42 +0200
In-Reply-To: <b5645470-67db-c18d-28b8-2cf4df06a03d@danielfett.de>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth@ietf.org
To: Daniel Fett <fett@danielfett.de>
References: <9ee75fc4-c134-1a36-1fa3-4c42887dc438@danielfett.de> <1427A993-02B5-4444-9FD5-0E62A32D2AF4@forgerock.com> <b5645470-67db-c18d-28b8-2cf4df06a03d@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SI5NVpaBK6f91YPJe1plwr_bIuc>
Subject: Re: [OAUTH-WG] DPoP: Threat Model

>> (https://beefproject.com) rather than exfiltrating tokens/proofs.
> As a side note: BeEF is not really XSS but requires a full browser compromise.
> 

No, it’s not. The hook for BeEF is a single JS file, containing a wide variety of attack payloads that can be launched from the command and control center. You can combine BeEF with Metasploit to leverage an XSS to exploit browser vulnerabilities and break out.

FYI, the attack where the attacker proxies calls through the user's browser is known as Session Riding.

Just keep in mind that once an attacker has an XSS foothold, it is extremely hard to prevent abuse. The only barrier that cannot be broken (in a secure browser) is the Same Origin Policy. Keeping tokens and metadata in a separate environment (e.g., iframe, worker, …) is effective at keeping them out of reach. However, once the app "extracts" data from such a context, the same problem arises. By rewriting JS functions, the attacker can extract tokens from deep within an SDK, as I discuss here: https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html

Kind regards

Philippe
> Thanks for the feedback!
> 
> -Daniel
> 
> 
> 
>> You can protect against exfiltration attacks by e.g. token binding the DPoP proofs and/or access token, or storing the access token in a HttpOnly cookie (gasp!). You can protect against exfiltrating post-dated DPoP proofs by storing the private key in a separate origin loaded in an iframe that you use postMessage to ask for proof tokens so the attacker is not in control of those claims. Nothing really protects against an attacker proxying requests through your browser, so this is purely post-compromise recovery rather than an actual defence against XSS.
>> 
>> — Neil
>> 
>>> On 4 May 2020, at 18:24, Daniel Fett <fett@danielfett.de> wrote:
>>> 
>>> Hi all,
>>> 
>>> as mentioned in the WG interim meeting, there are several ideas floating around of what DPoP actually does.
>>> 
>>> In an attempt to clarify this, if have unfolded the use cases that I see and written them down in the form of attacks that DPoP defends against: 
>>> https://danielfett.github.io/notes/oauth/DPoP%20Attacker%20Model.html
>>> Can you come up with other attacks? Are the attacks shown relevant?
>>> 
>>> Cheers,
>>> Daniel
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 