IETF Logo Mail Archive

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

Niv Steingarten <nivstein@gmail.com> Fri, 19 August 2011 01:06 UTC

Return-Path: <nivstein@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29F0B21F84F2 for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 18:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.582
X-Spam-Level:
X-Spam-Status: No, score=-3.582 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LT5-gINl6CJp for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 18:06:03 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 01B3921F8586 for <oauth@ietf.org>; Thu, 18 Aug 2011 18:06:02 -0700 (PDT)
Received: by vxi29 with SMTP id 29so2710425vxi.31 for <oauth@ietf.org>; Thu, 18 Aug 2011 18:06:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=XtL5CTra7fsQpQnJu2B0Y7buEHnqaoSqapqk3l/UTJA=; b=jrv1vWlD+7rGObYfNx/BlIQdcuOBYgUluxt1VFd5JUGHBnscUtO8XuSxrU+TdySbqG sHv+N1Q/YJpQz2Xo3u3jGJGFAfXyRTILb+lRwOml5mF42psg5KYArejgGzxxU5w5bWAM 6eF1z19c0LP3yHYZkxrE/BncrGcAFw4wdIoCM=
Received: by 10.52.26.97 with SMTP id k1mr1569327vdg.523.1313716018074; Thu, 18 Aug 2011 18:06:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.107.170 with HTTP; Thu, 18 Aug 2011 18:06:38 -0700 (PDT)
In-Reply-To: <1313711215.67102.YahooMailNeo@web31808.mail.mud.yahoo.com>
References: <b7df18688b7612cb85418ed587b80044@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoYO5NJrGNAHJsHennt_si+DTdA0QuLps8UBvMb=aLVoA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA22@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoJR2yFBBzjqT4nbGt28PDu4yFEYTnV9c893FAAuqvT+g@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA5B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuqCx2Nv_OEAx30HZEqbx58zxhWweOMctaxp2E3S3rDWig@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA81@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoQuQGemjv0r2PzDBSD1D9XJjQo9cjZCs5-jxFbNc4JNA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAAD7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuo7yxuBKb4xU=cW3ESGvQ=PKpjSa2T9+=fUx-n5KYTLrQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAB5B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuq57WMStne1pH-7akD9Jh8=wyj-WZ2U70jd=ej3TYvnkw@mail.gmail.com> <1313711215.67102.YahooMailNeo@web31808.mail.mud.yahoo.com>
From: Niv Steingarten <nivstein@gmail.com>
Date: Fri, 19 Aug 2011 04:06:38 +0300
Message-ID: <CACEVmuodMBVPKjZ4JmF7bUsaZjmbY1rzSd+gYt+Hktv2BwTP-g@mail.gmail.com>
To: "William J. Mills" <wmills@yahoo-inc.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2011 01:06:04 -0000

I suppose you're talking about this:
http://www.ietf.org/mail-archive/web/oauth/current/msg07275.html

It is indeed more complete w.r.t. CSRF attacks on the client's
redirection URI, but it does not address CSRF attacks on the
authorization server.

I believe something along the lines of the text I proposed could be
combined in whichever text is eventually decided upon.

-- Niv


On Fri, Aug 19, 2011 at 02:46, William J. Mills <wmills@yahoo-inc.com> wrote:
> I proposed text that I think is more complete in a previous message...
> ________________________________
> From: Niv Steingarten <nivstein@gmail.com>
> To: Eran Hammer-Lahav <eran@hueniverse.com>
> Cc: "oauth@ietf.org" <oauth@ietf.org>
> Sent: Thursday, August 18, 2011 4:33 PM
> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
> Impersonation)
>
> How about add something like this as the second paragraph in 10.12:
>
>   The authorization server SHOULD employ measures to prevent CSRF
>   attacks on the authorization endpoint. A non-guessable token SHOULD
>   be included in requests and form submissions within the authorization
>   server's internal authorization flow. This token MUST NOT be
>   accessible by the client. In addition, the authorization server may
>   make use of HTTP referrer headers in order to verify the origin of
>   requests made during the authorization flow.
>
> In addition, I think that:
>
>   The "state" request parameter SHOULD be used to mitigate against CSRF
>   attacks, ...
>
> should be changed to:
>
>   The "state" request parameter SHOULD be used to mitigate against CSRF
>   attacks against the client's redirection URI, ...
>
> so that the fact that the 'state' parameter protects against CSRF
> attacks on the *client*, as opposed to CSRF on the *authorization
> server*, is made explicit.
>
> -- Niv
>
>
> On Fri, Aug 19, 2011 at 00:13, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>>
>>
>>> -----Original Message-----
>>> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> Sent: Thursday, August 18, 2011 1:04 PM
>>> To: Eran Hammer-Lahav
>>> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
>>> Impersonation)
>>>
>>> On Thu, Aug 18, 2011 at 22:19, Eran Hammer-Lahav <eran@hueniverse.com>
>>> wrote:
>>> >
>>> >
>>> >> -----Original Message-----
>>> >> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> >> Sent: Thursday, August 18, 2011 12:12 PM
>>> >> To: Eran Hammer-Lahav
>>> >> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
>>> >> Impersonation)
>>> >>
>>> >> On Thu, Aug 18, 2011 at 21:17, Eran Hammer-Lahav
>>> >> <eran@hueniverse.com>
>>> >> wrote:
>>> >> >
>>> >> >
>>> >> >> -----Original Message-----
>>> >> >> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> >> >> Sent: Thursday, August 18, 2011 11:08 AM
>>> >> >> To: Eran Hammer-Lahav
>>> >> >> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> >> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
>>> >> >> Impersonation)
>>> >> >>
>>> >> >> On Thu, Aug 18, 2011 at 20:31, Eran Hammer-Lahav
>>> >> >> <eran@hueniverse.com>
>>> >> >> wrote:
>>> >> >> >
>>> >> >> >
>>> >> >> >> -----Original Message-----
>>> >> >> >> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> >> >> >> Sent: Thursday, August 18, 2011 10:16 AM
>>> >> >> >> To: Eran Hammer-Lahav
>>> >> >> >> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> >> >> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource
>>> >> >> >> Owner
>>> >> >> >> Impersonation)
>>> >> >> >>
>>> >> >> > Can you provide another example with the same level of detail as
>>> >> >> > you
>>> >> >> provided below?
>>> >> >>
>>> >> >> The malicious client sends a request to the authorization endpoint
>>> >> >> with the appropriate parameters, and in return receives the markup
>>> >> >> of the web-page which should be displayed to the user in order to
>>> >> >> get consent. In addition, since the request is launched not via a
>>> >> >> sandboxed user-agent, the client also has access to any
>>> >> >> 'Set-Cookie'
>>> >> >> HTTP headers.
>>> >> >>
>>> >> >> Instead of displaying the page to the user, the client extracts
>>> >> >> the web-form data (including the hidden nonce/token) which would
>>> >> >> be submitted when 'Allow' is clicked. It then forges the
>>> >> >> appropriate POST request with the cookies, form data and referrer,
>>> >> >> and dispatches it,
>>> >> >
>>> >> > SCENE MISSING [1]
>>> >> >
>>> >> >> to finally receive an access token/authorization code in the
>>> >> >> redirection.
>>> >> >
>>> >> > You skipped the best part!
>>> >> >
>>> >> > What do you mean by "dispatches it"? How is the resource owner
>>> >> > tricked
>>> >> or abused to grant authorization unknowingly? I understand how your
>>> >> proposal "fixes" the first half, but not what kind of attack is
>>> >> happening in the second half.
>>> >> >
>>> >>
>>> >> I might have accidentally skipped the part where the user is already
>>> >> logged in at the authorization endpoint, so no log-in is required but
>>> >> rather just allowing/denying access (correction: the first request is
>>> >> sent using an HTTP framework/WebKit, so no access to cookies). Once
>>> >> it extracts the data from the web-form, the client has all the
>>> >> information it needs in order to create an HTTP request
>>> >
>>> > No - the attacker does not have access to the session cookie. It still
>>> > needs
>>> to find a way to make a CSS call.
>>> >
>>>
>>> That's what I said -- "no access to cookies".
>>
>> You only said that about the first request.
>>
>>> But since both requests (the one
>>> requesting the auth endpoint and the one simulating the
>>> "allow") are sent from the same user-agent, the cookies are handled by
>>> the
>>> user-agent itself. The client just POSTs the request with the appropriate
>>> parameters to the action endpoint of the form.
>>
>> That's not exactly right.
>>
>> This entire attack is based on:
>>
>> 1. The presence of some session cookie or other user-agent state to bypass
>> active authentication, and
>> 2. The ability of the malicious client to make CSS calls using #1.
>>
>> Everything else is a red herring because the ability to automate this
>> attack and make it more powerful is completely beside the point. If you
>> deploy an effective CSRF protection, everything else is a non-issue.
>>
>> This is why the client type does not matter when it comes to not using
>> CORS. The authorization server MUST NOT allow CSS calls on the authorization
>> endpoint because that's the actual attack you described - using local state
>> (session cookie) to make a CSS call. If the client makes direct calls to the
>> authorization endpoint, it cannot impersonate the resource owner.
>>
>>> >> and launch it using the same HTTP framework/WebKit, simulating the
>>> >> "Allow" button.
>>> >
>>> > This is still just a CSRF attack.
>>> >
>>>
>>> I think you may be right. I still believe this particular style of attack
>>> on the
>>> authorization server is worth mentioning, be it in its own separate
>>> section or
>>> under the existing CSRF section (as you suggested).
>>
>> This is not a style of attack but techniques to enhance other exploits, in
>> this case, CSRF. If you lack CSRF protection, then yes, lack of resource
>> owner forced interaction will make it easier to execute. But that's just a
>> tiny speed bump considering the actual exploit.
>>
>> I don't see any reason to include this new text based on this threat
>> analysis.
>>
>> However, this doesn't mean this discussion wasn't useful. We did identify
>> the need to explicitly discuss CSRF attacks on the authorization endpoint.
>> We need to explicitly separate the two target of CSRF attacks (client,
>> server) because while the solution is the same, the implementation is very
>> different (due to the use of redirections in one).
>>
>> EHL
>>
>>
>>
>>
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.14.0 | Report a Bug | By Email