IETF Logo Mail Archive

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

"William J. Mills" <wmills@yahoo-inc.com> Fri, 19 August 2011 04:20 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A70221F86EC for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 21:20:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.249
X-Spam-Level:
X-Spam-Status: No, score=-17.249 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Q0iG7kC+cFw for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 21:20:30 -0700 (PDT)
Received: from nm12.bullet.mail.ac4.yahoo.com (nm12.bullet.mail.ac4.yahoo.com [98.139.52.209]) by ietfa.amsl.com (Postfix) with SMTP id B292521F86DD for <oauth@ietf.org>; Thu, 18 Aug 2011 21:20:28 -0700 (PDT)
Received: from [98.139.52.195] by nm12.bullet.mail.ac4.yahoo.com with NNFMP; 19 Aug 2011 04:21:20 -0000
Received: from [98.139.52.167] by tm8.bullet.mail.ac4.yahoo.com with NNFMP; 19 Aug 2011 04:21:20 -0000
Received: from [127.0.0.1] by omp1050.mail.ac4.yahoo.com with NNFMP; 19 Aug 2011 04:21:20 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 563529.83434.bm@omp1050.mail.ac4.yahoo.com
Received: (qmail 4699 invoked by uid 60001); 19 Aug 2011 04:21:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1313727679; bh=/ZmwV6ywDK0mM+sCn76UijHcRWHoDUJLAwx5kULrznM=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=U5aUiorHz9pA+visS7OnamHS5tay3hGZvB0bv34pWiljVdpJgBe4jjtGnJBVQNPU5V9oGLmaosdTsc1jbn1gLkFCxwWez2dKhaHsQfspGlxU7HJB0j7Zg4ZqhqAnCyDjvk/RU+7ZsM9vwbO+ENG2Y4A/9WJWPGp3lY35npKNl94=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=XFa/Ljjf1Guz8Gb6GWNvQbXju2i9Mwqp/DKU0AvrF9hSW2s+KeeteSQ+yEpYiXVCw07Ta4rSoBF74YbmKx083M8lNCIziVXylUrlbWIkRk+BbLunyAQf8Ua2ulSdF+t4k0XZwD46RJTkZ7lnkAOq6XdVJ9wJ06LnNCE/SoJOFMg=;
X-YMail-OSG: rheT.jMVM1mEpbs1GUGAHRkkQFeo6NZyrnldYQfcqm42.Xr CwztZU6FAvkcwlATtWjjJi3yrLjptrR.6ST63Axab9VwH8mDOx7GG8c107MH RjUh_2r3Uq1S0qitb4uTPPu.0BVkZ3Ok5odqfZa5pUYqWcsy1_3VuNGQneNN ccLFIKDsjbSeQztQ84v0W_U4OEwFhcL_d68Qf5TO1ctQToRNHpJd_687XB7v S.xsJV8E7F5HCkUupt8SlPT7xoX1zrrFi2NXCG.rizpVSMU6npP4QmsEMmXs z9K9rPwfPCda2cBhmMsJDmV0zwFZaey8Mjyij7cCem6iaqKlt1aEQLT3eVZp w7DF71W_ku6yYTQIbSvZqDd_v67upnw.AmvheNzHeOBCvBKXtwtOTeZhVu.y fKsl0xmIN77LOVdi.9erK
Received: from [99.31.212.42] by web31802.mail.mud.yahoo.com via HTTP; Thu, 18 Aug 2011 21:21:19 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.114.317681
References: <b7df18688b7612cb85418ed587b80044@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoYO5NJrGNAHJsHennt_si+DTdA0QuLps8UBvMb=aLVoA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA22@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoJR2yFBBzjqT4nbGt28PDu4yFEYTnV9c893FAAuqvT+g@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA5B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuqCx2Nv_OEAx30HZEqbx58zxhWweOMctaxp2E3S3rDWig@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA81@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoQuQGemjv0r2PzDBSD1D9XJjQo9cjZCs5-jxFbNc4JNA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAAD7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuo7yxuBKb4xU=cW3ESGvQ=PKpjSa2T9+=fUx-n5KYTLrQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAB5B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuq57WMStne1pH-7akD9Jh8=wyj-WZ2U70jd=ej3TYvnkw@mail.gmail.com> <1313711215.67102.YahooMailNeo@we b31808.mail.mud.yahoo.com> <CACEVmuodMBVPKjZ4JmF7bUsaZjmbY1rzSd+gYt+Hktv2BwTP-g@mail.gmail.com>
Message-ID: <1313727679.93999.YahooMailNeo@web31802.mail.mud.yahoo.com>
Date: Thu, 18 Aug 2011 21:21:19 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Niv Steingarten <nivstein@gmail.com>
In-Reply-To: <CACEVmuodMBVPKjZ4JmF7bUsaZjmbY1rzSd+gYt+Hktv2BwTP-g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-415210984-1313727679=:93999"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: "William J. Mills" <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2011 04:20:32 -0000

While I agree in principal, I think there are real world use cases that make this more complicated.  If, for example, a user has previously approved access to a particular endpoint then we might be willing to re-issue credentials without user interaction.  I don't know how we capture this in the right way in the spec.



________________________________
From: Niv Steingarten <nivstein@gmail.com>
To: William J. Mills <wmills@yahoo-inc.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Thursday, August 18, 2011 6:06 PM
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

I suppose you're talking about this:
http://www.ietf.org/mail-archive/web/oauth/current/msg07275.html

It is indeed more complete w.r.t. CSRF attacks on the client's
redirection URI, but it does not address CSRF attacks on the
authorization server.

I believe something along the lines of the text I proposed could be
combined in whichever text is eventually decided upon.

-- Niv


On Fri, Aug 19, 2011 at 02:46, William J. Mills <wmills@yahoo-inc.com> wrote:
> I proposed text that I think is more complete in a previous message...
> ________________________________
> From: Niv Steingarten <nivstein@gmail.com>
> To: Eran Hammer-Lahav <eran@hueniverse.com>
> Cc: "oauth@ietf.org" <oauth@ietf.org>
> Sent: Thursday, August 18, 2011 4:33 PM
> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
> Impersonation)
>
> How about add something like this as the second paragraph in 10.12:
>
>   The authorization server SHOULD employ measures to prevent CSRF
>   attacks on the authorization endpoint. A non-guessable token SHOULD
>   be included in requests and form submissions within the authorization
>   server's internal authorization flow. This token MUST NOT be
>   accessible by the client. In addition, the authorization server may
>   make use of HTTP referrer headers in order to verify the origin of
>   requests made during the authorization flow.
>
> In addition, I think that:
>
>   The "state" request parameter SHOULD be used to mitigate against CSRF
>   attacks, ...
>
> should be changed to:
>
>   The "state" request parameter SHOULD be used to mitigate against CSRF
>   attacks against the client's redirection URI, ...
>
> so that the fact that the 'state' parameter protects against CSRF
> attacks on the *client*, as opposed to CSRF on the *authorization
> server*, is made explicit.
>
> -- Niv
>
>
> On Fri, Aug 19, 2011 at 00:13, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>>
>>
>>> -----Original Message-----
>>> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> Sent: Thursday, August 18, 2011 1:04 PM
>>> To: Eran Hammer-Lahav
>>> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
>>> Impersonation)
>>>
>>> On Thu, Aug 18, 2011 at 22:19, Eran Hammer-Lahav <eran@hueniverse.com>
>>> wrote:
>>> >
>>> >
>>> >> -----Original Message-----
>>> >> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> >> Sent: Thursday, August 18, 2011 12:12 PM
>>> >> To: Eran Hammer-Lahav
>>> >> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
>>> >> Impersonation)
>>> >>
>>> >> On Thu, Aug 18, 2011 at 21:17, Eran Hammer-Lahav
>>> >> <eran@hueniverse.com>
>>> >> wrote:
>>> >> >
>>> >> >
>>> >> >> -----Original Message-----
>>> >> >> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> >> >> Sent: Thursday, August 18, 2011 11:08 AM
>>> >> >> To: Eran Hammer-Lahav
>>> >> >> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> >> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
>>> >> >> Impersonation)
>>> >> >>
>>> >> >> On Thu, Aug 18, 2011 at 20:31, Eran Hammer-Lahav
>>> >> >> <eran@hueniverse.com>
>>> >> >> wrote:
>>> >> >> >
>>> >> >> >
>>> >> >> >> -----Original Message-----
>>> >> >> >> From: Niv Steingarten [mailto:nivstein@gmail.com]
>>> >> >> >> Sent: Thursday, August 18, 2011 10:16 AM
>>> >> >> >> To: Eran Hammer-Lahav
>>> >> >> >> Cc: Torsten Lodderstedt; oauth@ietf.org
>>> >> >> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource
>>> >> >> >> Owner
>>> >> >> >> Impersonation)
>>> >> >> >>
>>> >> >> > Can you provide another example with the same level of detail as
>>> >> >> > you
>>> >> >> provided below?
>>> >> >>
>>> >> >> The malicious client sends a request to the authorization endpoint
>>> >> >> with the appropriate parameters, and in return receives the markup
>>> >> >> of the web-page which should be displayed to the user in order to
>>> >> >> get consent. In addition, since the request is launched not via a
>>> >> >> sandboxed user-agent, the client also has access to any
>>> >> >> 'Set-Cookie'
>>> >> >> HTTP headers.
>>> >> >>
>>> >> >> Instead of displaying the page to the user, the client extracts
>>> >> >> the web-form data (including the hidden nonce/token) which would
>>> >> >> be submitted when 'Allow' is clicked. It then forges the
>>> >> >> appropriate POST request with the cookies, form data and referrer,
>>> >> >> and dispatches it,
>>> >> >
>>> >> > SCENE MISSING [1]
>>> >> >
>>> >> >> to finally receive an access token/authorization code in the
>>> >> >> redirection.
>>> >> >
>>> >> > You skipped the best part!
>>> >> >
>>> >> > What do you mean by "dispatches it"? How is the resource owner
>>> >> > tricked
>>> >> or abused to grant authorization unknowingly? I understand how your
>>> >> proposal "fixes" the first half, but not what kind of attack is
>>> >> happening in the second half.
>>> >> >
>>> >>
>>> >> I might have accidentally skipped the part where the user is already
>>> >> logged in at the authorization endpoint, so no log-in is required but
>>> >> rather just allowing/denying access (correction: the first request is
>>> >> sent using an HTTP framework/WebKit, so no access to cookies). Once
>>> >> it extracts the data from the web-form, the client has all the
>>> >> information it needs in order to create an HTTP request
>>> >
>>> > No - the attacker does not have access to the session cookie. It still
>>> > needs
>>> to find a way to make a CSS call.
>>> >
>>>
>>> That's what I said -- "no access to cookies".
>>
>> You only said that about the first request.
>>
>>> But since both requests (the one
>>> requesting the auth endpoint and the one simulating the
>>> "allow") are sent from the same user-agent, the cookies are handled by
>>> the
>>> user-agent itself. The client just POSTs the request with the appropriate
>>> parameters to the action endpoint of the form.
>>
>> That's not exactly right.
>>
>> This entire attack is based on:
>>
>> 1. The presence of some session cookie or other user-agent state to bypass
>> active authentication, and
>> 2. The ability of the malicious client to make CSS calls using #1.
>>
>> Everything else is a red herring because the ability to automate this
>> attack and make it more powerful is completely beside the point. If you
>> deploy an effective CSRF protection, everything else is a non-issue.
>>
>> This is why the client type does not matter when it comes to not using
>> CORS. The authorization server MUST NOT allow CSS calls on the authorization
>> endpoint because that's the actual attack you described - using local state
>> (session cookie) to make a CSS call. If the client makes direct calls to the
>> authorization endpoint, it cannot impersonate the resource owner.
>>
>>> >> and launch it using the same HTTP framework/WebKit, simulating the
>>> >> "Allow" button.
>>> >
>>> > This is still just a CSRF attack.
>>> >
>>>
>>> I think you may be right. I still believe this particular style of attack
>>> on the
>>> authorization server is worth mentioning, be it in its own separate
>>> section or
>>> under the existing CSRF section (as you suggested).
>>
>> This is not a style of attack but techniques to enhance other exploits, in
>> this case, CSRF. If you lack CSRF protection, then yes, lack of resource
>> owner forced interaction will make it easier to execute. But that's just a
>> tiny speed bump considering the actual exploit.
>>
>> I don't see any reason to include this new text based on this threat
>> analysis.
>>
>> However, this doesn't mean this discussion wasn't useful. We did identify
>> the need to explicitly discuss CSRF attacks on the authorization endpoint.
>> We need to explicitly separate the two target of CSRF attacks (client,
>> server) because while the solution is the same, the implementation is very
>> different (due to the use of redirections in one).
>>
>> EHL
>>
>>
>>
>>
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email