IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

David Recordon <recordond@gmail.com> Mon, 22 August 2011 01:09 UTC

Return-Path: <recordond@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C27FD21F86B1 for <oauth@ietfa.amsl.com>; Sun, 21 Aug 2011 18:09:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-6LWDt5NfAu for <oauth@ietfa.amsl.com>; Sun, 21 Aug 2011 18:09:40 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 845C521F86AC for <oauth@ietf.org>; Sun, 21 Aug 2011 18:09:33 -0700 (PDT)
Received: by vws12 with SMTP id 12so4624401vws.31 for <oauth@ietf.org>; Sun, 21 Aug 2011 18:10:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=5d7au0f0M0xN1yDqsN4jl/J0EN1dWp6eDDZt40MijNs=; b=mavV7sJcj61wIufzvoKPhiUBuTB+L5U3Ess9ysNAXiNKD4dJY3zORRs0M9G6C8RHr+ vvMrYiTZTUI0GK7Rt/D6h8Z+j+v27FNYjqoUFbUc3lIqRaaNxefQj8MnaqeRuqUftzFm HYBYF3LpOpsdgDYAbM0DEib993GtP3IjbstP0=
MIME-Version: 1.0
Received: by 10.52.65.168 with SMTP id y8mr1553583vds.16.1313975435235; Sun, 21 Aug 2011 18:10:35 -0700 (PDT)
Received: by 10.52.164.170 with HTTP; Sun, 21 Aug 2011 18:10:35 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234518A292F49@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <B26C1EF377CB694EAB6BDDC8E624B6E723BA5043@SN2PRD0302MB137.namprd03.prod.outlook.com> <CA6AE9D9.17DE9%eran@hueniverse.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CE8D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72345029DFA961@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E5148A8.8070903@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234518A292F49@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Sun, 21 Aug 2011 18:10:35 -0700
Message-ID: <CAB_mRgOWL17a_JJ7hZ1xJv5032scJ7fGE=42S=gjeaf_FNds_w@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2011 01:09:49 -0000

So far Facebook has used `state` in examples within our documentation
and strongly recommend it but have not gone so far as to mandate it.

Quoting https://developers.facebook.com/docs/authentication/:
> Cross site request forgery is an attack in which an trusted (authenticated
> and authorized) user unknowingly performs an action on website. To prevent
> this attack, you should pass an identifier in the state parameter, and then
> validate the state parameter matches on the response. We strongly recommend
> that any app implementing Facebook user login implement CSRF protection using
> this mechanism.

I'd rather clearly document this in the spec, strongly recommend a
solution but not mandate this specific parameter.

--David


On Sun, Aug 21, 2011 at 12:02 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> I light to the recent discussion, do you still feel that changing ‘state’
> from optional to required is the best approach?
>
>
>
> EHL
>
>
>
> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> Sent: Sunday, August 21, 2011 11:04 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG (oauth@ietf.org)
>
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
>
>
> My intention is to require clients to implement CSRF prevention. I thought
> making the state parameter mandatory would be the straightforward way.
>
> regards,
> Torsten.
>
> Am 18.08.2011 08:04, schrieb Eran Hammer-Lahav:
>
> I would like to hear from the other 3 authors of the proposed change about
> their reasons for changing the use of ‘state’ from recommended to required
> for CSRF prevention. It would also help moving this issue forward if the 4
> authors can provide answers or clarifications on the issues raised below.
>
>
>
> Assuming we can count all 4 authors are in favor of making the change, I
> believe we have a tie (4:4) and therefore no consensus for making it (as of
> this point). However, we did identify issues with the section’s language and
> clarity which we should address either way.
>
>
>
> To clarify – I am not proposing we close this issue just yet.
>
>
>
> EHL
>
>
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Eran Hammer-Lahav
> Sent: Monday, August 15, 2011 9:35 AM
> To: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
>
>
> To demonstrate why making state required as proposed isn’t very helpful,
> here is an incomplete list of other requirements needed to make an effective
> CSRF:
>
>
>
> * State value must not be empty (a common bug in many implementations using
> simple value comparison).
>
>
>
> * ‘Non-guessable’ isn’t sufficient as most developers will simply use a hash
> of the session cookie, with or without salt which isn’t sufficient. We use
> “cannot be generated, modified, or guessed to produce valid values”
> elsewhere in the document, but this is much easier to get right for access
> tokens and refresh tokens than CSRF tokens which are often just some
> algorithm on top of the session cookie.
>
>
>
> * State CSRF value should be short-lived or based on a short-lived session
> cookie to prevent the use of a leaked state value in multiple attacks on the
> same user session once the leak is no longer viable.
>
>
>
> In addition, this is not what “state” was originally intended for. If the
> working group decides to mandate a CSRF parameter, it should probably be a
> new parameter with a more appropriate name (e.g. ‘csrf’). By forcing clients
> to use “state” for this purpose, developers will need to use dynamic queries
> for other state information which further reduces the security of the
> protocol (as the draft recommends not using dynamic callback query
> components). Encoding both CSRF tokens and other state information can be
> non-intuitive or complicated for some developers/platforms.
>
>
>
> EHL
>
>
>
>
>
>
>
>
>
> From: Eran Hammer-Lahav
> Sent: Friday, August 12, 2011 2:53 PM
> To: Anthony Nadalin; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
>
>
> This is really just a flavor of CSRF attacks. I have no objections to better
> documenting it (though I feel the current text is already sufficient), but
> we can't realistically expect to identify and close every possible
> browser-based attack. A new one is invented every other week.
>
>
>
> The problem with this text is that developers who do no understand CSRF
> attacks are not likely to implement it correctly with this information.
> Those who understand it do not need the extra verbiage which is more
> confusing than helpful.
>
>
>
> As for the new requirements, they are insufficient to actually accomplish
> what the authors propose without additional requirements on state local
> storage and verification to complete the flow. Also, the proposed text needs
> clarifications as noted below.
>
>
>
>
>
> From: Anthony Nadalin <tonynad@microsoft.com>
> Date: Fri, 12 Aug 2011 12:06:36 -0700
> To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
> Subject: [OAUTH-WG] Auth Code Swap Attack
>
>
>
>
>
>
>
> Recommended Changes to draft-ietf-oauth-v2
>
>
>
> In section 4, request options (e.g. 4.1.1) featuring "state" should change
> from:
>
>
>
> state
>
> OPTIONAL. An opaque value used by the client to maintain state between the
> request and callback. The authorization server includes this value when
> redirecting the user-agent back to the client.
>
>
>
> to:
>
>
>
> state
>
> REQUIRED. An opaque value used by the client to maintain state between the
> request and callback. The authorization server includes this value when
> redirecting the user-agent back to the client. The encoded value SHOULD
> enable the client application to determine the user-context that was active
> at the time of the  request (see section 10.12). The value MUST NOT be
> guessable or predictable, and MUST be kept confidential.
>
>
>
>
>
> Making the parameter required without making its usage required (I.e. "value
> SHOULD enable") accomplishes nothing. Also, what does "MUST be kept
> confidential" mean? Confidential from what? Why specify an "encoded value"?
>
>
>
>
>
> Section 10.12 Cross-Site Request Forgery
>
>
>
> Change to:
>
>
>
> Cross-site request forgery (CSRF) is a web-based attack whereby HTTP
> requests are transmitted from the user-agent of an end-user the server
> trusts or has authenticated. CSRF attacks enable the attacker to intermix
> the attacker's security context with that of the resource owner resulting in
> a compromise of either the resource server or of the client application
> itself. In the OAuth context, such attacks allow an attacker to inject their
> own authorization code or access token into a client, which can result in
> the client using an access token associated with the attacker's account
> rather than the victim's. Depending on the nature of the client and the
> protected resources, this can have undesirable and damaging effects.
>
> In order to prevent such attacks, the client application MUST encode a
> non-guessable, confidential end-user artifact and submit as the "state"
> parameter to authorization and access token requests to the authorization
> server. The client MUST keep the state value in a location accessible only
> by the client or the user-agent (i.e., protected by same-origin policy), for
> example, using a DOM variable, HTTP cookie, or HTML5 client-side storage.
>
> The authorization server includes the value of the "state" parameter when
> redirecting the user-agent back to the client. Upon receiving a redirect,
> the client application MUST confirm that returned value of "state"
> corresponds to the state value of the user-agent's user session. If the
> end-user session represents an authenticated user-identity, the client MUST
> ensure that the user-identity has NOT changed.
>
>
>
>
>
> The above text uses 'user-context' and this 'user-identity'. Neither term is
> defined.
>
>
>
> EHL
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email