Re: [OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
John Bradley <ve7jtb@ve7jtb.com> Fri, 10 April 2015 23:08 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 710471B2E35 for <oauth@ietfa.amsl.com>; Fri, 10 Apr 2015 16:08:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oJcJGPrdXrgF for <oauth@ietfa.amsl.com>; Fri, 10 Apr 2015 16:08:26 -0700 (PDT)
Received: from mail-pa0-f45.google.com (mail-pa0-f45.google.com [209.85.220.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A32961A906B for <oauth@ietf.org>; Fri, 10 Apr 2015 16:08:26 -0700 (PDT)
Received: by paboj16 with SMTP id oj16so35335173pab.0 for <oauth@ietf.org>; Fri, 10 Apr 2015 16:08:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=lpb7PdH0xwWOKdvk645Qeay7QLBQkIog849ha8DJ6oY=; b=mdOyuA8yeeXxJd0T5MW4e+ObK/7N8oTW1ry1uXBvgyxIrj8BFsIJ3T9rGh9NzeV2CF NUsk/dXmXfGyt6iQOIq75fM8tMuXMUp/m18eoEqo9rKWavcS4sX06rrBohNCaSZaRchj aVpVdAScAh0MWh//uqulNSGDIpisYVAtO19VadHldZsZubkThFrkmsHTyJxqWIHjOyB3 wzJSM/0B17+jyJpN+2vZNpv5AHa+LalOEX0+WahnE/bEBz7tNxk42bGzrS6AjZCCn7vC F50W9KTqReRdU+UA2Val3rrtmpTM9AoPnzSWtg8rE/sRZRelPBFz/yoqn1qD63Q25f1K f/1g==
X-Gm-Message-State: ALoCoQnYhZz97uRkkxSgV/H0T/yUfMfYwNGV8kd1KWAq6If+oiT1066/i/KYktT+muFgBZ1QW2vM
X-Received: by 10.68.65.75 with SMTP id v11mr1403596pbs.91.1428707306078; Fri, 10 Apr 2015 16:08:26 -0700 (PDT)
Received: from [192.168.5.97] ([12.207.17.3]) by mx.google.com with ESMTPSA id ic7sm101141pbc.70.2015.04.10.16.08.24 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 10 Apr 2015 16:08:24 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_0F615331-92BC-463E-A774-5D341C7656B1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAAJG_r9yM0okfWyVm0vMSXrrPJigmGWDoF3VeW8X1f=4Xso_Fg@mail.gmail.com>
Date: Fri, 10 Apr 2015 16:08:21 -0700
Message-Id: <A50AE169-85A3-46DE-AA24-8810B36970EA@ve7jtb.com>
References: <CAAJG_r9yM0okfWyVm0vMSXrrPJigmGWDoF3VeW8X1f=4Xso_Fg@mail.gmail.com>
To: isciurus <isciurus@gmail.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/_GnOZtVkLHkD8OQI2lqCTl5ccEM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 23:08:29 -0000
Thanks, I have tried to document the response headers that can help stop leaking referrer. Being able to do the same thing to stop fragment leaking would be a good thing. If the W3C adds that then I would add it to our recommendations. In the Interim without browser support we may need to look at other methods to pass tokens to clients in the browser. I am certainly interested in tracking your proposal. John B. > On Apr 10, 2015, at 4:00 PM, isciurus <isciurus@gmail.com> wrote: > > Hi, > > One of the recent drafts https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.html <https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.html> was brought to my attention. Regarding the part "2.2. Security Compromise: The Authorization Server As Open Redirector": > > The legitimate OAuth Authorization response will include an access token in the URI fragment. > Most web browsers will append the fragment to the URI sent in the location header of a 302 response if no fragment is included in the location URI. > > This browser behaviour with a url fragment reattaching is indeed used widely in attacks on OAuth (for example, one of the recent on the bitcoin exchange http://sakurity.com/blog/2015/01/10/hacking-bitcoin-exchanger.html <http://sakurity.com/blog/2015/01/10/hacking-bitcoin-exchanger.html>) and I am also aware of one attack on OpenID 2 implementation leaking a valid signature using the same technique. > We are trying to propose a browser-level protection from sensitive url fragment data reattach on cross-domain redirects: http://lists.w3.org/Archives/Public/ietf-http-wg/2015JanMar/0066.html <http://lists.w3.org/Archives/Public/ietf-http-wg/2015JanMar/0066.html> > A new header in the AS response would also block fragment reattach in the following scenario: > > https://AUTHORIZATION_SERVER/authorize?response_type=token <https://authorization_server/authorize?response_type=token> > &client_id=good-client&scope=VALID_SCOPE > &redirect_uri=https%3A%2F%2AUTHORIZATION_SERVER%Fauthorize > %3Fresponse_type%3Dcode > %26client_id%3Dattacker-client-id > %26scope%3DINVALID_SCOPE > %26redirect_uri%3Dhttps%253A%252F%252Fattacker.com > > But it would additionally block exploitation of vulnerable clients which have open redirects on their domains and don't whitelist their redirect_uri: > > https://AUTHORIZATION_SERVER/authorize?response_type=token <https://authorization_server/authorize?response_type=token> > &client_id=good-client&scope=VALID_SCOPE > &redirect_uri=https%3A%2F%2good-client.com <http://2good-client.com/>%Fopen_redirect > %3Furl%3Dhttps%253A%252F%252Fattacker.com > > This can improve the situation with already deployed clients in large scale. Let me know if this proposal is interesting to the OAuth WG. > > Thanks, > Andrey > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth