IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

"William J. Mills" <wmills@yahoo-inc.com> Sat, 13 August 2011 16:21 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 700F621F876A for <oauth@ietfa.amsl.com>; Sat, 13 Aug 2011 09:21:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.211
X-Spam-Level:
X-Spam-Status: No, score=-17.211 tagged_above=-999 required=5 tests=[AWL=0.387, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9chVngnDRfU5 for <oauth@ietfa.amsl.com>; Sat, 13 Aug 2011 09:21:32 -0700 (PDT)
Received: from nm33-vm6.bullet.mail.bf1.yahoo.com (nm33-vm6.bullet.mail.bf1.yahoo.com [72.30.239.206]) by ietfa.amsl.com (Postfix) with SMTP id D4E1B21F8752 for <oauth@ietf.org>; Sat, 13 Aug 2011 09:21:31 -0700 (PDT)
Received: from [98.139.212.147] by nm33.bullet.mail.bf1.yahoo.com with NNFMP; 13 Aug 2011 16:22:08 -0000
Received: from [98.139.212.219] by tm4.bullet.mail.bf1.yahoo.com with NNFMP; 13 Aug 2011 16:22:08 -0000
Received: from [127.0.0.1] by omp1028.mail.bf1.yahoo.com with NNFMP; 13 Aug 2011 16:22:08 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 333905.87237.bm@omp1028.mail.bf1.yahoo.com
Received: (qmail 5492 invoked by uid 60001); 13 Aug 2011 16:22:07 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1313252527; bh=wDOBwYYXcfQC9gRr4XiGR9p621SJv8gH3+AsLHSJZAk=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=i0jJgFKEgDl8j3tF0/Y9APal8uTcmGQvZC4O9tdQ4H2ZCR3qEbB16SipsTGImSNmkTPlA6QbxeS181sF5xC3Psw3spZnADs9b6b6MiMKa9uOky/+hKpsNJnkQoHBttZiWNBdYIZ5fqVKlp1N+rymUqU+At5FaUfBJyROt8QpeRQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=UKJaQkDHtqzKDNxIn2aJOX1hSl0ZdfyHDqV6hdDYYsX3ToK+fIlQQvf5QQtajtbhpmv9nf6dxOOav5LxEgT8UHs/XB1aVZWi0cSEz4pXfX5T1Hl+UMR0S/a6CxQwxJZFsByCoBXD4nCyF4ONYFW/SEZn6dHYgyhmLKDUTKpvbqg=;
X-YMail-OSG: PGHF4PIVM1nhF8uwlE4_oGpIifoYlCasHv51KAOqKvxqlqu xQlWnHehE0anbOHrVW6ZOmXkE4jVImI1Aa3Pe9T_woaI.3vUkfierq8f7yUt k5g5Q6BBqUcaShxDhPlnsk25fmkNB08dYtcIfGA7lLOTU.wdZdCMY59VMlFm UdHGI_57Jkrsm4USnmSvfPtMyldtIiGvdBfbjTrgtKyv25w0POGgLhiAqj9. fJ7y17m9tuowF.xMgs_L7ET0WLEljD0x4wTGq3V6x4i9Q0Mi7R36HZJfPlIq ajkuiokaXZmyczS6l7K2vwi3lak0BA1POohnr1yJ9Grvg6TiXhN8gqh6dupb uzuF8KsaA52tUlx6dBMLmEQ8tnfuuX0tU4NWHL6Ki4.N6PyT5YY6a2EpUEa2 0s4lb6fg975NBCgl71IYC3K7JMneHDLY_91To5BdsEYlWnjyNJ1wAPuNl4SE JWJ0pUyPUaeVGNkYxu194_Z7GOp0wOSxffxUAoQJNI4bUC1kHHD92ixbnl1s 95fWEs1PBM9WIe57YwBz5miZOMMEaSq.gPumVmtuNT7cRcxXBMi1.aB4y_TC VKI61SuCDLHZQtP70CvO_AUgpJIPfjglVMrXPQsz9wIGQmFPQ0yZe
Received: from [209.131.62.115] by web31807.mail.mud.yahoo.com via HTTP; Sat, 13 Aug 2011 09:22:07 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.113.315625
References: <6192E34E-57B1-4A84-B157-228258C4207B@oracle.com> <CA6BD818.17E81%eran@hueniverse.com>
Message-ID: <1313252527.98143.YahooMailNeo@web31807.mail.mud.yahoo.com>
Date: Sat, 13 Aug 2011 09:22:07 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Phil Hunt <phil.hunt@oracle.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CA6BD818.17E81%eran@hueniverse.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1541028779-1313252527=:98143"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: "William J. Mills" <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2011 16:21:33 -0000

All CSRF attacks are a against the client (confused deputy) yes.  The defense is always in the server side.  I agree that it's really worth covering.  There are already good discussions of CSRF out there which I think we shoudl lean on rather than re-writing our own, i.e. http://www.rfc-editor.org/rfc/rfc6265.txt

-bill



________________________________
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Phil Hunt <phil.hunt@oracle.com>; Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Sent: Saturday, August 13, 2011 7:30 AM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack


All OAuth CSRF attacks are on the client.

EHL
From:  Phil Hunt <phil.hunt@oracle.com>
Date:  Sat, 13 Aug 2011 00:21:50 -0700
To:  Torsten Lodderstedt <torsten@lodderstedt.net>
Cc:  Eran Hammer-lahav <eran@hueniverse.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject:  Re: [OAUTH-WG] Auth Code Swap Attack


+1 (to putting more detail in the Threat Model document)
>
>
>Yes, this is another CSRF attack (hence the change to 10.2). 
>
>
>What is *new* is this is an attack on the client application rather than the resource server. As such, I agree this new attack vector is well deserving of wider review and discussion before finalizing the draft.
>
>
>Phil
>
>
>@independentid
>www.independentid.comphil.hunt@oracle.com
>
>
>
>
>
>
>On 2011-08-12, at 11:58 PM, Torsten Lodderstedt wrote:
>
>
>>
>>Am 12.08.2011 23:52, schrieb Eran Hammer-Lahav: 
>>This is really just a flavor of CSRF attacks. I have no objections to better documenting it (though I feel the current text is already sufficient), but we can't realistically expect to identify and close every possible browser-based attack. A new one is invented every other week.
>>>
>>>
>>>The problem with this text is that developers who do no understand CSRF attacks are not likely to implement it correctly with this information. Those who understand it do not need the extra verbiage which is more confusing than helpful.
>>We are constantly facing the fact that a comprehensive description
    of security threats needs more space than we have in the core draft.
    That's the reason why the security document has 63 pages and that's
    also the reason why we decided to let the core spec refer to this
    document for in-depth explanations. This holds true for this threat
    as well.
>>
>>regards,
>>Torsten. 
>>
>>
>>
>>>
>>>As for the new requirements, they are insufficient to actually accomplish what the authors propose without additional requirements on state local storage and verification to complete the flow. Also, the proposed text needs clarifications as noted below.
>>>
>>>
>>>
>>>From:  Anthony Nadalin <tonynad@microsoft.com>
>>>Date:  Fri, 12 Aug 2011 12:06:36 -0700
>>>To:  "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
>>>Subject:  [OAUTH-WG] Auth Code Swap Attack
>>>
>>>
>>> 
>>>
>>>
>>>
>>>Recommended Changes to draft-ietf-oauth-v2
>>>> 
>>>>In section 4, request options (e.g. 4.1.1) featuring "state" should change from:
>>>> 
>>>>state
>>>>OPTIONAL. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.
>>>> 
>>>>to:
>>>> 
>>>>state
>>>>REQUIRED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The encoded value SHOULD enable the client application to determine the user-context that was active at the time of the  request (see section 10.12). The value MUST NOT be guessable or predictable, and MUST be kept confidential.
>>>>  
>>>
>>>
>>>Making the parameter required without making its usage required (I.e. "value SHOULD enable") accomplishes nothing. Also, what does "MUST be kept confidential" mean? Confidential from what? Why specify an "encoded value"?
>>>
>>>
>>>
>>>Section 10.12 Cross-Site Request Forgery
>>>> 
>>>>Change to:
>>>> 
>>>>Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from the user-agent of an end-user the server trusts or has authenticated. CSRF attacks enable the attacker to intermix the attacker's security context with that of the resource owner resulting in a compromise of either the resource server or of the client application itself. In the OAuth context, such attacks allow an attacker to inject their own                    authorization code or access token into a client, which can result in the client using an access token associated with the attacker's account rather than the victim's. Depending on the nature of the client and the protected resources, this can have undesirable and damaging effects.
>>>>
>>>>In order to prevent such attacks, the client
                    application MUST encode a non-guessable,
                    confidential end-user artifact and submit as the
                    "state" parameter to authorization and access token
                    requests to the authorization server. The client
                    MUST keep the state value in a location accessible                    only by the client or the user-agent (i.e.,
                    protected by same-origin policy), for example, using
                    a DOM variable, HTTP cookie, or HTML5 client-side
                    storage.
>>>>
>>>>The authorization server includes the value of the
                    "state" parameter when redirecting the user-agent
                    back to the client. Upon receiving a redirect, the                    client application MUST confirm that returned value
                    of "state" corresponds to the state value of the
                    user-agent's user session. If the end-user session
                    represents an authenticated user-identity, the
                    client MUST ensure that the user-identity has NOT
                    changed.
>>>>  
>>>
>>>
>>>The above text uses 'user-context' and this 'user-identity'. Neither term is defined.
>>>
>>>
>>>EHL
>>>
>>>
>>>_______________________________________________
OAuth mailing list OAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
>>
> 
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email