Re: [OAUTH-WG] Another CSRF attack

Justin Richer <jricher@mit.edu> Thu, 05 May 2016 18:50 UTC

To: Daniel Fett <fett@uni-trier.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ewblk5ozBgsGk80Eb8xDeXfZLI0>
Cc: Guido Schmitz <gschmitz@informatik.uni-trier.de>, "<oauth@ietf.org>" <oauth@ietf.org>, ralf Kuesters <kuesters@uni-trier.de>

I’ve not heard this attack spelled out like this, but I know that our client library was explicitly coded to prevent this by remembering the “issuer” of the outgoing request and tying that to the session and state value.

 — Justin

> On May 5, 2016, at 10:13 AM, Daniel Fett <fett@uni-trier.de> wrote:
> 
> We found another attack on session integrity (read: a CSRF attack).
> 
> This attack breaks the session integrity for clients that allow the use
> of multiple AS where one AS might be malicious. It only works for
> clients that do not use a session or cookie to track which AS a user
> wanted to use when starting the OAuth flow. (We assume that such
> clients, for lack of other options, use different redirection URIs for
> the different AS.)
> 
> Let's call the malicious AS AIdP and the honest HIdP.
> 
> The attack works as follows: When a user wants to authorize using AIdP,
> AIdP redirects the user back to the redirection URI of HIdP at the
> client. AIdP attaches to this redirection URI the state issued by the
> client, and an authorization code or access token obtained from HIdP. The
> client then believes that the user logged in at HIdP. Hence, the user is
> logged in at the client using the attacker's identity at HIdP or the
> client accesses the attacker's resources at HIdP believing that these
> resources are owned by the user.
> 
> This attack should also be applicable to OpenID Connect in all modes.
> 
> The obvious fix here is that the RP should track in a session or cookie
> where the user wanted to log in. Using different redirection URIs is not
> sufficient.
> 
> Can anybody confirm this attack, and whether it was described before?
> 
> Cheers,
> Daniel, Guido, Ralf
> 
> -- 
> Information Security and Cryptography
> Universität Trier - Tel. 0651 201 2847 - H436
> 
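The fix Daniel proposes and the one Justin describes (tie the chosen AS to the session and state) side by side with the redirect-URI-only heuristic the post says is insufficient. This is an added illustration, not code from the thread or from any OAuth library; the issuer URLs, redirection URIs and the callback code value are constructed.

```python
import secrets

# Constructed configuration: the client supports two authorization servers
# and, as the post assumes, gives each its own redirection URI.
AUTH_SERVERS = {
    "https://hidp.example": {"redirect_uri": "https://client.example/cb/hidp"},
    "https://aidp.example": {"redirect_uri": "https://client.example/cb/aidp"},
}

def start_authorization(session, issuer):
    """Begin the flow at the AS the user chose and record that choice
    in the server-side session, bound to the freshly issued state."""
    state = secrets.token_urlsafe(16)
    session["oauth_pending"] = {"state": state, "issuer": issuer}
    return (f"{issuer}/authorize?response_type=code&state={state}"
            f"&redirect_uri={AUTH_SERVERS[issuer]['redirect_uri']}")

def as_from_redirect_uri(redirect_uri):
    """Which AS a redirection URI is assigned to (the only signal the weak client uses)."""
    for issuer, cfg in AUTH_SERVERS.items():
        if cfg["redirect_uri"] == redirect_uri:
            return issuer
    raise ValueError("unknown redirection URI")

def handle_callback_vulnerable(session, redirect_uri, params):
    """Weak client: checks state, then trusts the redirection URI to name the AS."""
    pending = session.pop("oauth_pending", None)      # state is single-use
    if pending is None or params.get("state") != pending["state"]:
        return None
    return as_from_redirect_uri(redirect_uri)         # no check against the session

def handle_callback_hardened(session, redirect_uri, params):
    """Fixed client: the AS implied by the URI must equal the AS the user started at."""
    pending = session.pop("oauth_pending", None)
    if pending is None or params.get("state") != pending["state"]:
        return None
    if as_from_redirect_uri(redirect_uri) != pending["issuer"]:
        return None   # response arrived at another AS's URI: reject, do not redeem the code
    return pending["issuer"]

def simulate(handler, chosen_as, callback_as):
    """User starts at chosen_as; the response then lands on callback_as's redirection URI
    carrying the client's own state and a code (constructed value) obtained at callback_as."""
    session = {}
    start_authorization(session, chosen_as)
    params = {"state": session["oauth_pending"]["state"], "code": "constructed-code"}
    return handler(session, AUTH_SERVERS[callback_as]["redirect_uri"], params)
```

In the scenario from the post (user chose AIdP, response lands on HIdP's URI) the weak handler reports a login at HIdP, while the hardened one returns None and the code is never exchanged.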