Re: [OAUTH-WG] DPoP: Threat Model

Philippe De Ryck <philippe@pragmaticwebsecurity.com> Mon, 04 May 2020 19:48 UTC

From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Message-Id: <BC97146B-12F1-4F45-9D54-738A67DF3457@pragmaticwebsecurity.com>
Date: Mon, 04 May 2020 21:48:49 +0200
In-Reply-To: <fc4a020e-97e8-6074-c80a-dc88e88d879b@danielfett.de>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth@ietf.org
To: Daniel Fett <fett@danielfett.de>
References: <9ee75fc4-c134-1a36-1fa3-4c42887dc438@danielfett.de> <1427A993-02B5-4444-9FD5-0E62A32D2AF4@forgerock.com> <b5645470-67db-c18d-28b8-2cf4df06a03d@danielfett.de> <F0001BCC-29D5-4525-89CE-0BEF0E835333@pragmaticwebsecurity.com> <fc4a020e-97e8-6074-c80a-dc88e88d879b@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hUwG_kGIGdDgFqnJkfqJ5wCYPJI>
Subject: Re: [OAUTH-WG] DPoP: Threat Model

On 4 May 2020, at 21:44, Daniel Fett <fett@danielfett.de> wrote:
> 
> Am 04.05.20 um 21:27 schrieb Philippe De Ryck:
>> 
>>>> (https://beefproject.com) rather than exfiltrating tokens/proofs.
>>> As a sidenote: BeEF is not really XSS but requires a full browser compromise.
>>> 
>> 
>> No, it’s not. The hook for BeEF is a single JS file, containing a wide variety of attack payloads that can be launched from the command and control center. You can combine BeEF with Metasploit to leverage an XSS to exploit browser vulnerabilities and break out.
> I shall stand corrected!
>> 
>> Just keep in mind that once an attacker has an XSS foothold, it is extremely hard to prevent abuse. The only barrier that cannot be broken (in a secure browser) is the Same Origin Policy. Keeping tokens and metadata in a separate environment (e.g., iframe, worker, …) is effective to keep them out of reach. However, once the app “extracts” data from such a context, the same problem arises. 
> Compartmentalization within an origin is as old a problem as it is mostly unsolved, indeed. That is why I would not further differentiate in case the browser is online and the client's script is compromised, but instead assume that the attacker can then forge arbitrary requests using the token.
> 
I agree on that assumption. The moment malicious script executes, it’s game over, regardless of the specifics on whether a token can be extracted or not. Even with isolation, an attacker would be able to trick the isolated context into making requests as a confused deputy.

Philippe
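An added illustration of the point the thread settles on (this is editor-supplied code, not from the thread, the DPoP draft or any of its authors): a Node-only model of an "isolated token context" such as a Web Worker or sandboxed iframe that keeps the token in a closure and exposes only a request-proxying message handler to the rest of the origin. The resource server, the token value, the `https://api.example/` URLs and the `allowedPrefix` hardening are all constructed assumptions; no real Worker, network call or DPoP proof is involved. The model shows that the boundary does keep the token unreadable from same-origin script, yet any script in the origin can still have the vault issue authenticated requests on its behalf, which is why the threat model assumes request forgery once script is compromised.

```javascript
// Constructed resource server: records every authenticated call it receives.
function createResourceServer() {
  const calls = [];
  return {
    calls,
    handle(method, url, authorization) {
      calls.push({ method, url, authorization });
      return { status: 200 };
    },
  };
}

// Isolated context (stand-in for a worker or iframe). The token exists only
// inside this closure; the sole exported capability is a message handler,
// mirroring what postMessage() would give same-origin script.
// `allowedPrefix` is an assumed hardening: the vault only proxies calls to
// the API base the application declared it needs.
function createTokenVault(token, resourceServer, allowedPrefix) {
  return {
    onMessage(msg) {
      if (msg.type !== "fetch") return { error: "unsupported message" };
      if (!msg.url.startsWith(allowedPrefix)) return { error: "url not allowed" };
      // The token never crosses the boundary; only the response does.
      return resourceServer.handle(msg.method, msg.url, "Bearer " + token);
    },
  };
}

// What any same-origin script, legitimate or injected, can do with the vault.
function probeVault(vault) {
  // 1. Direct extraction: nothing but the message handler is reachable.
  const tokenReadable = Object.keys(vault).some((k) => k !== "onMessage");

  // 2. Confused deputy: ask the vault to make requests on the caller's behalf.
  const inScope = vault.onMessage({
    type: "fetch",
    method: "POST",
    url: "https://api.example/transfer", // constructed in-scope endpoint
  });
  const outOfScope = vault.onMessage({
    type: "fetch",
    method: "GET",
    url: "https://other.example/", // constructed out-of-scope endpoint
  });
  return {
    tokenReadable,
    inScopeStatus: inScope.status,
    outOfScopeError: outOfScope.error,
  };
}

// Runs the model and summarises what isolation did and did not prevent.
function simulate() {
  const server = createResourceServer();
  const vault = createTokenVault("constructed-token-123", server, "https://api.example/");
  const probe = probeVault(vault);
  return {
    ...probe,
    // The server receives the same credential on every proxied call, so it
    // cannot distinguish the application from script injected into it.
    forgedRequestsSeenByServer: server.calls.length,
    serverSawRealToken:
      server.calls.length === 1 &&
      server.calls[0].authorization === "Bearer constructed-token-123",
  };
}
```

`simulate()` returns `tokenReadable: false` (isolation held) alongside `inScopeStatus: 200` and `serverSawRealToken: true` (the request was still made with the real credential). The URL allow-list only narrows which requests the deputy will perform; every request the application legitimately needs remains available to injected script, which is the residual risk the thread describes.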