[OAUTH-WG] Open redirector feedback (Yaron Goland)
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 16 August 2011 21:45 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3CDE11E8103 for <oauth@ietfa.amsl.com>; Tue, 16 Aug 2011 14:45:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.554
X-Spam-Level:
X-Spam-Status: No, score=-2.554 tagged_above=-999 required=5 tests=[AWL=0.044, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fq3L9oVjPi7y for <oauth@ietfa.amsl.com>; Tue, 16 Aug 2011 14:45:30 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id BFE4311E8101 for <oauth@ietf.org>; Tue, 16 Aug 2011 14:45:27 -0700 (PDT)
Received: (qmail 16469 invoked from network); 16 Aug 2011 21:46:17 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 16 Aug 2011 21:46:17 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Tue, 16 Aug 2011 14:46:02 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Tue, 16 Aug 2011 14:44:47 -0700
Thread-Topic: Open redirector feedback (Yaron Goland)
Thread-Index: AcxcXZWPNliGpm+dSi2eHbYp4Bn6aA==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234502498D202@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234502498D202P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: [OAUTH-WG] Open redirector feedback (Yaron Goland)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2011 21:45:31 -0000
Moved here to help discuss. > 3.1.2.4. Invalid Endpoint: Comment on "open redirector": "How many people > even know what the heck an open redirector is? I think we need a section in > the security considerations section that defines what an open redirector is > and why it's bad. Alternatively a normative reference to a complete > definition somewhere else is also fine." Added new section and reference to it: 10.15. Open Redirectors The authorization server authorization endpoint and the client redirection endpoint can be improperly configured and operate as open redirectors. An open redirector is an endpoint using a parameter to automatically redirect a user-agent to the location specified by the parameter value without any validation. Open redirectors can be used in phishing attacks to get end-users to visit malicious sites by making the URI's authority look like a familiar and trusted destination. In addition, if the authorization server allows the client to register only part of the redirection URI, an attacker can use an open redirector operated by the client to construct a redirection URI that will pass the authorization server validation but will send the authorization code or access token to an endpoint under the control of the attacker.
- [OAUTH-WG] Open redirector feedback (Yaron Goland) Eran Hammer-Lahav
- Re: [OAUTH-WG] Open redirector feedback (Yaron Go… William J. Mills
- Re: [OAUTH-WG] Open redirector feedback (Yaron Go… Eran Hammer-Lahav