Re: [OAUTH-WG] Caution about open redirectors using the state parameter

Neil Madden <neil.madden@forgerock.com> Tue, 21 April 2020 21:35 UTC

From: Neil Madden <neil.madden@forgerock.com>
Date: Tue, 21 Apr 2020 22:35:18 +0100
Message-Id: <39FB95F6-4542-4DA3-9F5A-7D64FDF507DD@forgerock.com>
References: <8ef6dfa2-a3b0-3908-ac7d-b496908d07e1@aol.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <8ef6dfa2-a3b0-3908-ac7d-b496908d07e1@aol.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mEf-skrsIzF4EkfGP7A-4RC33Aw>

I think the correct defence is to validate the URL (e.g. check against a whitelist) at the point you are going to redirect to it after the OAuth flow completes, rather than before you begin the OAuth flow.

But this feels like generic web app security advice rather than anything specific to OAuth - always validate URLs before performing a redirect.

Neil

> On 21 Apr 2020, at 20:28, George Fletcher <gffletch=40aol.com@dmarc.ietf.org> wrote:
> 
>  +1
> 
> However, we should be careful how we prohibit it... because if the state value is actually signed, having the URL there isn't a problem as the attacker cannot manipulate the value without breaking the signature.
> 
>> On 4/20/20 5:28 PM, Mike Jones wrote:
>> I've seen several circumstances where "clever" clients implement an open redirector by encoding a URL to redirect to in the state parameter value.  Attackers can then utilize this open redirector by choosing a state value.
>> 
>> Can we please add an explicit prohibition of this practice in draft-ietf-oauth-security-topics?
>> 
>> Thanks,
>> -- Mike
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
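An added example, not code from anyone in this thread, contrasting the pattern Mike describes (a state value that is just an encoded redirect URL, followed blindly) with the two defences raised above: George's signed state, and Neil's allowlist check applied at the moment of the post-flow redirect. The signing key, the allowlisted host and the helper names are constructed for the example.

```python
import hmac, hashlib, json, base64, secrets
from urllib.parse import urlparse

STATE_KEY = b"constructed-example-key-do-not-reuse"  # assumption: per-client secret
ALLOWED_HOSTS = {"client.example.com"}  # assumption: hosts the client may send users to

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def unsafe_callback(state: str) -> str:
    """The pattern Mike describes: state is just an encoded URL, redirected to blindly."""
    return _b64d(state).decode()

def make_state(return_to: str, key: bytes = STATE_KEY) -> str:
    """George's point: sign the state so return_to cannot be altered without breaking the MAC."""
    payload = _b64e(json.dumps({"n": secrets.token_urlsafe(16), "r": return_to}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_state(state: str, key: bytes = STATE_KEY):
    """Return the embedded return_to, or None if the state is forged or malformed."""
    try:
        payload, tag = state.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        r = json.loads(_b64d(payload))["r"]
    except (ValueError, KeyError, TypeError):
        return None
    return r if isinstance(r, str) else None

def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Neil's point: validate at redirect time. Accept a same-site path or an https allowlisted host."""
    p = urlparse(url)
    if not p.scheme and not p.netloc and url.startswith("/") and not url.startswith(("//", "/\\")):
        return url
    if p.scheme == "https" and p.hostname in allowed_hosts:
        return url
    return "/"  # fall back to a known-safe location

def safe_callback(state: str) -> str:
    """Combined defence: unforgeable state plus an allowlist check at the redirect."""
    target = verify_state(state)
    return safe_redirect_target(target) if target else "/"
```

The signature alone stops an attacker from minting a state that points elsewhere; the redirect-time check additionally catches a legitimately signed but misconfigured target and protocol-relative or userinfo tricks such as `//other.example/` or `https://client.example.com@other.example/`.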