Re: [OAUTH-WG] Caution about open redirectors using the state parameter

George Fletcher <gffletch@aol.com> Tue, 21 April 2020 19:28 UTC

To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
References: <CH2PR00MB0678578C4FDBDCD7D5EA8AFBF5D40@CH2PR00MB0678.namprd00.prod.outlook.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <8ef6dfa2-a3b0-3908-ac7d-b496908d07e1@aol.com>
Date: Tue, 21 Apr 2020 15:27:57 -0400
In-Reply-To: <CH2PR00MB0678578C4FDBDCD7D5EA8AFBF5D40@CH2PR00MB0678.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mQ8G_-F2-xrhefL-bEMuoaT61HM>

+1

However, we should be careful how we prohibit it... because if the state value is actually signed, having the URL there isn't a problem as the attacker cannot manipulate the value without breaking the signature.

On 4/20/20 5:28 PM, Mike Jones wrote:
> I've seen several circumstances where "clever" clients implement an open redirector by encoding a URL to redirect to in the state parameter value.  Attackers can then utilize this open redirector by choosing a state value.
>
> Can we please add an explicit prohibition of this practice in draft-ietf-oauth-security-topics?
>
>                                                         Thanks,
>                                                         -- Mike
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
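As an added illustration of the point made in this reply (not code from the thread or from any OAuth implementation), the following constructs a state value that carries a post-login return URL under an HMAC, so a client can safely recover the URL only when the tag verifies and never acts on a bare attacker-chosen state. The key, the JSON payload layout and the nonce field are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real client loads this from protected configuration.
STATE_KEY = b"constructed-demo-key-do-not-reuse"


def b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(return_to: str, key: bytes = STATE_KEY) -> str:
    """Build a state value that embeds a return URL but is MAC-protected.

    The random nonce preserves state's CSRF role (unguessable per request);
    the HMAC over the whole payload means nobody without the key can swap in
    a different return_to without invalidating the tag.
    """
    payload = json.dumps(
        {"return_to": return_to, "nonce": secrets.token_urlsafe(16)},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64u_encode(payload)}.{b64u_encode(tag)}"


def verify_state(state: str, key: bytes = STATE_KEY):
    """Return the embedded return_to if the tag verifies, otherwise None.

    A bare URL supplied as state, a payload spliced onto someone else's tag,
    or a value minted under another key all fail here, so the redirect is
    only ever driven by a value this client produced itself.
    """
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload = b64u_decode(payload_b64)
        tag = b64u_decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)["return_to"]
```

Even with a valid tag, a client that lets users pick return_to at login time should still confirm the recovered URL is on its own origin before redirecting; the signature only proves the client minted the value, not that the original request was sensible.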