IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter

Bob Van Zant <bob@veznat.com> Fri, 15 July 2011 15:48 UTC

Return-Path: <bigbadbob0@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC11321F89A3 for <oauth@ietfa.amsl.com>; Fri, 15 Jul 2011 08:48:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.789
X-Spam-Level:
X-Spam-Status: No, score=-2.789 tagged_above=-999 required=5 tests=[AWL=0.188, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DDIvsasFOgU6 for <oauth@ietfa.amsl.com>; Fri, 15 Jul 2011 08:48:41 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id A43EF21F887C for <oauth@ietf.org>; Fri, 15 Jul 2011 08:48:41 -0700 (PDT)
Received: by qwc23 with SMTP id 23so936243qwc.31 for <oauth@ietf.org>; Fri, 15 Jul 2011 08:48:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=JCxbJW2fWCY854aVB4gBhcdKtSRvieLlKSe3JdKD+l0=; b=OzBb2/0ab3UAlic0M7q5cnR6NOd8irGypjqtwigLyKaOpMjKhFykAjqZxBQtGM2OrP s27OG/4zcAgBdemOiWI+am3KWJnjjodI/GSe/r7FdQE16YrEERUKiwZKX0/gry+fyQ3S ycxzXR0Kdbghr4Ygw2rWN7vzHNdISSF+DZuag=
MIME-Version: 1.0
Received: by 10.229.106.69 with SMTP id w5mr2866412qco.41.1310744920976; Fri, 15 Jul 2011 08:48:40 -0700 (PDT)
Sender: bigbadbob0@gmail.com
Received: by 10.229.100.136 with HTTP; Fri, 15 Jul 2011 08:48:40 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234501D6E020F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CADrOfLJSd8Z=QfCcGUdFBU314rmjv9-u25Vta+ObXfNAwoA06w@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234501D6E020F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Fri, 15 Jul 2011 08:48:40 -0700
X-Google-Sender-Auth: ZtMqrMEFMc1kcGprbjBeU0Iu27I
Message-ID: <CADrOfLLW9DxX=H2iJGUHAkMDRefB8BVtNt50oPRTTK+ZoEB7kg@mail.gmail.com>
From: Bob Van Zant <bob@veznat.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2011 15:48:46 -0000

It wasn't the length that I cared about very much. Other than I don't
want to have to accept someone's 1024 byte state value (it's a waste
of my resources).

Percent encoding doesn't help when the client un-percent encodes it
and puts it verbatim onto his website. An example: Perhaps the state
variable is supposed to be the resource owner's name. The attacker
creates a link to my API that is:

/oauth/authorize?client_id=xxx&response_type=code&state=percent_encoded(<script>badstuff</script>)

If the client simply puts "state" back onto some webpage, after
un-percent encoding it but without HTML encoding it, then we have a
vulnerability?

-Bob



On Fri, Jul 15, 2011 at 8:41 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> I don't see the problem. The state value is percent-encoded both ways, so the only way to inject a bad value there is by including a value that has special meaning to the client. Putting a character limit on it will not do anything to prevent that.
>
> The server should reject requests with query parameters that are not properly percent-encoded.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Bob Van Zant
>> Sent: Friday, July 15, 2011 8:35 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] OAuth v2-18 comment on "state" parameter
>>
>> Hi everyone,
>> I'm in the process of implementing OAuth and I'm a little concerned about
>> the "state" parameter that a client can send as part of the authorization
>> request. The spec says that the value is opaque and that I need to accept,
>> store, and reply with exactly what the client sent me. Can we impose some
>> restrictions on the type of data a client can send?
>>
>> The reason is that I don't necessarily trust the clients of my API to properly
>> deal with sanitizing data. If someone steals a client_id (not
>> hard) and puts something malicious into the state field I'll happily redirect the
>> resource owner to my client's site with malicious data in state. If the client
>> does not properly handle this malicious data (there's an established track
>> record here) then I've opened my customer (the resource owner) to an
>> attack.
>>
>> Did I miss something in the spec where it limits what this variable can be? If
>> not I'd like to propose that we limit this field to a set of characters that are
>> safe. [a-zA-Z0-9_-]{0,100}
>>
>> The authorization server would validate that the state field contains only
>> those characters and if not SHOULD show the resource owner an error
>> (consistent with section 4.1.2.1, paragraph 1 and others).
>>
>> Thank you for all of your hard work on this spec to date and thanks for your
>> consideration of my comments.
>>
>> -Bob
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.34.0 | Report a Bug | By Email | System Status