[OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks
David Waite <david@alkaline-solutions.com> Mon, 01 July 2024 17:42 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB810C1519B4 for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 10:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oatgVYRSLCSL for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 10:42:55 -0700 (PDT)
Received: from caesium6.alkaline.solutions (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FB49C151984 for <oauth@ietf.org>; Mon, 1 Jul 2024 10:42:55 -0700 (PDT)
From: David Waite <david@alkaline-solutions.com>
Authentication-Results: caesium6.alkaline.solutions; auth=pass smtp.mailfrom=david@alkaline-solutions.com
Message-Id: <693B3196-7CFA-4CF6-98E0-38EE0D7A748D@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D87521B9-456B-4223-8CE1-04846607BDDE"
Mime-Version: 1.0
Date: Mon, 01 Jul 2024 11:42:42 -0600
In-Reply-To: <CAMsdJ+igzBuXf2HRhkLKQyRy7J2JqT9rTu0REe0nhcj0UNyXXg@mail.gmail.com>
To: Chaitanya Reddy <nchaitreddyutilities@gmail.com>
References: <CAMsdJ+igzBuXf2HRhkLKQyRy7J2JqT9rTu0REe0nhcj0UNyXXg@mail.gmail.com>
X-Spamd-Bar: --
Message-ID-Hash: DFH7LD4Z6JDJPTON6COKCPKT6N47KBU7
X-Message-ID-Hash: DFH7LD4Z6JDJPTON6COKCPKT6N47KBU7
X-MailFrom: david@alkaline-solutions.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/t7QgOlt8U6qWRdsrk0uDVRr8sb4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hello Chaitanya! This is likely deeper than a sanitization issue. Sanitation would be making sure you don’t output formatting or delimiter characters when manually building up a response, such as including HTML tags like “script” in a state parameter which is dropped into a form as a hidden input field, or using it for a database lookup on the client side without protecting from SQL injection. Instead, these client are not validating the response matches the request they made. This allows a malicious party (browser extension, AS) to modify the request or response. So if the state value is the final location without any integrity checks, an intermediary in the transaction can change this to any value before it is returned to the redirect URI, and treat the client as an open redirector. This client responsibility is mentioned in section 4.7.1 of the OAuth Security BCP. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.7 , albeit in the context of explaining how state has less protocol/security requirements with the addition of PKCE. -DW > On Jun 30, 2024, at 10:50 PM, Chaitanya Reddy <nchaitreddyutilities@gmail.com> wrote: > > Hi Team, > > Hope you are doing well! > > I am writing this mail regarding the discussion of usage of state parameter in the OAuth implementation. > > As per the RFC 6749, "An opaque value is used by the client to maintain state between the request and callback. And it should be used to prevent cross-site request forgery". Since it's an opaque value, OAuth implementors usually don't sanitize the value. > > One of the OAuth 2.0 implementors (Google) have defined state as "You can use this parameter for several purposes, such as directing the user to the correct resource in your application, sending nonces, and mitigating cross-site request forgery" > > The issue arries here due to the fact that Google allows the use of state parameter for directing the users to the correct resource. Since the value in RFC is defined as opaque, they are not sanitizing the value for any possible malicious values. I have observed two instances where clients using Google's OAuth service directly use the state parameter value in Location header to redirect the users hence resulting in header injection attacks. > > As per my understanding, this issue arises due to the fact that: > 1. Google allows state parameter to be used for purpose not defined in RFC. > 2. Google is not sanitizing the state paramater on their end. > 3. Client is also not sanitizing the state paramater and directly using it in the Location header. > > I have raised this issue to google via google VRP but after weeks of communication over the ticket, the engineer feels like they are not in disagreement with the spec and have requested me to discuss it further with your team and hence i am reaching out to you. > > Please let me know your thoughts about this. > > Regards, > Chaitanya Reddy > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org
- [OAUTH-WG] Security Bug | Unintended usage of "st… Chaitanya Reddy
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Neil Madden
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Filip Skokan
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Aaron Parecki
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Chaitanya Reddy
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Neil Madden
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Tom Jones
- [OAUTH-WG] Re: Security Bug | Unintended usage of… David Waite