[OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks
Aaron Parecki <aaron@parecki.com> Mon, 01 July 2024 13:05 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1179C151061 for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 06:05:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8Z9BSByBl-L for <oauth@ietfa.amsl.com>; Mon, 1 Jul 2024 06:05:20 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7EC7C18DB89 for <oauth@ietf.org>; Mon, 1 Jul 2024 06:05:20 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id af79cd13be357-79d5d14fa8bso373192285a.0 for <oauth@ietf.org>; Mon, 01 Jul 2024 06:05:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1719839118; x=1720443918; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GpZvn74kv6f3G4mdga6p6oZM7hIqEWdA5d2WpJDHIbk=; b=MkWQe/P6PQdvUWk6KuyLqESkm4THrpHbvZIF5oR4hevuQAAt2ePhjfpwN3VMDlOeQG cNL9D9RFBas6p5uLGwxFcoHpJGmy+CrxYtLAXAAL8J6egBBp4D4wDBNF8RW787KFcSAR T9NlI1X5LJ3Rp2/CyHX/qjI29TQgZSbDho3xx4TDgzFTOC1vAIkMQbYflE0o+gcWeSU3 kgvIdaKoZCBB5/DFNMGKCTFXdS5kkHo3i4n29mRraCSv9hnZgO/plmuXw7/mI2gUPQAh 9JHosCMCiIJQln0jekUmdiHLAZ6WLqj12LicwPAQpSKSy9Z6BfF3y/6NhtTE7Xkdwh/q PNSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719839118; x=1720443918; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GpZvn74kv6f3G4mdga6p6oZM7hIqEWdA5d2WpJDHIbk=; b=LY/ivcHUmhu/uW/v3yC9ZqtCtxROjgN4ynxqKWMo9x77jLIm30KQvvwLmLdSDP3Ylz /AXy3m22dNW8cTWC8wA1WA4Xa1nHaskdVmgfOgrV1EYeIze+39wsOApMmY2Z3vuUYsO4 SfZDcl95ykiCfNFzddWjPMnsgTA8C45lnwmldSd6oErl3ucEqBE0b1YcNW6rPGcJFd2q BaSbPf6ik3WOon+XEy8CErNpzvO2WpUPE1I3MZZ8Kp56cMYSYNWmpXdCh+tQq9LIb6kS cGLQ3ORJpVF5iX70oVXrgLH91AQ3CUyMzYrC1T9mCDrfy+4VYMs9mUKKjSvWOQdylP5t TBTA==
X-Gm-Message-State: AOJu0YxE9Tr1bub676VV41JZpc5sLEjbgMY4Me354qofk4fa9GMxAgXR XtUddOW582l+9j8ks4KR6u6BuWNVBuQMspyXdPnEvGnt40x2QdCBWDXXgYlkBdMZM+17bhlHQQc =
X-Google-Smtp-Source: AGHT+IH5qku26CcvnA/ScE/5yMqita3P6y7A4JsbEcUMM5usKHRFY292CgUCdo1WvxiwFxju+38CSw==
X-Received: by 2002:a05:620a:8d5:b0:79b:bcee:d627 with SMTP id af79cd13be357-79d7b810e6dmr789952185a.35.1719839118412; Mon, 01 Jul 2024 06:05:18 -0700 (PDT)
Received: from mail-qv1-f49.google.com (mail-qv1-f49.google.com. [209.85.219.49]) by smtp.gmail.com with ESMTPSA id af79cd13be357-79d6927a81dsm346228385a.31.2024.07.01.06.05.17 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 01 Jul 2024 06:05:18 -0700 (PDT)
Received: by mail-qv1-f49.google.com with SMTP id 6a1803df08f44-6b593387daaso30585206d6.1 for <oauth@ietf.org>; Mon, 01 Jul 2024 06:05:17 -0700 (PDT)
X-Received: by 2002:a05:6214:e6a:b0:6b5:198e:353d with SMTP id 6a1803df08f44-6b5a541bfcbmr120501966d6.10.1719839117521; Mon, 01 Jul 2024 06:05:17 -0700 (PDT)
MIME-Version: 1.0
References: <CAMsdJ+igzBuXf2HRhkLKQyRy7J2JqT9rTu0REe0nhcj0UNyXXg@mail.gmail.com> <CALAqi_9f-M_=c9pdbSH=iFmAv3iYXdBA8d4XhzgJV66i+5e1hA@mail.gmail.com>
In-Reply-To: <CALAqi_9f-M_=c9pdbSH=iFmAv3iYXdBA8d4XhzgJV66i+5e1hA@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 01 Jul 2024 06:05:06 -0700
X-Gmail-Original-Message-ID: <CAGBSGjq3sOrRXLcTH70nx8ttBXNVXcd4j7LaWBye1LC2SBj=dw@mail.gmail.com>
Message-ID: <CAGBSGjq3sOrRXLcTH70nx8ttBXNVXcd4j7LaWBye1LC2SBj=dw@mail.gmail.com>
To: Chaitanya Reddy <nchaitreddyutilities@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000abc4a1061c2f3f1d"
Message-ID-Hash: JRFQM6BV72WDVLXLBED2N233EULCG3V6
X-Message-ID-Hash: JRFQM6BV72WDVLXLBED2N233EULCG3V6
X-MailFrom: aaron@parecki.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Security Bug | Unintended usage of "state" parameter can lead to Header Injection Attacks
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tn43cGJRo6c5mRq-o-cCcE_GjAg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I also agree that the burden is on the client to not become an Open Redirector by blindly copying the value of the state parameter into a Location header. However, the OAuth Security BCP does make the additional requirement that clients MUST prevent CSRF attacks: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1 Clients that have ensured that the authorization server supports Proof Key > for Code Exchange (PKCE, [RFC7636]) MAY rely on the CSRF protection > provided by PKCE. In OpenID Connect flows, the nonce parameter provides > CSRF protection. Otherwise, one-time use CSRF tokens carried in the state > parameter that are securely bound to the user agent MUST be used for CSRF > protection (see Section 4.7.1). Using a hardcoded value for state does not provide CSRF protection, and there is no mention of PKCE in the Google API docs https://developers.google.com/identity/protocols/oauth2/web-server#httprest_1 So I would say it's the client's problem that it is possibly an Open Redirector and also does not have CSRF protection. You could make the argument that the authorization server should try to prevent the client from using a hardcoded state value, but ultimately the responsibility is on the client. Aaron On Mon, Jul 1, 2024 at 5:43 AM Filip Skokan <panva.ip@gmail.com> wrote: > Hello Chaitanya. > > The AS is to treat the state value as an opaque string, merely echoing it > back to the client, at most the AS is required to ensure the state's syntax > is within its ABNF definition, then send its exact value back with the > authorization response. > > I don't find this particular AS implementation's documentation-defined > state use to fall outside of its intended use. Of course it could come with > more guidance on how to achieve those particular purposes securely, so that > the client doesn't become an Open Redirector > <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-client-as-open-redirector> > . > > S pozdravem, > *Filip Skokan* > > > On Mon, 1 Jul 2024 at 14:20, Chaitanya Reddy < > nchaitreddyutilities@gmail.com> wrote: > >> Hi Team, >> >> Hope you are doing well! >> >> I am writing this mail regarding the discussion of usage of *state* >> parameter in the OAuth implementation. >> >> As per the RFC 6749, "*An opaque value is used by the client to maintain >> state between the request and callback. And it should be used to prevent >> cross-site request forgery*". Since it's an opaque value, OAuth >> implementors usually don't sanitize the value. >> >> One of the OAuth 2.0 implementors (Google) have defined state as "*You >> can use this parameter for several purposes, such as directing the user to >> the correct resource in your application, sending nonces, and mitigating >> cross-site request forgery*" >> >> The issue arries here due to the fact that Google allows the use of state >> parameter for directing the users to the correct resource. Since the value >> in RFC is defined as *opaque, *they are not sanitizing the value for any >> possible malicious values. I have observed two instances where clients >> using Google's OAuth service directly use the state parameter value in *Location >> header *to redirect the users hence resulting in header injection >> attacks. >> >> As per my understanding, this issue arises due to the fact that: >> 1. Google allows state parameter to be used for purpose not defined in >> RFC. >> 2. Google is not sanitizing the state paramater on their end. >> 3. Client is also not sanitizing the state paramater and directly using >> it in the *Location* header. >> >> I have raised this issue to google via google VRP but after weeks of >> communication over the ticket, the engineer feels like they are not in >> disagreement with the spec and have requested me to discuss it further with >> your team and hence i am reaching out to you. >> >> Please let me know your thoughts about this. >> >> Regards, >> Chaitanya Reddy >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >
- [OAUTH-WG] Security Bug | Unintended usage of "st… Chaitanya Reddy
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Neil Madden
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Filip Skokan
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Aaron Parecki
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Chaitanya Reddy
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Neil Madden
- [OAUTH-WG] Re: Security Bug | Unintended usage of… Tom Jones
- [OAUTH-WG] Re: Security Bug | Unintended usage of… David Waite