Re: [OAUTH-WG] Another CSRF attack
Hans Zandbelt <hzandbelt@pingidentity.com> Thu, 05 May 2016 21:00 UTC
Return-Path: <hzandbelt@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9955C12D15B for <oauth@ietfa.amsl.com>; Thu, 5 May 2016 14:00:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.69
X-Spam-Level:
X-Spam-Status: No, score=-2.69 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rwN2-2j7q8ZA for <oauth@ietfa.amsl.com>; Thu, 5 May 2016 14:00:50 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF91E12D0C0 for <oauth@ietf.org>; Thu, 5 May 2016 14:00:49 -0700 (PDT)
Received: by mail-ig0-x22a.google.com with SMTP id bi2so28037951igb.0 for <oauth@ietf.org>; Thu, 05 May 2016 14:00:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=yo+eXHBj1NHeNrTcbH9wFLF0wNFcCsXqfXS47SM98jM=; b=aASsR7UwABD+u5rtzJnP6kBQt7qMV7ei4as3XiXuDhTPyzz62w0R2CosaaYSo0q+CP GMAptxKJHjk8Qpfdp6dAZFSQqtxyUPlb56OL62lPWp+w/hnansf3bQGg/qgY789VUMFf sv5MDzh9U+Plj5km1t5z0UcNy+U05YJlq5x1A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=yo+eXHBj1NHeNrTcbH9wFLF0wNFcCsXqfXS47SM98jM=; b=jyqUXV7ONkMb0HYk4SEI1hApvV8QdDDWQm29hM9Z53j3fo7va26pLDyFP55/Dbv1HR GLE4Fq0NYJrl+1DbtIfPqA9//YNFJ98rh7Rgh8h+plBo6G4io26eKbKQCJzDfKeZw7l/ FlN83oIimPPlTPNNEeWmFPsdaAXV1y1YJkZZGbF8OM9eKpiZ1nhPL3Yj5bcAHwhPYVuY fpLwUx9GT43HPe68XhovpZFCkjvhA8nddpdbMGx70GwNo55NP2VLADictuUe2Oltn3Pt 9ki3ulb0Q+6MzDC657KTwdm2dC73ox8Y/qFX7CKyVRAGMEOBLpfxTIyAKJE8IsmFGddK i41Q==
X-Gm-Message-State: AOPr4FXzmV+82HuCw0wlB4GwO916cNXtjaDzFYcpN2gosY+lKSGcDr2Mh74ddSOgWvN3HWS7PLzFRGECf/lEMOSO
MIME-Version: 1.0
X-Received: by 10.50.224.148 with SMTP id rc20mr6062588igc.73.1462482048977; Thu, 05 May 2016 14:00:48 -0700 (PDT)
Received: by 10.107.132.35 with HTTP; Thu, 5 May 2016 14:00:48 -0700 (PDT)
In-Reply-To: <B0C4E1D9-9D91-426F-8950-C418BE1D0754@mit.edu>
References: <572B551B.5030702@uni-trier.de> <B0C4E1D9-9D91-426F-8950-C418BE1D0754@mit.edu>
Date: Thu, 05 May 2016 23:00:48 +0200
Message-ID: <CALDMGUzJY_4kkKvrYd6DC8ga8TRNfJMDPU=Stz82e+12NtC=wg@mail.gmail.com>
From: Hans Zandbelt <hzandbelt@pingidentity.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="f46d042a0b400572b905321ea351"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ubPmHCYRV4IDLZ9p8KW48N-e7Z8>
Cc: Guido Schmitz <gschmitz@informatik.uni-trier.de>, "<oauth@ietf.org>" <oauth@ietf.org>, ralf Kuesters <kuesters@uni-trier.de>
Subject: Re: [OAUTH-WG] Another CSRF attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2016 21:00:56 -0000
Also, for OIDC the spec explicitly mentions about the state parameter: "Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by binding the value of this parameter with a browser cookie" which is stronger that what OAuth provides on its own; though it does not not explicitly mention to store the issuer as part of that state, Clients would typically do that using the same mechanism AFAICT. Though this attack may not have been spelled out before, IMHO it falls out of the previously described ones and sending the "state" to the token endpoint was proposed to mitigate using stolen codes to impersonate users whereas per-issuer redirect URIs which were proposed to prevent a code from being stolen. Hans. On Thu, May 5, 2016 at 8:50 PM, Justin Richer <jricher@mit.edu> wrote: > I’ve not heard this attack spelled out like this, but I know that our > client library was explicitly coded to prevent this by remembering the > “issuer” of the outgoing request and tying that to the session and state > value. > > — Justin > > > On May 5, 2016, at 10:13 AM, Daniel Fett <fett@uni-trier.de> wrote: > > > > We found another attack on session integrity (read: a CSRF attack). > > > > This attack breaks the session integrity for clients that allow the use > > of multiple AS where one AS might be malicious. It only works for > > clients that do not use a session or cookie to track which AS a user > > wanted to use when starting the OAuth flow. (We assume that such > > clients, in lack of other options, use different redirection URIs for > > the different AS.) > > > > Let's call the malicious AS AIdP and the honest HIdP. > > > > The attack works as follows: When a user wants to authorize using AIdP, > > AIdP redirects the user back to the redirection URI of HIdP at the > > client. AIdP attaches to this redirection URI the state issued by the > > client, and a authorization code or access token obtained from HIdP. The > > client then believes that the user logged in at HIdP. Hence, the user is > > logged in at the client using the attacker's identity at HIdP or the > > client accesses the attacker's resources at HIdP believing that these > > resources are owned by the user. > > > > This attack should also be applicable to OpenID Connect in all modes. > > > > The obvious fix here is that RP should track in a session or cookie > > where the user wanted to log in. Using different redirection URIs is not > > sufficient. > > > > Can anybody confirm this attack, and whether it was described before? > > > > Cheers, > > Daniel, Guido, Ralf > > > > -- > > Informationssicherheit und Kryptografie > > Universität Trier - Tel. 0651 201 2847 - H436 > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- [image: Ping Identity logo] <https://www.pingidentity.com/> Hans Zandbelt Principal Solutions Architect Ping Identity ------------------------------ [image: CIS 2016] <https://www.cloudidentitysummit.com/en/index.html>
- [OAUTH-WG] Another CSRF attack Daniel Fett
- Re: [OAUTH-WG] Another CSRF attack Justin Richer
- Re: [OAUTH-WG] Another CSRF attack Hans Zandbelt