IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

Anthony Nadalin <tonynad@microsoft.com> Mon, 15 August 2011 14:50 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C106F21F8BFE for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 07:50:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.466
X-Spam-Level:
X-Spam-Status: No, score=-7.466 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4q89-7aRKUp for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 07:50:41 -0700 (PDT)
Received: from smtp.microsoft.com (mail3.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id A534B21F8BF3 for <oauth@ietf.org>; Mon, 15 Aug 2011 07:50:41 -0700 (PDT)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (157.54.80.48) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Mon, 15 Aug 2011 07:51:27 -0700
Received: from VA3EHSOBE008.bigfish.com (157.54.51.112) by mail.microsoft.com (157.54.80.48) with Microsoft SMTP Server (TLS) id 14.1.323.7; Mon, 15 Aug 2011 07:51:26 -0700
Received: from mail143-va3-R.bigfish.com (10.7.14.250) by VA3EHSOBE008.bigfish.com (10.7.40.28) with Microsoft SMTP Server id 14.1.225.22; Mon, 15 Aug 2011 14:51:25 +0000
Received: from mail143-va3 (localhost.localdomain [127.0.0.1]) by mail143-va3-R.bigfish.com (Postfix) with ESMTP id 8C83C18900FB for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Mon, 15 Aug 2011 14:51:25 +0000 (UTC)
X-SpamScore: -31
X-BigFish: PS-31(zz9371K542M1432Nzz1202h1082kzz8275ch1033IL8275bh8275dhz31h2a8h668h839h944h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:207.46.4.139; KIP:(null); UIP:(null); IPV:SKI; H:SN2PRD0302HT013.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail143-va3: transitioning domain of microsoft.com does not designate 207.46.4.139 as permitted sender) client-ip=207.46.4.139; envelope-from=tonynad@microsoft.com; helo=SN2PRD0302HT013.namprd03.prod.outlook.com ; .outlook.com ;
Received: from mail143-va3 (localhost.localdomain [127.0.0.1]) by mail143-va3 (MessageSwitch) id 131341988579117_19317; Mon, 15 Aug 2011 14:51:25 +0000 (UTC)
Received: from VA3EHSMHS015.bigfish.com (unknown [10.7.14.238]) by mail143-va3.bigfish.com (Postfix) with ESMTP id F3F79F68055; Mon, 15 Aug 2011 14:51:24 +0000 (UTC)
Received: from SN2PRD0302HT013.namprd03.prod.outlook.com (207.46.4.139) by VA3EHSMHS015.bigfish.com (10.7.99.25) with Microsoft SMTP Server (TLS) id 14.1.225.22; Mon, 15 Aug 2011 14:51:23 +0000
Received: from SN2PRD0302MB137.namprd03.prod.outlook.com ([169.254.5.112]) by SN2PRD0302HT013.namprd03.prod.outlook.com ([10.27.90.203]) with mapi id 14.01.0225.064; Mon, 15 Aug 2011 14:51:22 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, "eran@sled.com" <eran@sled.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Thread-Topic: [OAUTH-WG] Auth Code Swap Attack
Thread-Index: AcxZImYoC2iZvOhxR/+zEXUukLHDogAF8TGAABMLNgAAEVWRAABSVdeAABFT4dA=
Date: Mon, 15 Aug 2011 14:51:21 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E723BB563D@SN2PRD0302MB137.namprd03.prod.outlook.com>
References: <4E46207A.6080404@lodderstedt.net> <CA6BD89B.17E85%eran@hueniverse.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.0.76]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: SN2PRD0302HT013.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%HUENIVERSE.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%SLED.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%LODDERSTEDT.NET$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14HUBC105.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC105.redmond.corp.microsoft.com
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2011 14:50:42 -0000

That's nice, four people come up with text and you decide to use your text. Making state optional does nothing to fix the protocol issue, people will get this wrong and have. Our developers have been through this and agreed upon the text that was generated. They find the text in the current draft unacceptable and confusing and think that new text is acceptable. 

So -1 on your text

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Sunday, August 14, 2011 11:32 PM
To: eran@sled.com; Torsten Lodderstedt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

I'm using my proposed text in -21.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf 
> Of Eran Hammer-Lahav
> Sent: Saturday, August 13, 2011 8:14 AM
> To: Torsten Lodderstedt
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
> 
> Again, the idea that you can produce a comprehensive description of 
> security threat is impractical if you are going to include every 
> browser-based attack and its remedies. OAuth use of browser 
> redirection imports almost every possible attack vector on the web. That's my point.
> People constantly bring up these attack vectors, and in multiple 
> flavors and variations, as if *anyone* can produce a complete list of these issues.
> 
> Now, this doesn't mean we should not try to be comprehensive but this 
> can go on forever.
> 
> The changes to 10.12 seem reasonable with the exception of the new 
> MUSTs.
> I disagree that we should mandate clients to use the state parameter 
> as the only CSRF protection vector, especially in an evolving web 
> environment. We can still include a MUST for verifying that the user 
> redirected to the authorization server is the same user coming back, 
> and highlight the state parameter as one way to accomplish that.
> 
> How about:
> 
> 
> state: OPTIONAL. An opaque value used by the client to maintain state 
> between the request and redirection. The authorization server includes 
> this value when redirecting the user-agent back to the client. Use of the "state"
> parameter is RECOMMENDED for preventing cross-site request forgery as 
> described in Section 10.12.
> 
> 
> 
> 
> Section 10.12 Cross-Site Request Forgery
> 
> 
> Cross-site request forgery (CSRF) is a web-based attack whereby HTTP 
> requests are transmitted from the user-agent of an end-user the server 
> trusts or has authenticated. CSRF attacks enable the attacker to 
> intermix the attacker's security context with that of the resource 
> owner resulting in a compromise of either the resource server or of the client application itself.
> 
> In the OAuth context, such attacks allow an attacker to inject their 
> own authorization code or access token into the client, which can 
> result in the client associating the attacker's protected resources to 
> the victim's account on the client. Depending on the nature of the 
> client and the protected resources, this can have undesirable and 
> damaging effects. In order to prevent such attacks, the client MUST employ CSRF protection.
> 
> It is strongly RECOMMENDED for the client to utilize the "state" 
> request parameter with authorization requests to the authorization 
> server. When used for CSRF prevention, the "state" request parameter 
> MUST contain a non-guessable value, which the client MUST also store 
> with the resource owner's user-agent in a location accessible only to 
> the client or the resource owner's user-agent (i.e., protected by 
> same-origin policy). For example, the client can using a DOM variable, HTTP cookie, or HTML5 client-side storage.
> 
> 
> When redirecting the resource owner's user-agent back to the client, 
> the authorization server includes the value of the "state" parameter. 
> Upon receiving the redirection request, the client MUST confirm that 
> returned value of the "state" parameter matches the value stored with 
> the resource owner's user-agent.
> 
> 
> EHL
> 
> 
> 
> 
> From:  Torsten Lodderstedt <torsten@lodderstedt.net>
> Date:  Fri, 12 Aug 2011 23:58:02 -0700
> To:  Eran Hammer-lahav <eran@hueniverse.com>
> Cc:  Anthony Nadalin <tonynad@microsoft.com>, "OAuth WG 
> (oauth@ietf.org)"
> <oauth@ietf.org>
> Subject:  Re: [OAUTH-WG] Auth Code Swap Attack
> 
> 
> >
> >
> >
> >
> >
> >
> >
> >    Am 12.08.2011 23:52, schrieb Eran Hammer-Lahav:
> >
> >      This is really just a flavor of CSRF attacks. I have no
> >        objections to better documenting it (though I feel the current
> >        text is already sufficient), but we can't realistically expect
> >        to identify and close every possible browser-based attack. A new
> >        one is invented every other week.
> >
> >
> >      The problem with this text is that developers who do no
> >        understand CSRF attacks are not likely to implement it correctly
> >        with this information. Those who understand it do not need the
> >        extra verbiage which is more confusing than helpful.
> >
> >
> >
> >    We are constantly facing the fact that a comprehensive description
> >    of security threats needs more space than we have in the core draft.
> >    That's the reason why the security document has 63 pages and that's
> >    also the reason why we decided to let the core spec refer to this
> >    document for in-depth explanations. This holds true for this threat
> >    as well.
> >
> >    regards,
> >    Torsten.
> >
> >
> >
> >
> >      As for the new requirements, they are insufficient to
> >        actually accomplish what the authors propose without additional
> >        requirements on state local storage and verification to complete
> >        the flow. Also, the proposed text needs clarifications as noted
> >        below.
> >
> >
> >
> >
> >
> >        From:  Anthony Nadalin <tonynad@microsoft.com>
> >          Date:  Fri, 12 Aug 2011
> >          12:06:36 -0700
> >          To:  "OAuth WG (oauth@ietf.org)"
> >          <oauth@ietf.org>
> >          Subject:  [OAUTH-WG]
> >          Auth Code Swap Attack
> >
> >
> >
> >        >
> >>
> >>
> >>
> >
> >
> >
> >
> >
> >
> >        >
> >>
> >>
> >>
> >>                Recommended
> >>                      Changes to draft-ietf-oauth-v2
> >>
> >>                In section 4, request options (e.g.
> >>                      4.1.1) featuring "state" should change from:
> >>
> >>                state
> >>                OPTIONAL.
> >>                    An opaque value used by the client to maintain state
> >>                    between the request and callback. The authorization
> >>                    server includes this value when redirecting the
> >>                    user-agent back to the client.
> >>
> >>                to:
> >>
> >>                state
> >>                REQUIRED.
> >>                    An opaque value used by the client to maintain state
> >>                    between the request and callback. The authorization
> >>                    server includes this value when redirecting the
> >>                    user-agent back to the client. The encoded value
> >>                    SHOULD enable the client application to determine
> >>                    the user-context that was active at the time of the
> >>                     request (see section 10.12). The value MUST NOT be
> >>                    guessable or predictable, and MUST be kept
> >>                    confidential.
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >      Making the parameter required without making its usage
> >        required (I.e. "value SHOULD enable") accomplishes nothing.
> >        Also, what does "MUST be kept confidential" mean? Confidential
> >        from what? Why specify an "encoded value"?
> >
> >
> >
> >
> >
> >        >
> >>
> >>
> >>
> >>                Section 10.12 Cross-Site Request
> >>                      Forgery
> >>
> >>                Change to:
> >>
> >>                Cross-site
> >>                    request forgery (CSRF) is a web-based attack whereby
> >>                    HTTP requests are transmitted from the user-agent of
> >>                    an end-user the server trusts or has authenticated.
> >>                    CSRF attacks enable the attacker to intermix the
> >>                    attacker's security context with that of
> >>                    the resource owner resulting in a compromise of
> >>                    either the resource server or of the client
> >>                    application itself. In the OAuth context,
> >>                    such attacks allow an attacker to inject their own
> >>                    authorization code or access token into a client,
> >>                    which can result in the client using an access token
> >>                    associated with the attacker's account rather than
> >>                    the victim's. Depending on the nature of the client
> >>                    and the protected resources, this can have
> >>                    undesirable and damaging effects.
> >>
> >>                    In order to prevent such attacks, the client
> >>                    application MUST encode a non-guessable,
> >>                    confidential end-user artifact and submit as the
> >>                    "state" parameter to authorization and access token
> >>                    requests to the authorization server. The client
> >>                    MUST keep the state value in a location accessible
> >>                    only by the client or the user-agent (i.e.,
> >>                    protected by same-origin policy), for example, using
> >>                    a DOM variable, HTTP cookie, or HTML5 client-side
> >>                    storage.
> >>
> >>                    The authorization server includes the value of the
> >>                    "state" parameter when redirecting the user-agent
> >>                    back to the client. Upon receiving a redirect, the
> >>                    client application MUST confirm that returned value
> >>                    of "state" corresponds to the state value of the
> >>                    user-agent's user session. If the end-user session
> >>                    represents an authenticated user-identity, the
> >>                    client MUST ensure that the user-identity has NOT
> >>                    changed.
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >      The above text uses 'user-context' and this 'user-identity'.
> >        Neither term is defined.
> >
> >
> >      EHL
> >
> >
> >
> >      _______________________________________________
> >OAuth mailing list
> >OAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
> >
> >
> >
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email