IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

Phil Hunt <phil.hunt@oracle.com> Wed, 07 September 2011 03:41 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B14621F8D9E for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 20:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.157
X-Spam-Level:
X-Spam-Status: No, score=-5.157 tagged_above=-999 required=5 tests=[AWL=1.442, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BsGGT2lYY8fX for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 20:41:01 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id D380021F8DB7 for <oauth@ietf.org>; Tue, 6 Sep 2011 20:41:00 -0700 (PDT)
Received: from rtcsinet22.oracle.com (rtcsinet22.oracle.com [66.248.204.30]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p873gj1R030302 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 7 Sep 2011 03:42:47 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by rtcsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p873ghw8025491 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Sep 2011 03:42:44 GMT
Received: from abhmt104.oracle.com (abhmt104.oracle.com [141.146.116.56]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p873garL002917; Tue, 6 Sep 2011 22:42:36 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 06 Sep 2011 20:42:36 -0700
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="windows-1252"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234518A4F23D8@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 06 Sep 2011 20:42:38 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <EF75767C-ECFF-438D-A002-AB1DE1F55BA9@oracle.com>
References: <B26C1EF377CB694EAB6BDDC8E624B6E723BA5043@SN2PRD0302MB137.namprd03.prod.outlook.com> <CA6AE9D9.17DE9%eran@hueniverse.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CE8D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72345029DFA961@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E5148A8.8070903@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234518A292F49@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E5494D4.4060109@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234518A293491@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B26C1EF377CB694EAB6BDDC8E624B6E7263E772F@SN2PRD0302MB137.namprd03.prod.outlook.com> <1314299478.57208.YahooMailNeo@web31812.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E7234518A4F23D6@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E7234518A4F23D8@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: rtcsinet22.oracle.com [66.248.204.30]
X-CT-RefId: str=0001.0A090209.4E66E838.0026,ss=1,re=-2.300,fgs=0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>, "eran@sled.com" <eran@sled.com>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 03:41:02 -0000

Eran,

Just took a look at the text. This new version looks much improved. I think this is a good compromise.

Thanks,

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-09-04, at 4:25 PM, Eran Hammer-Lahav wrote:

> The corresponding 'state' parameter definition:
> 
>                RECOMMENDED. An opaque value used by the client to maintain state between the request
>                and callback. The authorization server includes this value when redirecting the
>                user-agent back to the client. The parameter SHOULD be used for preventing
>                cross-site request forgery as described in section 10.12.
> 
> EHL
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Eran Hammer-Lahav
>> Sent: Sunday, September 04, 2011 4:20 PM
>> To: William J. Mills; Anthony Nadalin; Torsten Lodderstedt
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>> This is my proposed text for -21 (based on Bill's text as a starting point):
>> 
>> 10.12.  Cross-Site Request Forgery
>> 
>>   Cross-site request forgery (CSRF) is an exploit in which an attacker
>>   causes the user-agent of a victim end-user to follow a malicious URI
>>   (e.g. provided to the user-agent as a misleading link, image, or
>>   redirection) to a trusting server (usually established via the
>>   presence of a valid session cookie).
>> 
>>   A CSRF attack against the client's redirection URI allows an attacker
>>   to inject their own authorization code or access token, which can
>>   result in the client using an access token associated with the
>>   attacker's protected resources rather than the victim's (e.g. save
>>   the victim's bank account information to a protected resource
>>   controlled by the attacker).
>> 
>>   The client MUST implement CSRF protection for its redirection URI.
>>   This is typically accomplished by requiring any request sent to the
>>   redirection URI endpoint to include a value that binds the request to
>>   the user-agent's authenticated state (e.g. a hash of the session
>>   cookie used to authentication the user-agent).  The client SHOULD
>>   utilize the "state" request parameter to deliver this value to the
>>   authorization server when making an authorization request.
>> 
>>   Once authorization has been obtained from the end-user, the
>>   authorization server redirects the end-user's user-agent back to the
>>   client with the required binding value contained in the "state"
>>   parameter.  The binding value enables the client to validate the
>>   validity of the request by matching the binding value to the user-
>>   agent's authenticated state.  The binding value used for CSRF
>>   protection MUST contain a non-guessable value, and the user-agent's
>>   authenticated state (e.g. session cookie, HTML5 local storage) MUST
>>   be kept in a location accessible only to the client and the user-
>>   agent (i.e., protected by same-origin policy).
>> 
>>   A CSRF attack against the against the authorization server's
>>   authorization endpoint can result in an attacker obtaining end-user
>>   authorization for a malicious client without involving or alerting
>>   the end-user.
>> 
>>   The authorization server MUST implement CSRF protection for its
>>   authorization endpoint, and ensure that a malicious client cannot
>>   obtain authorization without the awareness and explicit consent of
>>   the resource owner.
>> 
>> EHL
>> 
>> 
>> From: William J. Mills [mailto:wmills@yahoo-inc.com]
>> Sent: Thursday, August 25, 2011 12:11 PM
>> To: Anthony Nadalin; Eran Hammer-Lahav; Torsten Lodderstedt
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>> I had proposed text, and I'll reprise it here with a modification to make the
>> authorizaton server related explicit.
>> 
>> 10.12.  Cross-Site Request Forgery
>> 
>> Cross-site request forgery (CSRF) is an attack whereby malicious URLs are
>> sent to the user-agent of an end user (generally as hidden links or images)
>> and transmitted from the user-agent the server trusts or has authenticated.
>> The most commonly exploited mechanism for this is credentials held in
>> cookies automatically presented by a web browser.  CSRF attacks against the
>> client's redirection URI allow an attacker to inject their own authorization
>> code or access token, which can result in the client using an access token
>> associated with the attacker's account rather than the victim's.  CSRF attacks
>> are also possible against an authorization endpoint resulting in delivering a
>> user credential to an attacker.
>> 
>> Client applications MUST implement CSRF protection for the redirection
>> URI.  CSRF protection for a request is data included in the request that ties
>> that request to the user's authenticated state, i.e. a cryptographic signature
>> of the user credential and the redirection URI path.  Upon receipt of a
>> request the client application computes the CSRF data based on the
>> presented credential and compares that to the CSRF protection data
>> presented in the request.  CSRF protection data MUST contain a non-
>> guessable value, and the client MUST keep it in a location accessible only by
>> the client or the user-agent (i.e., protected by same-origin policy). The
>> "state" redirection URI parameter is provided as one method of carrying
>> CSRF protection data, and is RECOMMENDED to provide the greatest
>> compatibility with systems implementing strong redirection URI validation.
>> 
>> Authorization servers MUST implement CSRF protection for authorization
>> requests, use of the "state" parameter is RECOMMENDED as the way to
>> transmit the CSRF protection data.  The CSRF protection data MUST contain a
>> non-guessable value, and MUST be presented as part of the authorization
>> request data (e.g. not as a cookie).  Authorization servers MAY use proof of
>> previous  authorization by a user for a client in lieu of explicit CSRF protection.
>> 
>> For example, using a DOM variable, HTTP cookie, or HTML5 client-side
>> storage.  The authorization server includes the value of the "state"
>> parameter when redirecting the user-agent back to the client which MUST
>> then validate the received value against the stored value, or by recomputing
>> the expected value of the CSRF protection data and comparing that to the
>> value presented.
>> 
>> 
>> 
>> ________________________________________
>> From: Anthony Nadalin <tonynad@microsoft.com>
>> To: Eran Hammer-Lahav <eran@hueniverse.com>; Torsten Lodderstedt
>> <torsten@lodderstedt.net>
>> Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
>> Sent: Thursday, August 25, 2011 8:11 AM
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack I have not seen any
>> updated text, so I don’t believe we have consensus. Also we have a flawed
>> protocol and we are not providing a fix, suggest that MUST be on the state
>> also unless someone has a better fix
>> 
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Eran Hammer-Lahav
>> Sent: Wednesday, August 24, 2011 7:54 AM
>> To: Torsten Lodderstedt
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>> I believe we have full consensus on this approach.
>> 
>> EHL
>> 
>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> Sent: Tuesday, August 23, 2011 11:06 PM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>> making CSRF prevention a MUST and recommending the state parameter as
>> implementation pattern is ok with me.
>> 
>> regards,
>> Torsten.
>> 
>> Am 21.08.2011 21:02, schrieb Eran Hammer-Lahav:
>> I light to the recent discussion, do you still feel that changing ‘state’ from
>> optional to required is the best approach?
>> 
>> EHL
>> 
>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> Sent: Sunday, August 21, 2011 11:04 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>> My intention is to require clients to implement CSRF prevention. I thought
>> making the state parameter mandatory would be the straightforward way.
>> 
>> regards,
>> Torsten.
>> 
>> Am 18.08.2011 08:04, schrieb Eran Hammer-Lahav:
>> I would like to hear from the other 3 authors of the proposed change about
>> their reasons for changing the use of ‘state’ from recommended to required
>> for CSRF prevention. It would also help moving this issue forward if the 4
>> authors can provide answers or clarifications on the issues raised below.
>> 
>> Assuming we can count all 4 authors are in favor of making the change, I
>> believe we have a tie (4:4) and therefore no consensus for making it (as of
>> this point). However, we did identify issues with the section’s language and
>> clarity which we should address either way.
>> 
>> To clarify – I am not proposing we close this issue just yet.
>> 
>> EHL
>> 
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Eran Hammer-Lahav
>> Sent: Monday, August 15, 2011 9:35 AM
>> To: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>> To demonstrate why making state required as proposed isn’t very helpful,
>> here is an incomplete list of other requirements needed to make an
>> effective CSRF:
>> 
>> * State value must not be empty (a common bug in many implementations
>> using simple value comparison).
>> 
>> * ‘Non-guessable’ isn’t sufficient as most developers will simply use a hash of
>> the session cookie, with or without salt which isn’t sufficient. We use “cannot
>> be generated, modified, or guessed to produce valid values” elsewhere in
>> the document, but this is much easier to get right for access tokens and
>> refresh tokens than CSRF tokens which are often just some algorithm on top
>> of the session cookie.
>> 
>> * State CSRF value should be short-lived or based on a short-lived session
>> cookie to prevent the use of a leaked state value in multiple attacks on the
>> same user session once the leak is no longer viable.
>> 
>> In addition, this is not what “state” was originally intended for. If the working
>> group decides to mandate a CSRF parameter, it should probably be a new
>> parameter with a more appropriate name (e.g. ‘csrf’). By forcing clients to
>> use “state” for this purpose, developers will need to use dynamic queries for
>> other state information which further reduces the security of the protocol
>> (as the draft recommends not using dynamic callback query components).
>> Encoding both CSRF tokens and other state information can be non-intuitive
>> or complicated for some developers/platforms.
>> 
>> EHL
>> 
>> 
>> 
>> 
>> From: Eran Hammer-Lahav
>> Sent: Friday, August 12, 2011 2:53 PM
>> To: Anthony Nadalin; OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>> 
>> This is really just a flavor of CSRF attacks. I have no objections to better
>> documenting it (though I feel the current text is already sufficient), but we
>> can't realistically expect to identify and close every possible browser-based
>> attack. A new one is invented every other week.
>> 
>> The problem with this text is that developers who do no understand CSRF
>> attacks are not likely to implement it correctly with this information. Those
>> who understand it do not need the extra verbiage which is more confusing
>> than helpful.
>> 
>> As for the new requirements, they are insufficient to actually accomplish
>> what the authors propose without additional requirements on state local
>> storage and verification to complete the flow. Also, the proposed text needs
>> clarifications as noted below.
>> 
>> 
>> From: Anthony Nadalin <tonynad@microsoft.com>
>> Date: Fri, 12 Aug 2011 12:06:36 -0700
>> To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
>> Subject: [OAUTH-WG] Auth Code Swap Attack
>> 
>> 
>> 
>> Recommended Changes to draft-ietf-oauth-v2
>> 
>> In section 4, request options (e.g. 4.1.1) featuring "state" should change
>> from:
>> 
>> state
>> OPTIONAL. An opaque value used by the client to maintain state between
>> the request and callback. The authorization server includes this value when
>> redirecting the user-agent back to the client.
>> 
>> to:
>> 
>> state
>> REQUIRED. An opaque value used by the client to maintain state between
>> the request and callback. The authorization server includes this value when
>> redirecting the user-agent back to the client. The encoded value SHOULD
>> enable the client application to determine the user-context that was active at
>> the time of the  request (see section 10.12). The value MUST NOT be
>> guessable or predictable, and MUST be kept confidential.
>> 
>> 
>> Making the parameter required without making its usage required (I.e.
>> "value SHOULD enable") accomplishes nothing. Also, what does "MUST be
>> kept confidential" mean? Confidential from what? Why specify an "encoded
>> value"?
>> 
>> 
>> Section 10.12 Cross-Site Request Forgery
>> 
>> Change to:
>> 
>> Cross-site request forgery (CSRF) is a web-based attack whereby HTTP
>> requests are transmitted from the user-agent of an end-user the server
>> trusts or has authenticated. CSRF attacks enable the attacker to intermix the
>> attacker's security context with that of the resource owner resulting in a
>> compromise of either the resource server or of the client application itself. In
>> the OAuth context, such attacks allow an attacker to inject their own
>> authorization code or access token into a client, which can result in the client
>> using an access token associated with the attacker's account rather than the
>> victim's. Depending on the nature of the client and the protected resources,
>> this can have undesirable and damaging effects.
>> 
>> In order to prevent such attacks, the client application MUST encode a non-
>> guessable, confidential end-user artifact and submit as the "state" parameter
>> to authorization and access token requests to the authorization server. The
>> client MUST keep the state value in a location accessible only by the client or
>> the user-agent (i.e., protected by same-origin policy), for example, using a
>> DOM variable, HTTP cookie, or HTML5 client-side storage.
>> 
>> The authorization server includes the value of the "state" parameter when
>> redirecting the user-agent back to the client. Upon receiving a redirect, the
>> client application MUST confirm that returned value of "state" corresponds
>> to the state value of the user-agent's user session. If the end-user session
>> represents an authenticated user-identity, the client MUST ensure that the
>> user-identity has NOT changed.
>> 
>> 
>> The above text uses 'user-context' and this 'user-identity'. Neither term is
>> defined.
>> 
>> EHL
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email