Re: [OAUTH-WG] open redirect in rfc6749
John Bradley <ve7jtb@ve7jtb.com> Wed, 03 September 2014 16:15 UTC
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <54073D6F.6070203@redhat.com>
Date: Wed, 03 Sep 2014 12:14:37 -0400
Message-Id: <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com>
To: Bill Burke <bburke@redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zzMA7GV7h0lEEli4OMBta4j3LLI
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] open redirect in rfc6749
List-Id: OAUTH WG <oauth.ietf.org>
In the example the redirect_uri is valid for the attacker. The issue is that the AS may be allowing client registrations with arbitrary redirect_uri. In the spec it is unspecified how an AS validates that a client controls the redirect_uri it is registering.

I think that if anything it may be the registration step that needs the security consideration.

John B.

On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com> wrote:

> I don't understand. The redirect uri has to be valid in order for a redirect to happen. The spec explicitly states this.
>
> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>> hi *,
>>
>> IMHO providers that strictly follow rfc6749 are vulnerable to open redirect.
>> Let me explain, reading [0]
>>
>> If the request fails due to a missing, invalid, or mismatching
>> redirection URI, or if the client identifier is missing or invalid,
>> the authorization server SHOULD inform the resource owner of the
>> error and MUST NOT automatically redirect the user-agent to the
>> invalid redirection URI.
>>
>> If the resource owner denies the access request or if the request
>> fails for reasons other than a missing or invalid redirection URI,
>> the authorization server informs the client by adding the following
>> parameters to the query component of the redirection URI using the
>> "application/x-www-form-urlencoded" format, per Appendix B <https://tools.ietf.org/html/rfc6749#appendix-B>:
>>
>> Now let's assume this.
>> I am registering a new client to the victim.com <http://victim.com> provider.
>> I register redirect uri attacker.com <http://attacker.com>.
>>
>> According to [0] if I pass e.g. the wrong scope I am redirected back to attacker.com <http://attacker.com>.
>> Namely I prepare a url that is in this form:
>>
>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>>
>> and this works as an open redirector.
>> Of course in the positive case if all the parameters are fine this doesn't apply since the resource owner MUST approve the app via the consent screen (at least once).
>>
>> A solution would be to return error 400 rather than redirect to the redirect URI (as some provider e.g. Google do)
>>
>> WDYT?
>>
>> regards
>>
>> antonio
>>
>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
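The two behaviours discussed in this thread side by side, as an added example that is not code from the thread or from any provider: an authorization-endpoint error handler that follows RFC 6749 section 4.1.2.1 literally (a mismatching redirect_uri or unknown client_id is never redirected, but other errors such as invalid_scope are sent to the registered redirect_uri) and the hardened variant Antonio proposes (answer 400 for every pre-consent error, so a client registered with an untrusted redirect_uri cannot use the AS as a redirector). The client registry, client identifiers, scopes, URIs and the `strict` flag are constructed for this example; registration-time checks that a client actually controls the URI it registers, which John points to, are outside what the snippet models.

```python
"""Authorization-endpoint error handling for an OAuth 2.0 AS (added example).

Contrasts RFC 6749 section 4.1.2.1 behaviour (redirect errors such as
invalid_scope to the registered redirect_uri) with a hardened variant that
returns 400 instead of redirecting when the resource owner has not yet
approved the client. All registry entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registry: client_id -> list of exactly-registered redirect URIs.
# "client-b" stands for a client whose registered URI the AS has no reason to
# trust (the thread's attacker-registered client); the AS cannot tell it apart
# from "client-a" by looking at the request alone.
REGISTRY = {
    "client-a": ["https://app.example/cb"],
    "client-b": ["https://untrusted.example/cb"],
}
VALID_SCOPES = {"read", "write"}


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def registered_redirect_uri(client_id: Optional[str], redirect_uri: Optional[str]) -> Optional[str]:
    """Resolve the redirect URI by exact string match (RFC 6749 section 3.1.2.3).

    Returns the matching registered URI, the single registered URI when the
    request omits redirect_uri, or None when the client is unknown or the
    supplied value does not exactly equal a registered one."""
    uris = REGISTRY.get(client_id)
    if uris is None:
        return None
    if redirect_uri is None:
        return uris[0] if len(uris) == 1 else None
    return redirect_uri if redirect_uri in uris else None


def append_query(uri: str, extra: dict) -> str:
    """Append error parameters to the query component, keeping any existing
    query of the registered URI and dropping parameters that are None."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [(k, v) for k, v in extra.items() if v is not None]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def authorize(params: dict, strict: bool = False) -> Response:
    """Decide how the authorization endpoint answers an erroneous request.

    strict=False: RFC 6749 section 4.1.2.1 as written.
    strict=True:  the hardened behaviour proposed in the thread (HTTP 400
                  for every error raised before the consent screen)."""
    client_id = params.get("client_id")
    redirect_uri = registered_redirect_uri(client_id, params.get("redirect_uri"))
    # Unknown client or mismatching redirect_uri: the spec says MUST NOT
    # redirect, so the error is shown to the resource owner locally.
    if client_id not in REGISTRY or redirect_uri is None:
        return Response(400, body="invalid client_id or redirect_uri")

    error = None
    if params.get("response_type") != "code":
        error = "unsupported_response_type"
    elif not set(params.get("scope", "").split()) <= VALID_SCOPES:
        error = "invalid_scope"
    if error is None:
        return Response(200, body="show consent screen")

    if strict:
        # The resource owner has not consented to this client yet, so an
        # automatic redirect would bounce the user-agent to whatever URI the
        # client registered. Render the error on the AS instead.
        return Response(400, body=error)
    # Literal RFC behaviour: redirect with error (and state) in the query.
    return Response(302, location=append_query(redirect_uri, {"error": error, "state": params.get("state")}))


if __name__ == "__main__":
    bad_scope = {"client_id": "client-b", "redirect_uri": "https://untrusted.example/cb",
                 "response_type": "code", "scope": "WRONG_SCOPE", "state": "xyz"}
    print("rfc:   ", authorize(bad_scope))               # 302 to the registered URI
    print("strict:", authorize(bad_scope, strict=True))  # 400, no redirect
```

The decisive difference is in the last branch: with exact-match validation both variants refuse a redirect_uri that is not registered, but only the strict variant also refuses to redirect to a URI that is registered for a client the user has never approved, which is the case the thread is about.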