Re: [OAUTH-WG] open redirect in rfc6749

John Bradley <ve7jtb@ve7jtb.com> Wed, 03 September 2014 16:15 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <54073D6F.6070203@redhat.com>
Date: Wed, 03 Sep 2014 12:14:37 -0400
Message-Id: <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com>
To: Bill Burke <bburke@redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zzMA7GV7h0lEEli4OMBta4j3LLI
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] open redirect in rfc6749

In the example the redirect_uri is valid for the attacker.

The issue is that the AS may be allowing client registrations with arbitrary redirect_uri.

In the spec it is unspecified how an AS validates that a client controls the redirect_uri it is registering.

I think that if anything it may be the registration step that needs the security consideration.

John B.

On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com> wrote:

> I don't understand.  The redirect uri has to be valid in order for a redirect to happen.  The spec explicitly states this.
> 
> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>> hi *,
>> 
>> IMHO providers that strictly follow rfc6749 are vulnerable to open redirect.
>> Let me explain, reading [0]
>> 
>> If the request fails due to a missing, invalid, or mismatching
>>    redirection URI, or if the client identifier is missing or invalid,
>>    the authorization server SHOULD inform the resource owner of the
>>    error and MUST NOT automatically redirect the user-agent to the
>>    invalid redirection URI.
>> 
>>    If the resource owner denies the access request or if the request
>>    fails for reasons other than a missing or invalid redirection URI,
>>    the authorization server informs the client by adding the following
>>    parameters to the query component of the redirection URI using the
>>    "application/x-www-form-urlencoded" format, per Appendix B <https://tools.ietf.org/html/rfc6749#appendix-B>:
>> 
>> Now let’s assume this.
>> I am registering a new client to the victim.com <http://victim.com>
>> provider.
>> I register redirect uri attacker.com <http://attacker.com>.
>> 
>> According to [0] if I pass e.g. the wrong scope I am redirected back to
>> attacker.com <http://attacker.com>.
>> Namely I prepare a url that is in this form:
>> 
>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>> 
>> and this is works as an open redirector.
>> Of course in the positive case if all the parameters are fine this
>> doesn’t apply since the resource owner MUST approve the app via the
>> consent screen (at least once).
>> 
>> A solution would be to return error 400 rather than redirect to the
>> redirect URI (as some provider e.g. Google do)
>> 
>> WDYT?
>> 
>> regards
>> 
>> antonio
>> 
>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
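The two points in this thread, shown side by side as an added example (not code from the thread or from any provider): an authorization endpoint that follows RFC 6749 section 4.1.2.1 literally redirects an `invalid_scope` error to the registered redirect_uri, while the 400-instead-of-redirect policy Antonio describes does not; and a registration step that refuses a redirect_uri whose ownership was not verified, as John suggests. The client registry, `register_client`, the `ownership_verified` flag and the `redirect_on_error` switch are assumptions made for this illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registry reproducing the thread's scenario: a client registered
# at the AS with an arbitrary redirect_uri that the AS never verified.
CLIENTS = {
    "bc88FitX1298KPj2WS259BBMa9_KCfL3": {
        "redirect_uris": {"http://attacker.com"},
        "scopes": {"openid", "profile"},
    }
}


def register_client(client_id, redirect_uri, ownership_verified):
    """Registration-time control (assumed): only accept a redirect_uri once
    some out-of-band verification has shown the client controls it."""
    if not ownership_verified:
        raise ValueError("redirect_uri ownership not verified")
    CLIENTS[client_id] = {"redirect_uris": {redirect_uri}, "scopes": {"openid"}}


def authorize(url, redirect_on_error):
    """Return (http_status, location) for an authorization request URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    redirect_uri = q.get("redirect_uri")
    # RFC 6749 4.1.2.1: invalid client_id or mismatching redirect_uri
    # MUST NOT redirect; the error is shown to the resource owner instead.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return (400, None)
    error = None
    if q.get("response_type") != "code":
        error = "unsupported_response_type"
    elif not set(q.get("scope", "").split()) <= client["scopes"]:
        error = "invalid_scope"
    if error is None:
        return (200, None)  # render consent screen; owner must approve
    if redirect_on_error:
        # Literal spec behaviour: redirect the error to the registered URI.
        params = {"error": error}
        if "state" in q:
            params["state"] = q["state"]
        return (302, redirect_uri + "?" + urlencode(params))
    # Hardened policy from the thread: surface the error, do not redirect.
    return (400, None)


# The request from the thread (constructed here for illustration).
REQUEST = ("http://victim.com/authorize?response_type=code"
           "&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3"
           "&scope=WRONG_SCOPE&redirect_uri=http://attacker.com")
```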