Re: [OAUTH-WG] validate authorization code in draft 12

Fri, 04 Mar 2011 19:11:20 -0800 

Huilan,
In the context of the OAuth protocol, can you describe how an innocent user can cause the right context and state to be established, and why a DDoS attacker can't accomplish the same, without making assumption on additional security measures that are not mandated or recommended by the OAuth specification? 

Best regards,
Eric




On Fri, Mar 4, 2011 at 10:36 AM, Lu, Hui-Lan 
(Huilan)<huilan...@alcatel-lucent.com>wrote:


   Eric,

   I'm confused. I didn't talk about an attacker impersonating Rob. At
   any rate, inasmuch as we are back to square one, I would maintain
   that receipt of an authorization code by the client alone is not
   sufficient for causing it to issue an access token request to the
   authorization server. The client has to have the right context and
   be in the right state for that to happen. I should say that it is
   valid to address DDoS attacks. At issue is only the plausibility of
   the chain reaction suggested.


   Best regards,
   Huilan

   ________________________________

           From:pf...@cs.stanford.edu
   <mailto:pf...@cs.stanford.edu>[mailto:pf...@cs.stanford.edu
   <mailto:pf...@cs.stanford.edu>]
           Sent: Friday, March 04, 2011 1:23 AM
           To: Lu, Hui-Lan (Huilan)
           Cc:pf...@cs.stanford.edu <mailto:pf...@cs.stanford.edu>;
   Torsten Lodderstedt;oauth@ietf.org <mailto:oauth@ietf.org>
           Subject: Re: [OAUTH-WG] validate authorization code in draft 12


           Hi Huilan,

           The vulnerability being mentioned here is not that an
   attacker impersonates Rob. Please refer to the original discussion
   below:
           "The issue is that according to the current draft, someone
   who owns a botnet can locate the redirect URIs of clients that
   listen on HTTP, and access them with random authorization codes, and
   cause HTTPS connections to be made on the Authorization Server (AS).
   There are a few things that the attacker can achieve with this OAuth
   flow that he cannot easily achieve otherwise : ..."

           The point 3. about the state parameter/CSRF defense is that
   they can have the beneficial effect of making the above attack more
   difficult, but does not prevent it.

           Best regards,
           Eric




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth






















					Reply via email to