On Apr 22, 2016, at 4:42 PM, Daniel Fett <f...@uni-trier.de<mailto:f...@uni-trier.de>> wrote:
Am 22.04.2016 um 16:39 schrieb Antonio Sanso: hi Daniel On Apr 22, 2016, at 4:35 PM, Daniel Fett <f...@uni-trier.de<mailto:f...@uni-trier.de> <mailto:f...@uni-trier.de>> wrote: Hi Antonio, Am 22.04.2016 um 16:30 schrieb Antonio Sanso: Hi all, During our formal analysis of OAuth we found an attack that allows CSRF. It is similar to the "code" leak described by Homakov in [1] and therefore not really surprising. In this attack, the intention for an attacker is to steal the "state" value instead of the "code" value. Setting: In the auth code grant, after authentication to the AS, the user is redirected to some page on the Client. If this page leaks the referrer, i.e., there is a link to the attacker's website or some resource is loaded from the attacker, then the attacker can see not only code but also state in the Referer header of the request. The fact that code can leak was described in [1]. Since code is single-use, it might be already redeemed in most cases when it is sent to the attacker. probably is not redeemed instead, just because the redirect_uri is not the correct one. The mitigation that good implemented AS use (also Github) is to follow section 4.1.3 the OAuth core specification [RFC6749], in particular: "ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical." The attack is not based on a manipulation of the redirect_uri. Instead, a correct redirect_uri is used, but the page loaded from the redirect_uri contains links or external resources (intentionally or not). right. so is not really [1] :) since there there is manipulation using /../../ Of course. Now the real question why a legit redirect_uri should contain links to malicious external resources? Well, why not? :) Anyway, developers should be made aware that having external resources/links on these pages is a bad idea. agree about the awareness. It is more likely that such a page contains resource/links e.g. in the form of <script src=“ to not malicious target. E.g. if the page is using angular than there is <script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.2.23/angular.js";></script> . In this case IMHO this is more a privacy issue rather than a real security threat. regards antonio - Daniel -- Informationssicherheit und Kryptografie Universität Trier - Tel. 0651 201 2847 - H436
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
