Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread tors...@lodderstedt.net
Hi Daniel, how are the attackers supposed to utilise the leaked state value? I would assume the legit client binds it to a certain user agent, e.g. via the session context, which is not available to the attacker. best regards, Torsten. Original message Subject: Re: [OAUTH-WG]

Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

2016-04-22 Thread Fregly, Andrew
Hi George, You have the flow right for how I have been approaching the problem. Note that the client doesn’t have to be a mobile app, but that represents well what we are trying to solve. Per your recommendation, what I am missing in my knowledge is a standard for how the AS could be directed t

Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread Antonio Sanso
On Apr 22, 2016, at 4:42 PM, Daniel Fett <f...@uni-trier.de> wrote: On 22.04.2016 at 16:39, Antonio Sanso wrote: hi Daniel On Apr 22, 2016, at 4:35 PM, Daniel Fett <f...@uni-trier.de> wrote: Hi Antonio, On 22.04.2016 at 16:30, Antonio Sanso wrote: H

Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread Daniel Fett
On 22.04.2016 at 16:39, Antonio Sanso wrote: > hi Daniel > > On Apr 22, 2016, at 4:35 PM, Daniel Fett > wrote: > >> Hi Antonio, >> >> On 22.04.2016 at 16:30, Antonio Sanso wrote: Hi all, During our formal analysis of OAuth we found an attack that allows

Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread Daniel Fett
On 22.04.2016 at 16:35, Daniel Fett wrote: > The attack is not based on a manipulation of the redirect_uri. Instead, > a correct redirect_uri is used, but the page loaded from the > redirect_uri contains links or external resources (intentionally or not). (This of course describes our attack, not

Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread Antonio Sanso
hi Daniel On Apr 22, 2016, at 4:35 PM, Daniel Fett <f...@uni-trier.de> wrote: Hi Antonio, On 22.04.2016 at 16:30, Antonio Sanso wrote: Hi all, During our formal analysis of OAuth we found an attack that allows CSRF. It is similar to the "code" leak described by Homakov in [1] and there

Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread Daniel Fett
Hi Antonio, On 22.04.2016 at 16:30, Antonio Sanso wrote: >> Hi all, >> >> During our formal analysis of OAuth we found an attack that allows >> CSRF. It is similar to the "code" leak described by Homakov in [1] and >> therefore not really surprising. In this attack, the intention for an >> attack

Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread Antonio Sanso
hi Daniel On Apr 22, 2016, at 4:20 PM, Daniel Fett wrote: > Hi all, > > During our formal analysis of OAuth we found an attack that allows > CSRF. It is similar to the "code" leak described by Homakov in [1] and > therefore not really surprising. In this attack, the intention for an > attacker

[OAUTH-WG] Multi-AS State Re-Use

2016-04-22 Thread Daniel Fett
Hi all, Besides the state leakage attack we found that another important fact regarding state is underspecified: Each state value should only be used for one run of the protocol, in particular, each AS should see a different state in multi-AS settings. Clients might be tempted to generate state on
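The two rules discussed in this thread, a state bound to the user agent's session (Torsten's question above) and a fresh state for each protocol run and each authorization server (this message), as an added Python example that is not code from the thread or from any of its participants. The plain dict standing in for the server-side session, the session key name and the AS issuer URLs are assumptions of the example; the state is also consumed on first use at the redirect_uri, so a value that leaked from the landing page cannot be presented a second time.

```python
"""Client-side handling of the OAuth 2.0 ``state`` parameter.

Added example, not from the OAUTH-WG thread. Rules implemented:
  * a new unguessable state for every run of the protocol,
  * the state is recorded together with the AS that run targets,
  * the record lives in the user agent's own session, so another
    session cannot present it,
  * the record is removed the first time it is checked (single use).
"""
import secrets
from typing import Optional


class StateStore:
    """Pending OAuth runs of one user-agent session, keyed by state value.

    ``session`` is an ordinary dict standing in for the framework's
    server-side session object (an assumption of this example).
    """

    KEY = "oauth_pending"  # hypothetical session key, an assumption

    def __init__(self, session: dict):
        self.session = session
        self.session.setdefault(self.KEY, {})

    def new_state(self, as_issuer: str) -> str:
        """Return a fresh state for one run against ``as_issuer``.

        The value is random per run and never derived from the session id,
        so two authorization servers never see the same state.
        """
        state = secrets.token_urlsafe(32)
        self.session[self.KEY][state] = {"as": as_issuer}
        return state

    def consume(self, as_issuer: str, state: Optional[str]) -> bool:
        """Check the state on the redirect_uri callback for ``as_issuer``.

        Returns True at most once per issued state. The record is removed
        before the result is computed, so a replayed (e.g. leaked) state
        fails, and a state issued for a different AS fails as well.
        """
        if state is None:
            return False
        record = self.session[self.KEY].pop(state, None)
        if record is None:
            return False
        return record["as"] == as_issuer


# Hypothetical authorization servers used only for the demonstration.
AS_A = "https://as-a.example"
AS_B = "https://as-b.example"


def demo() -> dict:
    """Run the checks a practitioner would want and report each outcome."""
    user = StateStore({})          # the honest user's session
    s_a = user.new_state(AS_A)     # run 1 against AS A
    s_b = user.new_state(AS_B)     # run 2 against AS B
    s_c = user.new_state(AS_A)     # run 3 against AS A, still pending
    attacker = StateStore({})      # a different user agent session
    return {
        "distinct_per_as": s_a != s_b,
        "valid_first_use": user.consume(AS_A, s_a),
        "replay_rejected": not user.consume(AS_A, s_a),
        "wrong_as_rejected": not user.consume(AS_A, s_b),
        "other_session_rejected": not attacker.consume(AS_A, s_c),
        "missing_state_rejected": not user.consume(AS_A, None),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The single-use rule is what makes a leaked value harmless after the legitimate redirect: the record is popped before the AS comparison, so even a state presented at the correct callback a second time is refused. Binding alone (the session lookup) only stops a third party's session from presenting the value; it does not stop a leaked state from being replayed into the victim's own session, which is why both rules are applied together.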

[OAUTH-WG] State Leakage Attack

2016-04-22 Thread Daniel Fett
Hi all, During our formal analysis of OAuth we found an attack that allows CSRF. It is similar to the "code" leak described by Homakov in [1] and therefore not really surprising. In this attack, the intention for an attacker is to steal the "state" value instead of the "code" value. Setting: In