Nara Institute of Science and Technology l Student (M2) l Research on ID Federation Security l OAuth, OpenID Connect l SECCON Beginners CTF Writer X : @melonattacker
Spread of social login Normal Login Web app A Web app B Web app C Cred Cred Cred Cred Burden increace Burden decreace Social Login Web app A Web app B Web app C
User Relying Party (RP) ID Provider (IdP) 2. ID Token Leave user authentication to an external service (IdP) 1. Authentication Token containing user attribute information
Connect(OIDC) Access Token Token that allows access to user resources Can also issue tokens that allow access to user resources User Relying Party (RP) ID Provider (IdP)
profile email &client_id=dkn9nE9…MPuifABrH &state=af0ifjsldkj &redirect_uri=https://rp.example.com/cb URL to redirect RP IdP User Authentication Request
"Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyJhb…KMzqg" } RP IdP User Token response Access Token Used by the RP to acquire user resources
"Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyJhb…KMzqg" } RP IdP User Token response ID Token Used for user authentication in the RP
l Multiple entities interact l Potential vulnerabilities exist throughout the auth flow l Checking behavior during the auth flow operations is essential l Customizing scenarios flexibly is essential to address various vulnerabilities Vuln User RP IdP
l Multiple entities interact l Potential vulnerabilities exist throughout the auth flow l Checking behavior during the auth flow operations is essential l Customizing scenarios flexibly is essential to address various vulnerabilities Vuln User RP IdP
l Multiple entities interact l Potential vulnerabilities exist throughout the auth flow l Checking behavior during the auth flow operations is essential l Customizing scenarios flexibly is essential to address various vulnerabilities Vuln Research Objective : Create a test tool that allows for highly customizable scenarios User RP IdP
vulnerability l Resulting from improper implementation of the specification l Indicated in specification’s Security Consideration l Implementation-Based vulnerability l Resulting from implementation outside of specification l Vulnerabilities registered as CVE, etc. Test Issue 1 : Test coverage
Resulting from implementation methods such as unique protocol extensions and session management l Vulnerabilities due to using server/database l Resulting from improper use of the server, database, etc l Vulnerabilities due to using language/framework l Resulting from improper use of the language and framework l Vulnerabilities due to chained exploitation of RP/IdP l Resulting from situation where chained exploitation of RP/IdP is possible Resulting from implementation outside of specification
l Session poisoning resulting from improper session management l Vulnerabilities due to using server/database l LDAP injection resulting from improper handling of LDAP query l Vulnerabilities due to using language/framework l Incomplete redirect_uri validation resulting from improper use of Auto Binding l Vulnerabilities due to chained exploitation of RP/IdP l Valid authorization code theft by exploiting RP's XSS and IdP's authorization code consumption flaws Resulting from implementation outside of specification
2 : Customizability of scenarios Requirement1 : Fixed scenario Operation A Operation B Operation C Requirement2 : Operations can be disabled Requirement3 : Order of operations can be changed Variable A Requirement4 : Variables within operations can be specified Customizability required for detecting implementation-based vulns Operation A Operation B Operation C Operation B Operation A Operation C Operation A Operation B Operation C
Issue 3 : Reproducibility Simulate both victim and attacker operations OP 1 OP 2 OP 3 OP 1 OP 2 OP 3 Victim Attacker Manipulate multiple parameters in multiple requests
of scenarios Reproducibility OSBT[3] ◯ Spec-based vulns, implementation- based vulns ◯ Requirement 1,2,3,4 ◯ Automation Tool that allows you to programmatically write and execute test scenarios [3] OSBT, https://github.com/oidc-scenario-based-tester/osbt
coverage, Customizability of scenarios Scenario 1 Scenario 2 Scenario 3 Existing tools Test scenarios are built into the tool Implementation-Based vulns cannot be tested New Scenario OSBT Can create customizable scenarios Scenario Description Function Implementation-Based vulns can be tested
Operations on the screen, expanding URLs, and acquiring page sources l HTTP request/response manipulation function l Data tampering, sending multiple parameters, interception, obtaining history l Attacker IdP operation function l Specifying returned ID tokens, IdP information, etc. l Attacker server operation function l Referring to logs to check the possibility of stealing authorization codes or tokens Developed based on scenario description requirements
User Attacker Expanding URLs Malicious URL Acquiring page sources Operation on the screen Addressing vulnerabilities that require phishing Automating browser operations during auth flow Used to judge test results
IdP Interception User Proxy server Addressing vulnerabilities due to inadequate parameter validation. Obtaining history Used to judge test results Used to interrupt the authentication flow Data tampering Sending multiple params
Attacker IdP User Specifying IdP information Addressing vulnerabilities due to inadequate IdP information validation Specifying token Addressing vulnerabilities due to inadequate token validation
for flaws in redirect_uri validation Setup Sending commands to tamper with the redirect_uri Execute the authentication flow Refer to the attacker server's log.
redirect_uri bypass via Auto Biding GET /consent ?response_type=code &scope=openid profile email &client_id=dkn9nE9…MPuifABrH &state=af0ifjsldkj &redirect_uri=https://rp.example.com/cb Don’t validate redirect_uri Query params inherited via Auto Binding
?response_type=code &scope=openid profile email &client_id=dkn9nE9…MPuifABrH &state=af0ifjsldkj &redirect_uri=https://rp.example.com/cb Authentication Request IdP RP User Tie the params to the user’s sesison Session cookie
?response_type=code &scope=openid profile email &client_id=attacker_client_id &state=af0ifjsldkj &redirect_uri=https://attacker.com Authentication Request IdP RP User Parameters tied to the session are updated Send this request at the same time Same Session cookie
Party (RP) ID Provider (IdP) Attacker 1. Phishing url 3. Authentication request GET /authorize Cookie: session=kA..sK … &client_id=honest &redirect_uri= https://rp.example.com 2. Open web site
Party (RP) ID Provider (IdP) Attacker 1. Phishing url 4. Authentication request GET /authorize Cookie: session=kA..sK … &client_id=attacker &redirect_uri= https://attacker.com 2. Open web site
Party (RP) ID Provider (IdP) Attacker 1. Phishing url 2. Open web site 5. Consent POST /consent Cookie: session=kA..sK … consent=“Yes” 6. Redirect to redirect_uri https://attacker.com? code=Splxl…xSbIA Authorization code leaked!!
l Unable to detect implementation-based vulnerabilities l Research Objective l Create a test tool that allows for highly customizable scenarios l OSBT l Enable the execution of scenarios created using the description function l DEMO l Can detects two implementation-based vulnerabilities l Available in Github Actions (CI) Summary
of web applications for Single Sign-On vulnerabilities." 23rd {USENIX} Security Symposium ({USENIX} Security 14). 2014. [2] Mainka, Christian, et al. "SoK: single sign-on security—an evaluation of openID connect." 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017. [3] OSBT, https://github.com/oidc-scenario-based-tester/osbt Image: https://flaticon.com/ References
.png){kind=small}
.png){kind=avatar}
.png){kind=avatar}
melonattacker
sakama
quiver
quramy
bkuhlmann
syumai
xhochy
sullis
yosuke_furukawa
takehilo
seike460
jakevdp
bermonpainter
sachag
philhawksworth
cassininazir
bcantrill
aki_iinuma
andyhume
eileencodes
robhawkes
lara
addyosmani
![41 Implementation (OSBT[3]) Tester (scenario) Attacker server Attacker IdP RP](https://files.speakerdeck.com/presentations/3f1d602b0bec4c3f9d070d6766627e70/slide_40.jpg){kind=link}
![52 [1] Zhou, Yuchen, and David Evans. "SSOScan: Automated testing](https://files.speakerdeck.com/presentations/3f1d602b0bec4c3f9d070d6766627e70/slide_51.jpg){kind=link}