
OSBT: OpenID Connect Scenario-Based Tester – CODE BLUE 2023

yuasa
November 08, 2023

Presentation slides for the session "OSBT: OpenID Connect Scenario-Based Tester" in CODE BLUE 2023



Transcript

  1. OSBT:
    OpenID Connect
    Scenario-Based Tester
    Junki Yuasa
    Nara Institute of Science and Technology
    Laboratory for Cyber Resilience
    2023/11/08 CODE BLUE 2023 BlueBox Edition


  2. 2
    Junki Yuasa (湯浅 潤樹)
    Who am I?
    - Nara Institute of Science and Technology
    - Student (M2)
    - Research on ID Federation Security
    - OAuth, OpenID Connect
    - SECCON Beginners CTF Writer
    X : @melonattacker

  3. 3
    Spread of social login
    Social login to reduce the burden of account management
    [Figure: Normal Login: a separate credential (Cred) for each of Web app A, Web app B and Web app C (burden increases). Social Login: Web app A, Web app B and Web app C without separate credentials (burden decreases).]

  4. 4
    OpenID Connect (OIDC)
    OIDC is a protocol for social login
    Leave user authentication to an external service (IdP)
    [Figure: User, Relying Party (RP), ID Provider (IdP). 1. Authentication. 2. ID Token: token containing user attribute information.]

  5. 5
    OpenID Connect (OIDC)
    OIDC is based on the OAuth 2.0 authorization protocol
    Can also issue tokens that allow access to user resources
    [Figure: User, Relying Party (RP), ID Provider (IdP). Access Token: token that allows access to user resources.]

  6. 6
    OIDC Flow (Authorization code flow)
    Auth start
    [Figure: User, RP, IdP]

  7. 7
    OIDC Flow (Authorization code flow)
    Authentication Request
    GET /authorize
    ?response_type=code
    &scope=openid profile email
    &client_id=dkn9nE9…MPuifABrH
    &state=af0ifjsldkj
    &redirect_uri=https://rp.example.com/cb
    [Figure: User, RP, IdP]

  8. 8
    OIDC Flow (Authorization code flow)
    Authentication Request
    GET /authorize
    ?response_type=code
    &scope=openid profile email
    &client_id=dkn9nE9…MPuifABrH
    &state=af0ifjsldkj
    &redirect_uri=https://rp.example.com/cb
    (annotation on redirect_uri: URL to redirect)
    [Figure: User, RP, IdP]

  9. 9
    OIDC Flow (Authorization code flow)
    Submit credential and consent
    [Figure: User, RP, IdP]

  10. 10
    OIDC Flow (Authorization code flow)
    Return authorization code
    302 Found
    Location: https://rp.example.com/cb
    ?code=SplxlOBeZQQYbYS6WxSbIA
    &state=af0ifjsldkj
    [Figure: User, RP, IdP]

  11. 11
    OIDC Flow (Authorization code flow)
    Return authorization code
    302 Found
    Location: https://rp.example.com/cb
    ?code=SplxlOBeZQQYbYS6WxSbIA
    &state=af0ifjsldkj
    (annotation on Location: URL to redirect)
    [Figure: User, RP, IdP]

  12. 12
    OIDC Flow (Authorization code flow)
    Return authorization code
    302 Found
    Location: https://rp.example.com/cb
    ?code=SplxlOBeZQQYbYS6WxSbIA
    &state=af0ifjsldkj
    (annotation on code: Authorization code)
    [Figure: User, RP, IdP]

  13. 13
    OIDC Flow (Authorization code flow)
    Token request
    POST /token
    Host: idp.example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic czZCaGRSa3…mQmF0M2JW
    grant_type=authorization_code
    &code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https://rp.example.com/cb
    [Figure: User, RP, IdP]

  14. 14
    OIDC Flow (Authorization code flow)
    Token request
    POST /token
    Host: idp.example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic czZCaGRSa3…mQmF0M2JW
    grant_type=authorization_code
    &code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https://rp.example.com/cb
    (annotation on code: Authorization code)
    [Figure: User, RP, IdP]

  15. 15
    OIDC Flow (Authorization code flow)
    Token request
    POST /token
    Host: idp.example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic czZCaGRSa3…mQmF0M2JW
    grant_type=authorization_code
    &code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https://rp.example.com/cb
    (annotation on redirect_uri: URL to redirect)
    [Figure: User, RP, IdP]

  16. 16
    OIDC Flow (Authorization code flow)
    Token response
    {
    "access_token": "SlAV32hkKG",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "eyJhb…KMzqg"
    }
    [Figure: User, RP, IdP]

  17. 17
    OIDC Flow (Authorization code flow)
    Token response
    {
    "access_token": "SlAV32hkKG",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "eyJhb…KMzqg"
    }
    (annotation on access_token: Access Token, used by the RP to acquire user resources)
    [Figure: User, RP, IdP]

  18. 18
    OIDC Flow (Authorization code flow)
    Token response
    {
    "access_token": "SlAV32hkKG",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "eyJhb…KMzqg"
    }
    (annotation on id_token: ID Token, used for user authentication in the RP)
    [Figure: User, RP, IdP]

  19. 19
    Vulnerability testing challenges for OIDC
    - Multiple entities interact
    - Potential vulnerabilities exist throughout the auth flow
    - Checking behavior during the auth flow operations is essential
    - Customizing scenarios flexibly is essential to address various vulnerabilities
    [Figure: User, RP, IdP, with potential vulnerabilities (Vuln) marked throughout the flow]


  21. 21
    Vulnerability testing challenges for OIDC
    - Multiple entities interact
    - Potential vulnerabilities exist throughout the auth flow
    - Checking behavior during the auth flow operations is essential
    - Customizing scenarios flexibly is essential to address various vulnerabilities
    [Figure: User, RP, IdP, with potential vulnerabilities (Vuln) marked throughout the flow]
    Research Objective :
    Create a test tool that allows for highly customizable scenarios

  22. 22
    Test Issue 1 : Test coverage
    Can address Spec-Based Vulns and Implementation-Based Vulns
    - Specification-Based vulnerability
      - Resulting from improper implementation of the specification
      - Indicated in the specification's Security Considerations
    - Implementation-Based vulnerability
      - Resulting from implementation outside of the specification
      - Vulnerabilities registered as CVEs, etc.

  23. 23
    Implementation-Based vulnerability
    Resulting from implementation outside of the specification
    - Vulnerabilities due to implementation method
      - Resulting from implementation methods such as unique protocol extensions and session management
    - Vulnerabilities due to using server/database
      - Resulting from improper use of the server, database, etc.
    - Vulnerabilities due to using language/framework
      - Resulting from improper use of the language and framework
    - Vulnerabilities due to chained exploitation of RP/IdP
      - Resulting from a situation where chained exploitation of RP/IdP is possible

  24. 24
    Implementation-Based vulnerability (example)
    Resulting from implementation outside of the specification
    - Vulnerabilities due to implementation method
      - Session poisoning resulting from improper session management
    - Vulnerabilities due to using server/database
      - LDAP injection resulting from improper handling of LDAP queries
    - Vulnerabilities due to using language/framework
      - Incomplete redirect_uri validation resulting from improper use of Auto Binding
    - Vulnerabilities due to chained exploitation of RP/IdP
      - Valid authorization code theft by exploiting RP's XSS and IdP's authorization code consumption flaws

  25. 25
    Test Issue 2 : Customizability of scenarios
    Whether the requirements for customizability are met
    Customizability required for detecting implementation-based vulns
    - Requirement 1 : Fixed scenario (Operation A, Operation B, Operation C)
    - Requirement 2 : Operations can be disabled
    - Requirement 3 : Order of operations can be changed (e.g. Operation B, Operation A, Operation C)
    - Requirement 4 : Variables within operations can be specified (Variable A)

  26. 26
    Test Issue 3 : Reproducibility
    Manual testing is useful but difficult to reproduce
    [Figure: Victim and Attacker, each performing OP 1, OP 2, OP 3. Simulate both victim and attacker operations; manipulate multiple parameters in multiple requests.]

  27. 27
    Existing test tools and manual verification
    Three issues are not adequately resolved

    Tool            | Test coverage                       | Customizability of scenarios | Reproducibility
    SSOScan [1]     | Only spec-based vulns (5)           | Requirement 1                | Automation
    PrOfESSOS [2]   | Only spec-based vulns (11)          | Requirements 1, 2            | Automation
    Manual testing  | Spec-based vulns, impl-based vulns  | Requirements 1, 2, 3, 4      | Manual

    [1] Zhou, Yuchen, and David Evans. "SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities." 23rd USENIX Security Symposium (USENIX Security 14). 2014.
    [2] Mainka, Christian, et al. "SoK: single sign-on security—an evaluation of OpenID Connect." 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017.

  28. 28
    OSBT: OpenID Connect Scenario-Based Tester
    Tool that allows you to programmatically write and execute test scenarios

    Tool      | Test coverage                                 | Customizability of scenarios | Reproducibility
    OSBT [3]  | Spec-based vulns, implementation-based vulns  | Requirements 1, 2, 3, 4      | Automation

    [3] OSBT, https://github.com/oidc-scenario-based-tester/osbt

  29. 29
    OSBT : Test coverage, Customizability of scenarios
    Implementation-Based vulnerability can also be tested
    [Figure: Existing tools: test scenarios (Scenario 1, Scenario 2, Scenario 3) are built into the tool, so implementation-based vulns cannot be tested. OSBT: the scenario description function lets you create customizable scenarios (New Scenario), so implementation-based vulns can be tested.]

  30. 30
    OSBT : Reproducibility
    Reproduce operations equivalent to manual testing
    [Figure: Manual testing: the procedure is complicated, so reproducibility is difficult to ensure. OSBT: the procedure is written in code, so reproducibility is ensured.]

  31. 31
    Test scenario description function
    Developed based on scenario description requirements
    - Browser operation function
      - Operations on the screen, expanding URLs, and acquiring page sources
    - HTTP request/response manipulation function
      - Data tampering, sending multiple parameters, interception, obtaining history
    - Attacker IdP operation function
      - Specifying returned ID tokens, IdP information, etc.
    - Attacker server operation function
      - Referring to logs to check the possibility of stealing authorization codes or tokens

  32. 32
    Test scenario description function : Browser operation
    [Figure: User, RP, IdP, Attacker.
     Expanding URLs (malicious URL): addressing vulnerabilities that require phishing.
     Operation on the screen: automating browser operations during the auth flow.
     Acquiring page sources: used to judge test results.]

  33. 33
    Test scenario description function : HTTP request/response manipulation
    [Figure: User, Proxy server, RP, IdP.
     Data tampering, sending multiple params: addressing vulnerabilities due to inadequate parameter validation.
     Interception: used to interrupt the authentication flow.
     Obtaining history: used to judge test results.]

  34. 34
    Test scenario description function : Attacker IdP operation
    [Figure: User, RP, Attacker IdP.
     Specifying IdP information: addressing vulnerabilities due to inadequate IdP information validation.
     Specifying token: addressing vulnerabilities due to inadequate token validation.]

  35. 35
    Test scenario description function : Attacker server operation
    [Figure: User, RP, IdP, Attacker server.
     Referring to logs (authorization code, token): checking the possibility of stealing authorization codes or tokens.]

  36. 36
    Architecture
    [Figure: Tester (scenario), Proxy server, Attacker server, Attacker IdP; test target: RP and IdP.]

  37. 37
    The flow of scenario execution
    A scenario to test for flaws in redirect_uri validation
    - Setup
    - Sending commands to tamper with the redirect_uri
    - Execute the authentication flow
    - Refer to the attacker server's log

  38. 38
    The flow of scenario execution
    [Figure: architecture as on slide 36. Data tampering: tamper with the value of redirect_uri to the attacker server's URL.]

  39. 39
    The flow of scenario execution
    [Figure: architecture as on slide 36. Operation on the screen: entering creds during the execution of the authentication flow.]

  40. 40
    The flow of scenario execution
    [Figure: architecture as on slide 36. Referring to logs: checking the possibility of stealing the authorization code.]

  41. 41
    Implementation (OSBT [3])
    [Figure: architecture as on slide 36; Vulns]
    [3] OSBT, https://github.com/oidc-scenario-based-tester/osbt

  42. 42
    DEMO : redirect_uri bypass via Auto Binding
    Authentication Request
    GET /authorize
    ?response_type=code
    &scope=openid profile email
    &client_id=dkn9nE9…MPuifABrH
    &state=af0ifjsldkj
    &redirect_uri=https://rp.example.com/cb
    (annotation on redirect_uri: URL to redirect)
    [Figure: User, RP, IdP. The IdP validates redirect_uri at /authorize.]

  43. 43
    DEMO : redirect_uri bypass via Auto Binding
    Submit credential and consent
    GET /consent
    ?response_type=code
    &scope=openid profile email
    &client_id=dkn9nE9…MPuifABrH
    &state=af0ifjsldkj
    &redirect_uri=https://rp.example.com/cb
    [Figure: User, RP, IdP. Query params are inherited via Auto Binding, and the consent endpoint doesn't validate redirect_uri.]

  44. 44
    DEMO : redirect_uri bypass via Auto Binding (Attack Step)
    [Figure: User, Relying Party (RP), ID Provider (IdP), Attacker.]
    1. Phishing url
    2. Consent
    GET /consent

    &redirect_uri=
    https://attacker.com
    3. Redirect to redirect_uri
    https://attacker.com?
    code=Splxl…xSbIA
    Authorization code leaked!!

  45. 45
    DEMO : redirect_uri session poisoning
    Authentication Request
    GET /authorize
    Cookie: session=kAKJnsier7EAR8jsK
    ?response_type=code
    &scope=openid profile email
    &client_id=dkn9nE9…MPuifABrH
    &state=af0ifjsldkj
    &redirect_uri=https://rp.example.com/cb
    (annotation on Cookie: Session cookie)
    [Figure: User, RP, IdP. The IdP ties the params to the user's session.]

  46. 46
    DEMO : redirect_uri session poisoning
    Authentication Request
    GET /authorize
    Cookie: session=kAKJnsier7EAR8jsK
    ?response_type=code
    &scope=openid profile email
    &client_id=attacker_client_id
    &state=af0ifjsldkj
    &redirect_uri=https://attacker.com
    (annotation on Cookie: Same Session cookie)
    [Figure: User, RP, IdP. Send this request at the same time; the parameters tied to the session are updated.]

  47. 47
    DEMO : redirect_uri session poisoning (Attack Step)
    User
    Relying Party
    (RP)
    ID Provider
    (IdP)
    Attacker
    1. Phishing url
    3. Authentication request
    GET /authorize
    Cookie: session=kA..sK

    &client_id=honest
    &redirect_uri=
    https://rp.example.com
    2. Open web
    site


  48. 48
    DEMO : redirect_uri session poisoning (Attack Step)
    User
    Relying Party
    (RP)
    ID Provider
    (IdP)
    Attacker
    1. Phishing url
    4. Authentication request
    GET /authorize
    Cookie: session=kA..sK

    &client_id=attacker
    &redirect_uri=
    https://attacker.com
    2. Open web
    site


  49. 49
    DEMO : redirect_uri session poisoning (Attack Step)
    User
    Relying Party
    (RP)
    ID Provider
    (IdP)
    Attacker
    1. Phishing url
    2. Open web
    site
    5. Consent
    POST /consent
    Cookie: session=kA..sK

    consent=“Yes”
    6. Redirect to redirect_uri
    https://attacker.com?
    code=Splxl…xSbIA
    Authorization code leaked!!
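    Both demo flaws sit on the IdP side of the flow: the consent endpoint re-reading redirect_uri from auto-bound query parameters (slides 42-44), and authentication-request parameters being stored on the mutable browser session (slides 45-49). The following added example is not OSBT code or any project's code; client ids, URIs, session ids and the handler names are constructed. It models an IdP's /authorize and /consent handling that closes both flaws: exact-match validation of redirect_uri against the registered value, and a per-request record that the consent step reads instead of the query string or the session.

```python
# Added example, not OSBT code: a minimal model of an IdP's /authorize and
# /consent handling that closes the two redirect_uri flaws from the demo.
# Client ids, URIs and session ids below are constructed for illustration.
import secrets
from urllib.parse import urlencode

# Constructed client registry: the redirect URIs registered with the IdP.
REGISTERED_CLIENTS = {
    "honest": {"redirect_uris": ["https://rp.example.com/cb"]},
    "attacker": {"redirect_uris": ["https://attacker.com"]},
}

# Pending authentication requests keyed by a single-use request id rather
# than by the browser session, so a second /authorize sent with the same
# session cookie creates a new record instead of overwriting the first one.
PENDING = {}


def authorize(session_id, params):
    """Handle GET /authorize. Returns (request_id, consent page URL)."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")
    redirect_uri = params.get("redirect_uri")
    # Exact string comparison against the registered value; no prefix,
    # pattern or path-normalised matching.
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client")
    request_id = secrets.token_urlsafe(16)
    PENDING[request_id] = {
        "session": session_id,
        "client_id": params["client_id"],
        "redirect_uri": redirect_uri,
        "state": params.get("state", ""),
    }
    # Only the opaque request id travels to the consent page; the validated
    # parameters are never carried in (or re-read from) the query string.
    return request_id, "/consent?" + urlencode({"req": request_id})


def consent(session_id, query, consent_given):
    """Handle POST /consent. Returns the redirect Location, or None."""
    record = PENDING.pop(query.get("req", ""), None)  # single use, fail closed
    if record is None or record["session"] != session_id or not consent_given:
        return None
    # Any redirect_uri or client_id the browser sends alongside this request
    # is ignored: the values come from the stored, already-validated record.
    code = secrets.token_urlsafe(16)
    return record["redirect_uri"] + "?" + urlencode(
        {"code": code, "state": record["state"]}
    )
```

    A scenario like the one on slides 45-49 can then be replayed against this model: the attacker's second /authorize in the same session yields its own record and cannot change where the victim's code is delivered.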


  50. 50
    DEMO : GitHub Actions (CI)
    Run tests on GitHub Actions; the test report is created as an issue

  51. 51
    Summary
    - Challenge
      - Existing test tools lack scenario customizability
      - Unable to detect implementation-based vulnerabilities
    - Research Objective
      - Create a test tool that allows for highly customizable scenarios
    - OSBT
      - Enable the execution of scenarios created using the description function
    - DEMO
      - Can detect two implementation-based vulnerabilities
      - Available in GitHub Actions (CI)

  52. 52
    References
    [1] Zhou, Yuchen, and David Evans. "SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities." 23rd USENIX Security Symposium (USENIX Security 14). 2014.
    [2] Mainka, Christian, et al. "SoK: single sign-on security—an evaluation of OpenID Connect." 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017.
    [3] OSBT, https://github.com/oidc-scenario-based-tester/osbt
    Image: https://flaticon.com/