O H! H! Auth th Implementation pitfalls & the auth providers - - PowerPoint PPT Presentation

o h h auth th
SMART_READER_LITE
LIVE PREVIEW

O H! H! Auth th Implementation pitfalls & the auth providers - - PowerPoint PPT Presentation

Oct 30, 2022 139 likes •731 views

H! H! O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it @samitanwer1 samit.anwer@gmail.com C: C:\>whoami Samit Anwer Product Security Team @Citrix Web/Mobile App Security Enthusiast

slide-1
SLIDE 1

OH! H! Auth th

Implementation pitfalls & the auth providers who have fell in it

H! H!

@samitanwer1 samit.anwer@gmail.com

slide-2
SLIDE 2

C: C:\>whoami

  • Samit Anwer
  • Product Security Team @Citrix
  • Web/Mobile App Security Enthusiast
  • Spoken @:
  • SecurityFest (Gothenburg, Sweden) 2019,
  • DEFCON China (Beijing) 2018,
  • BlackHat Asia (Singapore) 2018,
  • AppSec USA (Orlando, USA) 2017,
  • CodeBlue (Tokyo, Japan) 2017
slide-3
SLIDE 3

Agenda

  • OAuth – What and Why?
  • Access & Identity tokens
  • OAuth Grant Types
  • OAuth flow for Native (Mobile) Apps
  • Attacks & Mitigations –

1. Authorization code interception attack 2. CSRF 3. Client open redirects 4. Phishing using user’s trust in AS 5. Mix-up attack

  • Q/A
slide-4
SLIDE 4

Disclaimer

  • Ideas presented are personal
  • Some content borrowed from
  • Brian David Campbell’s slides on “OAuth 2.0 and

Mobile Devices”,

  • Auth0 &
  • the RFC documents
  • Don’t kill me for my humour!
  • I am a Marvel fan! Expect some references to

‘Avengers: Infinity War’

Disclaimer

  • Ideas presented are personal
  • Some content borrowed from
  • Brian David Campbell’s slides on “OAuth 2.0 and

Mobile Devices”,

  • Auth0 & the RFC documents
  • I am a Marvel fan! Expect some references to

‘Avengers: Infinity War’

slide-5
SLIDE 5

Why OAuth?

LinkedIn wants to fetch your contacts from Gmail.

Why OAuth?

LinkedIn asks your Gmail password

slide-6
SLIDE 6

What problems do you observe with this approach?

Knowledge of your Gmail password allows LinkedIn to do everything Access can’t be revoked from LinkedIn without revoking access from all other 3rd parties LinkedIn would be required to store your Gmail credentials Google will be required to support password based authentication

slide-7
SLIDE 7

Enter OAuth Why OAuth?

Protocol for delegating authorization supported by web, desktop and native apps 1. Scope of access granted to a 3rd party can be constrained 2. Access granted to a specific 3rd party is revocable 3. Avoids sharing of creds with 3rd party 4. Foundation for an authentication protocol

Knowledge of your Gmail password allows LinkedIn to do everything Access can’t be revoked from LinkedIn without revoking access from all other 3rd parties LinkedIn would be required to store your Gmail credentials Google will be required to support password based authentication

slide-8
SLIDE 8

Actors

  • Resource Owner: entity that can grant access to a protected resource,

e.g. End-User

  • Client/Application/Relying Party (RP): application requesting access

to a protected resource on behalf of the Resource Owner, e.g. LinkedIn

  • Resource Server: the server hosting the protected resources,

e.g. Gmail

  • Authorization Server: the server that authenticates the Resource

Owner & issues Access Tokens after getting proper authorization, e.g. Google

  • User Agent: the agent used by the Resource Owner to interact with

the application, e.g. browser

slide-9
SLIDE 9

Before we begin….

  • You must register the client/application/RP with the auth/identity

service

  • Client ID is public info and is used to build login URLs
  • Client Secret must be kept confidential
  • If a deployed app cannot keep the secret confidential (like SPA,

native app) then the secret is not used

Client Registration

App name, website, logo & a redirect URI Client ID & Client Secret

Client AS

  • 1. Generates

Client ID & Client Secret

  • 2. Stores

Client ID, redirect URI mapping

slide-10
SLIDE 10

OAuth in a nutshell

  • 1. Initiate

Authorization Request

  • 3. Authorization Code

to client’s redirect URI

  • 2. User

Authorizes

  • 4. Request Token
  • 5. Access Token to client’s redirect URI
  • 6. Request resource with

Token Stack Exchange (Client/Application/RP) Google (AS) RS /token /authorize End-user

  • 1. Initiate

Authorization request

slide-11
SLIDE 11

Open ID Connect

  • 1. Initiate

Authorization request

  • 1. Initiate

Authorization Request

  • 3. Authorization Code

to client’s redirect URI

  • 2. User

Authorizes

  • 4. Request Token
  • 5. Access & ID Token to client’s redirect URI

Stack Exchange (Client/Application/RP) Google (AS) /token /authorize End-user

slide-12
SLIDE 12

Access Token

Is typically opaque (a.k.a. bearer token) It conveys authorization It is consumed by the resource server A sample ID token (JWT) payload The ID Token is a JWT It conveys authentication status & user identity info. like the user's name, email, etc. It is consumed by the client for UI display

Identity Token

eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXki LCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIyYzNkYzZmNTNlNTI0N mQzYWZhNDIwZDgyMTg5YTk2YyIsInN1YiI6IjlhYzJkNzA 0LTI1NDAtNDlkNi05ZjJlLTQ4ZThlYWIyODE4MCIsInNjb3 BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJvYXV0aF9za G93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJjaWQi OiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2Nv ZGUiLCJhenAiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3Jpem F0aW9uX2NvZGUiLCJncmFudF90eXBlIjoiYXV0aG9yaXp hdGlvbl9jb2RlIiwidXNlcl9pZCI6IjlhYzJkNzA0LTI1NDAtND lkNi05ZjJlLTQ4ZThlYWIyODE4MCIsIm9yaWdpbiI6InVhY SIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJlbWFpbCI6Im1hc mlzc2FAdGVzdC5vcmciLCJhdXRoX3RpbWUiOjE0Njk4N DY3NjIsInJldl9zaWciOiJiZTU0OTFkYyIsImlhdCI6MTQ2OT g0Njg3NiwiZXhwIjoxNDY5ODkwMDZSJdfQ.1AXtzNGdW XL77i7TqeZOYfMbP4CT8pMnqBihmvg8woY.eyJqdGkiOi IyYzNkYzZmNTNlNTI0NmQzYWZhNDIwZDgyMTg5YTk2Y yIsInNSI6Im1hcmlzc2EiLCJlbWFpbCI6Im1hcmlzc2FAdG VzdC5vcmciLCJhdXRoX3RpbWUiOjE0Njk4NDY3NjIsInJld l9zaWciOiJiZTU0OTFkYyIsImlhdCI6MTQ2OTg0Njg3Niwi ZXhwIjoxNDY5ODkwMDc2LCJpc3MiOiJodHRwOi8vbG9j YWxob3N0

A sample access token

slide-13
SLIDE 13

OAuth Grants Types

Authorization Code Grant Implicit Grant Resource Owner Password Credential Grant Client Credentials Grant

slide-14
SLIDE 14

The Real Actors

Resource Owner Client/Application/Relying Party Resource Server Authorization Server Has Wants Supervises access to

slide-15
SLIDE 15
  • 1. Authorization Code Grant

Resource Owner Client / Application / RP Authorization Server Resource Server Access Resource Give me approval Authenticate & Grant Authorization Send Authorization Code Exchange code with client credentials for token Send Token Access protected resource (with token) Send resource Unauthorized /authorize /token

slide-16
SLIDE 16

Authorization Code Grant (ACG)

Au Auth thorization Tok

  • ken Ex

Exch change

Ref: https://aaronparecki.com/oauth-2-simplified/ Request Response Request Response

Provides the ability to authenticate the client Transmission of access token to client without passing it through Browser

Advantages of ACG

slide-17
SLIDE 17

Send Authorization Code Give me approval

  • 2. Implicit Grant

Resource Owner Client/ Application/ RP Authorization Server Resource Server Authenticate & Grant Authorization Exchange code with client credentials for token Send Token Access protected resource (with token) Send resource Access Resource Unauthorized /authorize /token /authorize

slide-18
SLIDE 18

Implicit Grant

Au Auth thorization

Ref: https://aaronparecki.com/oauth-2-simplified/ Request Response

No client authentication Access token can end up in Browser history

Disadvantages of Implicit Grant

Access token leakage through Referrer header

slide-19
SLIDE 19

OAuth for Mobile clients/ Native apps (RFC-8252)

  • 5. Protected APIs invoked using the access token
  • 4. The auth. code is traded for access token & refresh token
  • 3. Server returns control to the app & includes an auth. code
  • 2. End-user authenticates & approves the requested access
  • 1. Client initiates authorization request
slide-20
SLIDE 20
  • 1. Request

Authorization

  • When user needs to access

some protected resource, client opens a browser and sends user to the authorization endpoint

Google Stack Exchange

slide-21
SLIDE 21
  • 2. Authenticate and

Approve

  • The AS authenticates the

user

Google Stack Exchange

slide-22
SLIDE 22

Approve

  • User approves the request

Stack Exchange

Google

slide-23
SLIDE 23
  • 3. Handle Callback
  • Server returns control to the

app via HTTP redirection and includes an authorization code

Google Stack Exchange

Custom URI Scheme

slide-24
SLIDE 24
  • 3. Handle Callback
  • Registering a custom URI

scheme

Google

Stack Exchange

slide-25
SLIDE 25
  • 4. Trade code for

token

  • Token Endpoint Request
  • Token Endpoint Response
slide-26
SLIDE 26
  • 5. Using an access

token

  • Once an access token is
  • btained, it can be used to

authorize calls to the protected resources at the RS by including it in HTTP Authorization header

slide-27
SLIDE 27

Agenda – What have we covered?

  • OAuth – What and Why?
  • Access & Identity tokens
  • OAuth Grant Types
  • OAuth with Native (Mobile) Apps
  • Attacks & Mitigations –

1. Authorization code interception attack 2. CSRF 3. Client open redirects 4. Phishing using user’s trust in AS 5. Mix-up attack

  • Q/A
slide-28
SLIDE 28
  • 1. Authorization code

intercept attack on mobile clients/native apps

Attacks & Mit itigations

slide-29
SLIDE 29

Authorization code intercept attack

Preconditions

  • "client_secret" is not provisioned
  • Attacker manages to install malicious app on

device

  • Attacker manages to register the same custom

URI scheme used by legitimate app

  • Img. Ref.: RFC-7636
slide-30
SLIDE 30

Mitigation

  • Avoid Custom URI Scheme Redirection

There is no naming authority

  • Use Claimed HTTPs Scheme URI Redirection

The identity of the destination app is guaranteed by the OS to the authorization server

  • 1. Handle redirections carefully
slide-31
SLIDE 31
  • 2. Use Proof Key for Code Exchange (PKCE) with apps that use custom URI

scheme

where: t(code_verifier) = code challenge t_m = code challenge method

RFC-7636

Malicious Client

Generate code_verifier

Mitigation (continued)

Code Challenge <= t(code_verifier) (CC) Is CC = t(code_verifier)?

Store

slide-32
SLIDE 32

Demo: Faulty PKCE implementation

  • n Microsoft IdP
slide-33
SLIDE 33

Demo: Faulty PKCE implementation on Microsoft IdP

slide-34
SLIDE 34

RFC-8252 says PKCE MUST be supported by client and AS

Why you no PKCE?

slide-35
SLIDE 35
  • 2. CSRF
slide-36
SLIDE 36
  • 2. CSRF
  • Attacker attempts to inject request to

the redirect URI of the legitimate client

  • causing the client to access resources

under the attacker's control

Mitigation

  • One-time use CSRF token by client

Validate if the CSRF token in the "state" parameter

  • f authorization request matches the one returned in

the authorization response

  • 2. Visits https://attacker.com
  • 1. Publishes malicious

website

  • 3. Redirect to

https://client_redirect_url/as?code=attacker_auth_code

  • 4. POST https://auth_srvr/token

{auth_code= attacker_auth_code}

  • 6. Fetch attacker’s resource
  • 5. Attacker’s access token

Malicious Website Forged Authorization response

Authorization Request Response

Client AS RS

Client thinks it is accessing end- user resources but in reality it is accessing attacker’s resources

End-user

slide-37
SLIDE 37
  • 3. Client Open Redirects
slide-38
SLIDE 38

URL decoded value of “redirect_uri” is: https://client.somesite.example/cb?redirect_to%3 Dhttps%3A%2F%2Fclient.evil.example.%2Fcb

Assumption for client

  • Client uses implicit grant
  • Redirect URL pattern registered by client is -

https://client.somesite.example/cb?*

  • Client exposes open redirect. Above endpoint supports a “redirect_to”

parameter

https://client.somesite.example/cb?redirect_to=example.com

  • 2. Visits https://www.evil.example
  • 1. Publishes malicious

website

  • 3. Initiates Authorization Request

https://client.somesite.example https://server.somesite.example

  • 4. Issues a 303 redirect

https://www.evil.example

  • 5. Client redirector issues an

HTTP 303 Location header redirect

Access token leak

Does “redirect_uri” match with pattern? Pattern:https://client.somesite.example/cb?*

YES! Match

/cb?redirect_to=https://client.evil.example/cb Request arrives at the redirector

slide-39
SLIDE 39

Mitigation

  • Clients MUST not expose open redirectors

Thanos (“Client”) left open redirects!

slide-40
SLIDE 40
  • 4. Phishing using user’s

trust in Auth Server

slide-41
SLIDE 41

Phishing using user’s trust in AS

  • The attacker:
  • Performs a client registration with redirect URI as https://attacker.com
  • Prepares a forged URI like
  • Have the victim click the forged URI
  • The victim is redirected to https://attacker.com
slide-42
SLIDE 42

Mitigation

  • AS needs to take a call whether to redirect or

not

  • AS MAY inform user that it is about to redirect

to another site

slide-43
SLIDE 43
  • 5. Mix Up
slide-44
SLIDE 44

Mix Up

  • An attack applicable in scenarios where client

interacts with multiple Auth Servers (AS)

  • One of the AS turns malicious
  • Malicious AS tricks client to obtain auth code or

access token (generated by other AS)

Preconditions

  • Client uses same redirect URI for all AS
slide-45
SLIDE 45

Mix-Up attack:

Assume that user wants to start the grant using FB’s AS

  • After client redirects user to the authorization endpoint at FB’s AS, the attacker

immediately redirects the user to Google’s AS

  • Now, the user authorizes the client to access her resources at Google’s AS. Google’s

AS issues a code and sends it (via the browser) back to the client

  • The client will try to redeem the code at FB’s AS token endpoint
  • The attacker therefore obtains code

Assume that client registered with

  • Google’s AS
  • FB’s AS (malicious)
slide-46
SLIDE 46
  • 1. Initiate

Authorization request

  • 1. Initiate

Authorization Request to FB AS

  • 4. Authorization

Code

  • 3. User

Authorizes

  • 8. Request

victim’s Google resources with token

FB’s AS (malicious) Google’s AS LinkedIn FB_RS G_RS

  • 2. Redirect to

Google’s auth page

  • 5. Redeem authorization code at

FB’s token endpoint

End-user LinkedIn 4. Authorization

Code

slide-47
SLIDE 47

Mitigation

  • Clients should

Use AS-specific redirect URIs like https://client.com/google_redirect_uri https://client.com/fb_redirect_uri Store the intended AS for each auth request & compare intended AS with actual redirect URI where auth response was received

https://client.com/ google_redirect_uri

Mitigation

slide-48
SLIDE 48

Summary

  • OAuth is used for delegating resource access to a 3rd party app
  • Access & Identity tokens are used to prove authorization & authentication respectively
  • Use ACG for web app clients & ACG with PKCE for mobile clients
  • OAuth for Native (Mobile) Apps
  • Discussed some attacks:

1. Authorization code interception attack 2. CSRF 3. Client open redirects 4. Phishing using user’s trust in AS 5. Mix-up attack

slide-49
SLIDE 49

References – Things we do for security

  • Diagrams of All The OpenID Connect Flows

https://medium.com/@darutk/diagrams-of-all-the-

  • penid-connect-flows-6968e3990660
  • OAuth 2 Simplified https://aaronparecki.com/oauth-2-

simplified

  • Auth0 docs https://auth0.com/
  • OAuth 2.0 and Mobile Devices: Is that a token in your

phone in your pocket or are you just glad to see me? http://www.slideshare.net/briandavidcampbell/is- that-a-token-in-your-phone-in-your-pocket-or-are-you- just-glad-to-see-me-oauth-20-and-mobile-devices

  • OpenID Connect Core 1.0 incorporating errata set 1

https://openid.net/specs/

  • IETF docs https://tools.ietf.org/html
  • JWT, https://tools.ietf.org/html/rfc7519
  • JSON Web Key, https://tools.ietf.org/html/rfc7517
  • JSON Web Signature (JWS),

https://tools.ietf.org/html/rfc7515

  • JSON Web Encryption (JWE),

https://tools.ietf.org/html/rfc7516

  • JSON Web Algorithms (JWA),

https://tools.ietf.org/html/rfc7518

  • The OAuth 2.0 Authorization Framework

https://tools.ietf.org/html/rfc6749

  • Proof Key for Code Exchange by Oauth, Public

Clients, https://tools.ietf.org/html/rfc7636

  • OAuth 2.0 for Native Apps,

https://tools.ietf.org/html/rfc8252

  • Threat Model and Security Considerations,

https://tools.ietf.org/html/rfc6819

  • OAuth 2.0 Security Best Current Practice

https://tools.ietf.org/html/draft-ietf-oauth- security-topics-12

  • Oauth 2.0 Token Binding

https://tools.ietf.org/html/draft-ietf-oauth- token-binding-08

  • OAuth 2.0 Form Post Response Mode

https://openid.net/specs/oauth-v2-form-post- response-mode-1_0.html

slide-50
SLIDE 50

References – Things we do for security

  • Diagrams of All The OpenID Connect Flows

https://medium.com/@darutk/diagrams-of-all-the-

  • penid-connect-flows-6968e3990660
  • OAuth 2 Simplified https://aaronparecki.com/oauth-2-

simplified

  • Auth0 docs https://auth0.com/
  • OAuth 2.0 and Mobile Devices: Is that a token in your

phone in your pocket or are you just glad to see me? http://www.slideshare.net/briandavidcampbell/is- that-a-token-in-your-phone-in-your-pocket-or-are-you- just-glad-to-see-me-oauth-20-and-mobile-devices

  • OpenID Connect Core 1.0 incorporating errata set 1

https://openid.net/specs/

  • IETF docs https://tools.ietf.org/html
  • JWT, https://tools.ietf.org/html/rfc7519
  • JSON Web Key, https://tools.ietf.org/html/rfc7517
  • JSON Web Signature (JWS),

https://tools.ietf.org/html/rfc7515

  • JSON Web Encryption (JWE),

https://tools.ietf.org/html/rfc7516

  • JSON Web Algorithms (JWA),

https://tools.ietf.org/html/rfc7518

  • The OAuth 2.0 Authorization Framework

https://tools.ietf.org/html/rfc6749

  • Proof Key for Code Exchange by Oauth, Public

Clients, https://tools.ietf.org/html/rfc7636

  • OAuth 2.0 for Native Apps,

https://tools.ietf.org/html/rfc8252

  • Threat Model and Security Considerations,

https://tools.ietf.org/html/rfc6819

  • OAuth 2.0 Security Best Current Practice

https://tools.ietf.org/html/draft-ietf-oauth- security-topics-12

  • Oauth 2.0 Token Binding

https://tools.ietf.org/html/draft-ietf-oauth- token-binding-08

  • OAuth 2.0 Form Post Response Mode

https://openid.net/specs/oauth-v2-form-post- response-mode-1_0.html

slide-51
SLIDE 51

Get in touch!

  • e-mail: samit.anwer@gmail.com,
  • Twitter: @samitanwer1,
  • LinkedIn: https://www.linkedin.com/in/samit-anwer-ba47a85b/

Questions? Grazie!

slide-52
SLIDE 52
slide-53
SLIDE 53
slide-54
SLIDE 54
slide-55
SLIDE 55

Scopes

  • Used by client during authorization request to

get access to a set of user attributes which are called claims, e.g. email, profile, etc.

  • The authorization decision emerges from

combining the scope Mail.Read , the user identifier & the entity requested

Ref: https://auth0.com/blog/on-the-nature-of-oauth2-scopes/

Authorization Decision

  • Scopes allow clients to request delegated access to end-

user’s Resource e.g. Scope- Mail.Read

slide-56
SLIDE 56
  • Client website links Google Drive so that it

can display user’s Google Drive resources

  • Client may have a URL like
  • This URL redirects user to Google’s auth.

page & after user signs-in redirects the authorization code to attacker.com

b) Auth code leak

https://client.com/googledrive/Login.aspx? redirect_url=https%3A%2F%2Fattacker.com

Client.com

Client.com

slide-57
SLIDE 57

Benefits of authorization code

The auth code provides the ability to authenticate the client Transmission of the access token directly to the client without passing it through the resource owner's user-agent

slide-58
SLIDE 58

JWT (JSON Web Tokens)

  • JWTs are self-contained
  • They can be signed

A JWT’s format is “1. Header . 2. Payload . 3. Signature”

  • 1. Header contains the type of token & the hash algorithm used
  • n the contents of the token
  • 2. The payload contains identity claims about a user.

Claims are statements (name or email address) about an entity (typically, the user) and metadata

  • 3. The signature is used by the recipient of a JWT to validate the

integrity

RFC-7636, RFC-7515, RFC-7516