New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
initial draft #2
Open
elf-pavlik
wants to merge
4
commits into
solid:main
Choose a base branch
from
elf-pavlik:initial
base: main
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
*.html | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
{ | ||
"Community.Solid.Server": { | ||
"authors": [ | ||
"Joachim Van Herwegen" | ||
], | ||
"href": "https://communitysolidserver.github.io/", | ||
"title": "Community Solid Server" | ||
}, | ||
"SolidOS": { | ||
"authors": [ | ||
"Timea Turdean" | ||
], | ||
"href": "https://solidos.solidcommunity.net/", | ||
"title": "SolidOS" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
<pre class='metadata'> | ||
Title: Solid Security Best Current Practice | ||
Boilerplate: issues-index no | ||
Boilerplate: omit conformance | ||
Local Boilerplate: logo yes | ||
Shortname: solid-best-security-practice | ||
Level: 1 | ||
Status: w3c/CG-DRAFT | ||
Group: Solid Community Group | ||
Favicon: https://solidproject.org/TR/solid.svg | ||
ED: https://solid.github.io/specification/security-best-practice | ||
TR: https://solidproject.org/TR/security-best-practice | ||
!Created: Feb 20, 2024 | ||
!Modified: [DATE] | ||
!Editor's Draft: [https://solid.github.io/specification/security-best-practice](https://solid.github.io/specification/security-best-practice) | ||
Repository: https://github.com/solid/security-best-practice | ||
Inline Github Issues: title | ||
Markup Shorthands: markdown yes | ||
Max ToC Depth: 2 | ||
Editor: [elf Pavlik](https://elf-pavlik.hackers4peace.net/) | ||
Metadata Order: This version, Latest published version, Editor's Draft, Test Suite, Created, Modified, *, !* | ||
Metadata Include: Editor's Draft off | ||
Abstract: | ||
This document describes best current security practice for Solid. | ||
Status Text: | ||
This section describes the status of this document at the time of its publication. | ||
|
||
This document was published by the [Solid Community Group](https://www.w3.org/community/solid/) as | ||
an Editor’s Draft. The information in this document is | ||
still subject to change. You are invited to [contribute](https://github.com/solid/solid-oidc/issues) | ||
any feedback, comments, or questions you might have. | ||
|
||
Publication as an Editor’s Draft does not imply endorsement by the W3C Membership. This is a draft | ||
document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate | ||
to cite this document as other than work in progress. | ||
|
||
This document was produced by a group operating under the [W3C Community Contributor License Agreement | ||
(CLA)](https://www.w3.org/community/about/process/cla/). A human-readable | ||
[summary](https://www.w3.org/community/about/process/cla-deed/) is available. | ||
</pre> | ||
|
||
# Attacks and Mitigations # {#attacks-and-mitigations} | ||
|
||
## Serving user-created files ## {#serving-user-created-files} | ||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
When Solid Servers serve files created by different users, they break the common Web assumption that files and/or applications served within the same origin are automatically equally trustworthy. | ||
|
||
An attacker could be any agent — human, browser, browser-based application, | ||
etc. — with a WebID. They need append/write access to the user's server | ||
to store a malicious HTML file. They might have this access because the | ||
user had allowed them to write a blog post, or because they have their own | ||
storage in a different path on the same domain, among other possibilities. | ||
|
||
Impact of the scenario: The attacker, pretending to be the victim, can access anything | ||
that the victim's account can access. | ||
|
||
|
||
### Use Solid-OIDC DPoP-bound ID tokens to make authenticated requests | ||
|
||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||
If a user is logged in to an application hosted on the Solid server, a | ||
malicious application on the same Solid server could abuse this login to | ||
make authenticated requests. Here we use [[SolidOS]] as an example of a | ||
benign application. | ||
|
||
#### Prerequisites | ||
|
||
* The attacker has append/write access to a publicly readable folder/file on the server. | ||
* The server serves [[SolidOS]] under the same domain (e.g., by default, [[Community.Solid.Server]] serves everything under the same domain). | ||
* Once the victim is logged in via [[SolidOS]], any new session is automatically logged in to the same account. | ||
|
||
#### Attack | ||
|
||
The attacker writes a malicious `text/html` file to the server. When this file is opened by the user: | ||
|
||
1. It opens [[SolidOS]] in a new tab and saves the window reference. (If the writer of this document recalls correctly, opening any non-existent resource from the server returns [[SolidOS]].) | ||
1. [[SolidOS]] automatically logs in, as the user who logged in there previously. | ||
1. The `text/html` file can access [[SolidOS]] via the window reference, including performing authenticated fetch. | ||
1. The `text/html` file can make any request in the name of the currently logged-in user, through this authenticated fetch. | ||
|
||
|
||
### Steal login credentials | ||
|
||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||
If a user saves credentials for an application on the same site as the Solid server, a malicious application could steal these credentials. | ||
|
||
#### Prerequisites | ||
|
||
* The attacker has append/write access to a publicly readable folder/file on the server. | ||
* The victim uses the IDP of the (small) [[Community.Solid.Server]] server. | ||
* The storages are on the same domain as the IDP (default for [[Community.Solid.Server]]). | ||
* The user saved their login credentials (`/idp/login/` for [[Community.Solid.Server]]) via the browser or a password manager extension. | ||
|
||
|
||
#### Attack | ||
|
||
The attacker writes a malicious `text/html` file to the server. Depending on the tool used to store the login credentials, the actual autofill/suggestion behaviour can vary. For instance, if a user who saved login credentials with Chrome opens the malicious file: | ||
|
||
1. The victim performs any interaction with the site (e.g., clicking on a cookie banner). | ||
1. Chrome automatically fills in `<input>` fields for the user name and password with the saved credentials. | ||
1. The malicious `text/html` file can read and send the credentials to the attacker. | ||
1. The attacker can use the credentials to log in with the IDP of the victim. | ||
|
||
|
||
|
||
### Countermeasures ### {#serving-user-created-files-countermeasures} | ||
|
||
* Servers are encouraged to apply security measures when serving user-created files. | ||
* Multiple agents can create files on the same server, which could render `same-origin` security boundaries useless. | ||
* As one possible countermeasure, servers could add a `Content-Security-Policy: sandbox` header to artificially enable `same-origin` security policies for files served on the same origin. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
<a href="https://solidproject.org/TR/" class="logo"> | ||
<img alt="Solid" src="https://solid.github.io/solid-oidc/solid.svg" width="72"> | ||
</a> |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Considering listing individuals in https://solidos.solidcommunity.net/Contacts/Group/SolidOS_Team.ttl or refer to the "SolidOS Team", e.g.: