Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oauth2: Resolves possible session fixation attack #770

Merged
merged 1 commit into from
Feb 7, 2018
Merged

oauth2: Resolves possible session fixation attack #770

merged 1 commit into from
Feb 7, 2018

Conversation

aeneasr
Copy link
Member

@aeneasr aeneasr commented Feb 7, 2018
edited
Loading

This patch resolves a vulnerability in the consent flow. This vulnerability
affects versions 0.10.0 ~ 0.11.5 only. Versions < 0.10.0 are not affected.

The vulnerability can be exploited as follows:

  1. Malice initiates an OAuth 2.0 Authorization Code Flow:
    https://hydra/oauth2/auth?client=...
  2. Hydra redirects malice to the consent app and appends consent
    id "example-id": https://consent-app/?consent=example-id
  3. Malice convinces Bob to open url https://consent-app/?consent=example-id
    and authorize the access request.
  4. The consent app would redirect Bob back to
    https://hydra/oauth2/auth?client=...&consent=example-id. However,
    through some means, Malice is able to prevent redirection of Bob's
    user agent.
  5. Malice accesses the original auth code url and appends the consent id:
    https://hydra/oauth2/auth?client=...&consent=example-id
  6. As the consent request is granted but not claimed, and because Malice's
    user agent contains the valid CSRF token, Malice receives an authorize
    code that is meant to be issued to Bob.
  7. Malice can now act on Bob's behalf.

For this attack to work, the following preconditions must be met:

  1. Malice must be able to convince Bob to access the forged consent url.
  2. Malice must be able to convince Bob to grant the forged consent request.
  3. Malice must be able to prevent the consent app's redirect after
    successful consent request acceptance.
  4. Malice must be able to perform this attack within the expiry (10 minutes)
    of the consent request.

For these reasons, an exploit for this vulnerability is not likely,
but possible.

This patch closes the described vulnerability by requiring a
consent_csrf value additional to the consent value in the query
parameters of the authorization url. Without that value, the authorization
code flow will not be successful. The consent_csrf is transmitted out-of-band
to the consent app and not accessible to Malice. Let's revisit the example
from above:

  1. Malice initiates an OAuth 2.0 Authorization Code Flow:
    https://hydra/oauth2/auth?client=...
  • Hydra creates the consent request id and an additional CSRF token
    which is stored in the database and the encrypted cookie. Malice
    is not able to see the CSRF token.
  1. Hydra redirects malice to the consent app and appends consent
    id "example-id": https://consent-app/?consent=example-id
  2. Malice convinces Bob to open url https://consent-app/?consent=example-id
    and authorize the access request.
  3. The consent app would redirect Bob back to
    https://hydra/oauth2/auth?client=...&consent=example-id&consent_csrf=csrf_token.
    The redirection URL is only accessible to the consent app and Bob's user agent.
    However, through some means, Malice is able to prevent redirection of Bob's
    user agent.
  4. Malices does not know the value for consent_csrf, accessing
    https://hydra/oauth2/auth?client=...&consent=example-id without
    setting consent_csrf causes the request to fail and the consent to
    be revoked.

This patch does not introduce breaking changes. Upgrading to the version
which contains this patch does not require any code changes or deployment
changes.

oauth2: Resolves possible session fixation attack
69cc450 
This patch resolves a vulnerability in the consent flow. This vulnerability
affects versions 0.10.0 ~ 0.11.5 only. Versions < 0.10.0 are not affected.

The vulnerability can be exploited as follows:

1. Malice initiates an OAuth 2.0 Authorization Code Flow:
  https://hydra/oauth2/auth?client=...
2. Hydra redirects malice to the consent app and appends consent
  id "example-id": https://consent-app/?consent=example-id
3. Malice convinces Bob to open url https://consent-app/?consent=example-id
  and authorize the access request.
4. The consent app would redirect Bob back to
  `https://hydra/oauth2/auth?client=...&consent=example-id`. However,
  through some means, Malice is able to prevent redirection of Bob's
  user agent.
5. Malice accesses the original auth code url and appends the consent id:
  `https://hydra/oauth2/auth?client=...&consent=example-id`
6. As the consent request is granted but not claimed, and because Malice's
  user agent contains the valid CSRF token, Malice receives an authorize
  code that is meant to be issued to Bob.
7. Malice can now act on Bob's behalf.

For this attack to work, the following preconditions must be met:

1. Malice must be able to convince Bob to access the forged consent url.
2. Malice must be able to convince Bob to grant the forged consent request.
3. Malice must be able to prevent the consent app's redirect after
  successful consent request acceptance.
4. Malice must be able to perform this attack within the expiry (10 minutes)
  of the consent request.

For these reasons, an exploit for this vulnerability is not likely,
but possible.

This patch closes the described vulnerability by requiring a
`consent_csrf` value additional to the `consent` value in the query
parameters of the authorization url. Without that value, the authorization
code flow will not be successful. The `consent_csrf` is transmitted out-of-band
to the consent app and not accessible to Malice. Let's revisit the example
from above:

1. Malice initiates an OAuth 2.0 Authorization Code Flow:
  https://hydra/oauth2/auth?client=...
  - Hydra creates the consent request id and an additional CSRF token
    which is stored in the database and the encrypted cookie. Malice
    is not able to see the CSRF token.
2. Hydra redirects malice to the consent app and appends consent
  id "example-id": https://consent-app/?consent=example-id
3. Malice convinces Bob to open url https://consent-app/?consent=example-id
  and authorize the access request.
4. The consent app would redirect Bob back to
  `https://hydra/oauth2/auth?client=...&consent=example-id&consent_csrf=csrf_token`.
  The redirection URL is only accessible to the consent app and Bob's user agent.
  However, through some means, Malice is able to prevent redirection of Bob's
  user agent.
5. Malices does not know the value for `consent_csrf`, accessing
  `https://hydra/oauth2/auth?client=...&consent=example-id` without
  setting `consent_csrf` causes the request to fail and the consent to
  be revoked.

This patch does not introduce breaking changes. Upgrading to the version
which contains this patch does not require any code changes or deployment
changes.
@aeneasr aeneasr added this to the 1.0.0-alpha1 milestone Feb 7, 2018
@aeneasr aeneasr self-assigned this Feb 7, 2018
@aeneasr aeneasr merged commit 1e80a1d into master Feb 7, 2018
@aeneasr aeneasr deleted the branch-0.11 branch February 9, 2018 09:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@aeneasr aeneasr

Labels
package/oauth2
Projects
None yet
Milestone
1.0.0-alpha.1
Development

Successfully merging this pull request may close these issues.
1 participant
@aeneasr