Please-open.it token leak extension

TL;DR: This is a Chrome extension that checks the OAuth2/OpenID Connect authentication process on any website. Just install it, log in, and check for alerts and recommendations.

How to test

Our authentication app, https://auth.please-open.it, which we use for portals and doors.

https://www.oauth.com/playground/, a great tool with all flows implemented step by step and in great detail.

Company

Please-open.it is a French company specialized in authentication. We deal with OAuth2, especially with Keycloak.

We have an offer based on "Keycloak as a service": get your own realm on our infrastructure.

We also built an authorization platform. It works with all common OAuth2 providers (Google, Facebook, Twitter, Microsoft, ...) and adds:

  • user filtering based on email, Google Suite organization, group membership on Facebook, or any filtering on a user property
  • Time-based authorizations
  • Calendar restrictions

Works perfectly for doors, gates or any access control device built with standard industrial hardware.

Intro

Several months ago, we discovered a data leak on Pôle emploi's website (2 failles de sécurité chez pole emploi, in French). It showed several widespread problems:

For internal use, we have a small tool for analysing authentication processes. This tool was based on Apache JMeter with proxy recording.

We rebuilt this tool directly in Chrome as an extension. The extension inspects only the requests made from a web page and checks them against known patterns we already had. A small output in an HTML popup then shows the potential problems.

To make your authentication more secure, this tool is now free and open source.

Status of the project

It is a big draft for now: a stack of rules hardcoded in JavaScript. It displays information about suspicious requests or misuse of tokens.

Contributions are welcome.

Installation

Today the extension is not published on the Chrome Web Store: Google does a manual review of it because of the permissions it requests.

Clone or download this repo.

Go to chrome://extensions and turn on "Developer mode". Click "Load unpacked" and select the location where you cloned this repo.

https://webkul.com/blog/how-to-install-the-unpacked-extension-in-chrome/

The extension is now installed; you will see a yellow lock near the address bar.

How to use

Go to the authentication page of your website. The extension is always listening.

(screenshot: capture)

It shows the authentication steps directly, each with a message, a level and details.

  • Green: informational, a good usage
  • Gray: manual verification is required, for example a check of the HTTP headers
  • Yellow: a misuse
  • Red: a bad usage
  • Red with a big border: a fix is required ASAP

A "details" link reveals the context: initiator, HTTP method and called URL.

The "More ..." link gives you recommendations from this repo.

Do not forget to clean all results between two tests.

Remember, it is a draft. Some cases are not well covered. For instance, when an authorization_code is exchanged for an access_token through a backend (rather than with a direct call from the browser to the authentication server), which is the best way to do it, this exchange is sometimes not detected. All information from this app needs manual verification.

Recommendations

All recommendations are based on Internet Engineering Task Force (IETF) and OAuth2 standards. They are not obligations, and there are many ways to interpret them.

The recommendations we write for this public tool are general; check your frameworks, languages and usages to know how to implement the standard best for high security.

Contribution

All contributions are welcome. Check the wiki pages for recommendations.

The background.js file is the analysis tool: a stack of "if" statements with string comparisons. Local storage is needed to keep an environment between requests.

chrome.storage.local is the way we found to communicate results to the popup HTML file.
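To show what such a rule stack looks like, here is an added example in the same spirit: a list of string checks run over each captured request, each producing a finding at one of the popup's levels, with the same context (initiator, HTTP method, called URL) the "details" link exposes. This is illustrative code written for this README, not the project's background.js; the request object shape, the level names, the rule texts, the helper names (splitParams, analyseRequest, analyseCapture) and the sample capture are all assumptions made for the example. It also goes slightly beyond the README by distinguishing tokens in the query string from tokens in the URL fragment, and by flagging a client_secret sent from the browser during the code exchange.

```javascript
// Added example, not the project's own background.js: a small rule stack in
// the spirit the README describes (string checks over each captured request),
// producing findings at the popup's colour levels. Request shape, level names,
// rule texts and helper names are assumptions; the sample capture is constructed.

const LEVEL = {
  GREEN: "green",            // good usage, informational
  GRAY: "gray",              // manual verification required
  YELLOW: "yellow",          // misuse
  RED: "red",                // bad usage
  RED_BORDER: "red-border",  // fix required ASAP
};

// Split a URL into query parameters and fragment parameters. A token in the
// fragment (implicit flow) never reaches the server, a token in the query
// string does, so the two cases are reported differently.
function splitParams(urlString) {
  const url = new URL(urlString);
  const query = new URLSearchParams(url.search);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  return { url, query, fragment };
}

// Form-encoded body (token endpoint requests); a missing body yields no params.
function bodyParams(body) {
  return new URLSearchParams(body || "");
}

// Each rule receives the request plus its parsed pieces and returns a finding
// ({ level, message }) or null when it does not apply.
const RULES = [
  // Bearer token in the query string: it lands in server logs, browser history
  // and Referer headers (RFC 6750 section 2.3 discourages this).
  ({ query }) =>
    query.has("access_token")
      ? { level: LEVEL.RED, message: "access_token sent in the URL query string" }
      : null,

  // Token delivered in the URL fragment: implicit flow response. The
  // authorization code flow is the recommended replacement.
  ({ fragment }) =>
    fragment.has("access_token")
      ? { level: LEVEL.YELLOW, message: "access_token returned in the URL fragment (implicit flow)" }
      : null,

  // Authorization code flow: green with PKCE (code_challenge), otherwise the
  // client type has to be verified by hand.
  ({ query }) => {
    if (query.get("response_type") !== "code") return null;
    return query.has("code_challenge")
      ? { level: LEVEL.GREEN, message: "authorization code flow with PKCE" }
      : { level: LEVEL.GRAY, message: "authorization code flow without PKCE: check that the client is confidential" };
  },

  // Code exchanged for a token straight from the browser; the README's
  // preferred design does this exchange in a backend. A client_secret in that
  // browser request is readable by anyone using the page.
  ({ request, body }) => {
    if (request.method !== "POST" || body.get("grant_type") !== "authorization_code") return null;
    return body.has("client_secret")
      ? { level: LEVEL.RED_BORDER, message: "client_secret sent from the browser during code exchange" }
      : { level: LEVEL.YELLOW, message: "authorization code exchanged directly from the browser, not via a backend" };
  },

  // Bearer token in the Authorization header is the normal way to present it;
  // like the popup's gray level, this only asks for a manual look at headers.
  ({ request }) => {
    const headers = request.headers || {};
    const auth = headers.Authorization || headers.authorization || "";
    return /^Bearer /i.test(auth)
      ? { level: LEVEL.GRAY, message: "Bearer token in Authorization header: verify transport and header handling manually" }
      : null;
  },
];

// Run every rule over one captured request; findings carry the same context
// the popup's "details" link shows: initiator, HTTP method and called URL.
function analyseRequest(request) {
  const { url, query, fragment } = splitParams(request.url);
  const body = bodyParams(request.body);
  const context = { request, url, query, fragment, body };
  const details = { initiator: request.initiator, method: request.method, url: request.url };
  return RULES.map((rule) => rule(context))
    .filter(Boolean)
    .map((finding) => ({ ...finding, details }));
}

function analyseCapture(capture) {
  return capture.flatMap(analyseRequest);
}

// Constructed sample capture: an authorization request, a browser-side token
// exchange that leaks a secret, and an API call with the token in the query.
const SAMPLE_CAPTURE = [
  { method: "GET", initiator: "https://app.example", headers: {}, body: "",
    url: "https://idp.example/authorize?response_type=code&client_id=web&code_challenge=CONSTRUCTED&redirect_uri=https://app.example/cb" },
  { method: "POST", initiator: "https://app.example", headers: {}, url: "https://idp.example/token",
    body: "grant_type=authorization_code&code=CONSTRUCTED_CODE&client_id=web&client_secret=CONSTRUCTED_SECRET" },
  { method: "GET", initiator: "https://app.example", headers: {}, body: "",
    url: "https://api.example/me?access_token=CONSTRUCTED_TOKEN" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of analyseCapture(SAMPLE_CAPTURE)) {
    console.log(`[${f.level}] ${f.message} (${f.details.method} ${f.details.url})`);
  }
}
```

Inside the real extension, a request captured through the webRequest API would be passed to analyseRequest and the resulting findings written with chrome.storage.local so the popup can render them; here the array is simply returned so the rules can be exercised offline.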
