From e08a231aba85a24db4db68c3ba66e1564adf62b5 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Thu, 26 May 2022 16:36:44 +0200 Subject: [PATCH] Add security consideration: Code injection attacks This addresses issue #1731. See: https://github.com/w3c/webauthn/issues/1731 --- index.bs | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/index.bs b/index.bs index 4bc23fc71..fb2005bdc 100644 --- a/index.bs +++ b/index.bs 
@@ -6898,6 +6898,41 @@ This issue is similar to the one described in [[#sctn-username-enumeration]] and [[#sctn-credential-id-privacy-leak]], and can be mitigated in similar ways. +### Code injection attacks ### {#sctn-code-injection} + +Any malicious code executing on an +[=determines the set of origins on which the public key credential may be exercised|origin=] +within the [=scope=] of a [=[RP]=]' [=public key credentials=] +has the potential to invalidate any and all security guarantees WebAuthn may provide. +[=[WAC]s=] only expose the WebAuthn API in [=secure contexts=], +which mitigates the most basic attacks but SHOULD be combined with additional precautions by [=[RPS]=]. + +Code injection can happen in several ways; +this section attempts to point out some likely scenarios and suggest suitable mitigations, +but is not an exhaustive list. + + - Malicous code could be injected by a third-party script included by the [=[RP]=], + either intentionally or due to a security vulnerability in the third party. + + The [=[RP]=] therefore SHOULD limit the amount of third-party script included on the + [=determines the set of origins on which the public key credential may be exercised|origins=] + within the [=scope=] of its [=credentials=]. + + The [=[RP]=] SHOULD use Content Security Policy [[!CSP2]], + and/or other appropriate technologies available at the time, to limit what script can run on its + [=determines the set of origins on which the public key credential may be exercised|origins=]. + + - Malicious code could, by the credential [=scope=] rules, be hosted on a subdomain of the [=RP ID=]. + For example, user-submitted code hosted on `usercontent.example.org` + could exercise any [=credentials=] [=scoped=] to the [=RP ID=] `example.org`. + Malicious code could use this to launch a [=man-in-the-middle attack=] + to obtain valid [=authentication assertions=] and impersonate the victims of the attack. 
+ + The [=[RP]=] therefore MUST NOT serve untrusted code on any subdomain of any + [=determines the set of origins on which the public key credential may be exercised|origin=] + within the [=scope=] of its [=public key credentials=]. + + # Privacy Considerations # {#sctn-privacy-considerations} The privacy principles in [[!FIDO-Privacy-Principles]] also apply to this specification.
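Review bot: two typos in the first bullet and the opening paragraph should be fixed before merge: "Malicous code could be injected" should read "Malicious code", and the possessive "[=[RP]=]' [=public key credentials=]" is missing its "s" ("[=[RP]=]'s [=public key credentials=]"). On substance, the subdomain scenario labels the attack a "man-in-the-middle attack", but what the text actually describes is code on `usercontent.example.org` calling the API directly with RP ID `example.org` and relaying the resulting assertion; consider wording that as "use the obtained assertion to impersonate the victim" so readers do not expect network interception to be involved. The third-party-script mitigation could also mention that CSP is only one of the "other appropriate technologies"; since the text already cites [[!CSP2]] normatively, confirm that reference is intended to be normative rather than informative.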