Beruflich Dokumente
Kultur Dokumente
I. I NTRODUCTION
OAuth (open standard for authorization) protocol provides
a generic framework to let a resource owner authorize thirdparty to access the owners resource held at a server without
revelaing to the third-party the owners credentials (such as
username and password) [1], [2].
The protocol works roughly as follows. When required by a
(trusted) third-party, the resource owner requests the server to
provide a valet key to the third-party. The server authenticates
the resource owner (e.g. using username and password) and
once authenticated, passes a valet key. The third-party then
uses the valet key to access the owners resources held at the
server. See Figure 1.
5HVRXUFHDFFHVVUHTXHVW
9DOHWNH\IRUUHVRXUFH
DFFHVV
&OLHQW$SS7KLUG
3DUW\
(QGXVHU5HVRXUFH
2ZQHU
6HUYHUKROGLQJRZQHUV
UHVRXUFHV
Fig. 1.
271
authorization code
http://127.0.0.1:3000/oauth2callback/
678942420820.apps.googleusercontent.com
hWh0fWA79J42z m19PB7iINU
web server
4/Y5PZXm . . . GMuFzsEfQI
Fig. 2.
E. Access Tokens
According to OAuth 2.0 specication, the access token
represents the grants scope, expiration and other attributes
issued by the authorization server. It is important for the
legitimate client to keep the access token safe from unintended
parties.
OAuth working group published two specications OAuth
2.0 Message Authentication Code (MAC) Token [4] and
OAuth 2.0: Bearer Token Usage [5] to describe the usage of
272
the access token. These two drafts dene two kinds of access
tokens: Bearer Token and MAC Access Token respectively.
Bearer tokens are considered less secure compared to MAC
access tokens because anyone simply possessing of the token
can have access to the protected resources. No signature of
the API request is needed in the API endpoint. Although it
has this weakness, most major service providers implementing
OAuth 2.0 protocol use bearer tokens as a form of access
tokens due to its simplicity. There is always a tradeoff between
security and usability. To protect against token disclosure,
especially bearer tokens, the specication requires that the TLS
mechanism must be used in the transmission of access token
requests and protected resource requests [5].
To minimize the risk as a consequence of stolen token, the
protocol introduces a short-lived access token and a long-live
refresh token. If the duration authorized to an access token
is expired, the client application can use the refresh token to
issue another access token request. What happens if the refresh
token is stolen? The answer is any party possessing of the
refresh token will have a long duration of authorized access to
the protected resources. Therefore, the optional refresh token
is only granted to the client applications with high security
standard.
III. R ELATED W ORK
Francisco and Karen classied OpenID and OAuth as a
double-redirection protocol [6], [7]. First redirection is the
application redirects the browser to a third party authentication
or authorization endpoint. Second redirection is the third
party endpoint redirects the browser to a callback endpoint
of the application. They analyze the security of the doubleredirection protocol and nd that the user is vulnerable to
phishing attacks if the third partys authentication or authorization endpoint is not protected by TLS. Moreover, they point
out that implementing TLS in the callback endpoint of the
application can provide security protection against man-in-themiddle and passive attacks.
Uruena et al. present a paper studying the privacy risks for
the users of the OpenID Single Sign-On mechanism [8]. They
nd out that OpenID Authentication Protocol relying URLparameter encoding as a means of information transmission
between the Relying Party and the OpenID Provider can
potentially compromise privacy of the application users. Even
though the parameters of the authentication grant response are
signed to protect the integrity, anyone that has access to the
full URLs of the authentication request or response can see all
these non-encrypted parameters such as OpenID Identier. It
is extremely easy to access these URLs due to the nature of the
Hypertext Transfer Protocol (HTTP). Nowadays, it is unlikely
for a website to only host their resource . So resources such
images and links from third parties are often embedded in the
page the user is currently visiting. All these external resources
will trigger individual HTTP request to a third party with a
Referer header set to the full URL of the web page where
those resources are accessed from. Presenting the Referer
eld in HTTP request header can prevent CSRF attacks and
273
Google Client
Internet
Local Network
Local Client
Fig. 3.
274
the resource owners user-agent and the client application, between the client application and the authorization
server, and between the resource owners user-agent and
the authorization server) are eavesdropped by the attacker
model.
It is assumed that the attacker model is equipped with
unlimited resources to launch an attack
3. User authenticates
Authorization Server
7. Grant access token
6. Access token request
Replay attack by
sending the
captured request
Capture request
Resource Owner
User-agent
Client Application
Plain Text
TLS with no signature
Fig. 4.
site he or she intended to. When the victim initiates the ow,
he is redirected to the authorization server with the request
containing the malicious clients client id and redirect URI.
Once the malicious application receives the authorization code,
it constructs a request with the authorization code and sends
it to the callback endpoint of the legitimate client.
3. User authenticates
Authorization Server
Legitimate Client
6. Login as the victims account
By the stolen authorization code
Resource Owner
User-agent
Malicious Client
Plain Text
TLS with no signature
Fig. 5.
3. User authenticates
Authorization Server
7. Grant access token
6. Access token request
2. Initiate the protocol
4. Redirect user back to
the client with a authorization code
Resource Owner
User-agent
Client Application
Plain Text
TLS with no signature
Fig. 6.
275
D. Observations
We nd that the local authorization server is vulnerable to
replay attacks. We observed that authorization code redirection
is sent by the web browser to the client application, followed
by a forged request with the same authorization code. We can
see that both requests gain access to the restricted area of the
site. This means the local authorization server does not have
any authorization code restriction limiting the duration of the
authorization code. In contrast, Google authorization server
passed the replay attack vulnerability test, which indicates
that it enforce one-time use of the authorization code. We
also manually tested this vulnerability on Facebook and found
out that it allows multiple-time uses. While multiple-time
uses of an authorization code gives developers exibility in
implementation, it may result in replay attacks vulnerability.
We recommend that the authorization server should enforce
one-time use of authorization codes unless proper security
measure is put in place to prevent malicious reuse of the
authorization code, as specied in the OAuth 2.0 specication.
The
Google
client
application
hosted
in
www.livejournal.com and found that two tests were failed on
this website. We observed that the livejournal site failed the
impersonation attack vulnerability test. After anaylzing the
HTTP trafc from the generated HAR les, we found out
that the livejournal site set a cookie in the users web browser
when the user visits a page from the site. When the user is
redirected back from the authorization server, the callback
endpoint considers the redirection invalid if the cookie is not
contained in the request. From the packet captures, it seemed
that the site tries to prevent the impersonation attacks by
storing a cookie in the users web browser.
In this case, only having the authorization code is not
sufcient enough to impersonate the victims account. It must
cooperate with a valid cookie from livejournal.com. Since the
callback endpoint of the livejournal website is not protected
by TLS, the HTTP trafc data is not encrypted. So it is
extremely easy for the attacker to obtain the cookie as well as
the authorization code. Furthermore, the failed test testImpersonationAttackByAuthCodeAndForgedCookie shows that the
original cookie is not necessary for the callback endpoint
request from the redirection. It can be simply replaced by any
other cookie that is obtained by any other connection to the
page. This means the livejournal site users account is likely
to be compromised as long as the authorization code is leaked
to the attacker. The approach where the livejournal site sets a
cookie in advance when the user rst visits the page does not
thwart the attacks.
How does the Google authorization server perform in the
test? The passing GoogleOAuthVulnerabilityTest indicates that
appropriate countermeasures are carried out by Goolge to
ensure access token requests are legitimate. For example, onetime use of authorization code and the clients authenticity
are enforced by Google. To enhance user experience, Google
introduces automatic authorization grant features in the authorization ow of OAuth 2.0. This means, if the user has
276