<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I maintain a backlog of threats/issues to be covered. What exactly does WPAD mean?</div><div><br>On 26.08.2017 at 11:36, Nat Sakimura <<a href="mailto:nat@sakimura.org">nat@sakimura.org</a>> wrote:<br><br></div><blockquote type="cite"><div>

<p>Indeed. </p>
<p>In the <a href="https://tools.ietf.org/html/draft-ietf-oauth-security-topics-01">https://tools.ietf.org/html/draft-ietf-oauth-security-topics-01</a>, it might be a good idea to add WPAD attack to one of the potential ways for the code leakage. Is there an issue tracker for the doc? </p>
<div>
<pre>---<br>Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation</pre>
</div>
<p>On 2017-08-26 17:42, Torsten Lodderstedt wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<div> </div>
<div>You may just refer to <a href="https://tools.ietf.org/html/draft-ietf-oauth-security-topics-01">https://tools.ietf.org/html/draft-ietf-oauth-security-topics-01</a>, in particular section 3.1</div>
<div><br>On 26.08.2017 at 10:14, Nat Sakimura <<a href="mailto:nat@sakimura.org">nat@sakimura.org</a>> wrote:<br><br></div>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<div><span>Thanks, Torsten.</span><br><span></span><br><span>Right. So an attack scenario I guess is a privilege escalation using code injection.</span><br><span></span><br><span>Environment</span><br><span>-------------</span><br><span>- RFC6749 code grant with a confidential client (e.g. web server client)</span><br><span>- The victim's front channel communication is somehow compromised (e.g., through WPAD attack, server log, etc.)</span><br><span>- The client is implementing RFC6749 properly with XSRF protection etc.</span><br><span></span><br><span>Attack Scenario</span><br><span>-----------------</span><br><span>1. The victim and the attacker are using the same web client.</span><br><span>2. The attacker gets the victim's `code` somehow, e.g., WPAD attack.</span><br><span>3. The attacker inserts the `code` into the session he started.</span><br><span>4. The client sends the `code` with its client secret to the token endpoint.</span><br><span>5. The token endpoint verifies the client secret and that the code was issued to the client.</span><br><span>6. The token endpoint sends the access token back to the client.</span><br><span>7. The client accesses the victim's protected resource successfully and returns it to the attacker. SUCCESS.</span><br><span></span><br><span></span><br><span>Mitigation</span><br><span>-----------</span><br><span>Use PKCE with S256. By doing so, the above scenario changes to:</span><br><span></span><br><span>1. The victim and the attacker are using the same web client.</span><br><span>2. The attacker gets the victim's `code` somehow, e.g., WPAD attack.</span><br><span>3. The attacker inserts the `code` into the session he started.</span><br><span>4. The client sends the `code` with its client secret and the code verifier to the token endpoint.</span><br><span>5. The token endpoint verifies the client secret and that the code was issued to the client.</span><br><span>5a. 
The token endpoint verifies the code verifier matches the one tied to the code. This fails.</span><br><span>6. The token endpoint sends the error back to the client.</span><br><span>7. The attack FAILED.</span><br><span></span><br><span>I will add the above explanation to the ticket #11. The ticket itself was saying that we should document it, which we did not :-(</span><br><span></span><br><span></span><br><span>For Read&Write, we are mandating hybrid flow. However, for the Read only, we are not.</span><br><span>Thus, for the Read Only (Part 1), we should still mandate the use of PKCE.</span><br><span></span><br><span>That's why it is saying</span><br><span></span><br><span>* shall support [RFC7636] or the mechanisms defined in Financial API - Part 2;</span><br><span></span><br><span></span><br><span>---</span><br><span>Nat Sakimura</span><br><span>Research Fellow, Nomura Research Institute</span><br><span>Chairman of the Board, OpenID Foundation</span><br><span></span><br><span>On 2017-08-25 18:15, Torsten Lodderstedt wrote:</span><br>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Hi Nat,</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>just guessing - the new OAuth security BCP recommends use of PKCE for</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>detecting/preventing code injection attacks. That might be the reason</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>for adding the requirement to the FAPI profile.</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>I know the hybrid flow („code id_token“) is an alternative</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>countermeasure in the OIDC space. So my question is: will FAPI allow</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>use of pure authz code flow? Then recommending PKCE for code injection</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>makes a lot of sense.</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>best regards,</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Torsten.</span></blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>On 24.08.2017 at 19:43, Nat Sakimura via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Hi.</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Current text reads like it is requiring PKCE support even for the confidential client.</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Do you remember the reason for it? Or is it just an editorial error?</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>John may have mentioned a potential attack that PKCE could help but I do not quite remember the details....</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>If it is an error, then we should fix it for the final.</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Best,</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>--</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Nat Sakimura</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Research Fellow, Nomura Research Institute</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Chairman of the Board, OpenID Foundation</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>_______________________________________________</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span>Openid-specs-fapi mailing list</span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span><a href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.openid.net</a></span></blockquote>
</blockquote>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a></span></blockquote>
</blockquote>
</div>
</blockquote>
</blockquote>
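<div><p>The two numbered scenarios in Nat's message (code injection against a confidential client without PKCE, then with PKCE S256) as an added, self-contained example; this is editor-written code, not from the thread, the FAPI profile or any real authorization server. The client id, client secret and the toy AuthorizationServer class are constructed for illustration.</p>

```python
import base64
import hashlib
import hmac
import secrets

def make_verifier() -> str:
    # RFC 7636 section 4.1: 32 random bytes, base64url without padding, gives 43 chars
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode()

class AuthorizationServer:
    """Constructed toy authorization server: one confidential client, codes bound to client_id."""
    def __init__(self):
        self.clients = {"web-client": "constructed-client-secret"}  # constructed credentials
        self.codes = {}  # code -> {client_id, sub, challenge}

    def authorize(self, client_id, subject, code_challenge=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "sub": subject, "challenge": code_challenge}
        return code

    def token(self, client_id, client_secret, code, code_verifier=None):
        # Step 5 of the thread: authenticate the client and check the code was issued to it.
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)  # single use
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        # Step 5a: with PKCE the verifier must hash to the challenge bound to this code.
        if grant["challenge"] is not None and (
            code_verifier is None
            or not hmac.compare_digest(s256_challenge(code_verifier), grant["challenge"])
        ):
            return {"error": "invalid_grant"}
        return {"access_token": "token-for-" + grant["sub"]}

def code_injection(use_pkce: bool) -> dict:
    """Attacker injects the victim's leaked code into the attacker's own session at the same web client."""
    srv = AuthorizationServer()
    victim_verifier = make_verifier() if use_pkce else None
    challenge = s256_challenge(victim_verifier) if use_pkce else None
    victim_code = srv.authorize("web-client", "victim", challenge)  # leaked via the front channel
    # The client ties a code_verifier to each browser session, so the attacker's session has its own.
    attacker_verifier = make_verifier() if use_pkce else None
    return srv.token("web-client", "constructed-client-secret", victim_code, attacker_verifier)
```

Without PKCE the client secret and client_id checks both pass, so the victim's token is returned to the attacker's session; with PKCE the mismatched verifier fails step 5a and the token endpoint answers invalid_grant.</div>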

</div></blockquote></body></html>