[Openid-specs-fapi] Issue #78: Malicious Endpoint Attack (openid/fapi)

Edmund Jay issues-reply at bitbucket.org
Fri Mar 17 23:03:30 UTC 2017


New issue 78: Malicious Endpoint Attack
https://bitbucket.org/openid/fapi/issues/78/malicious-endpoint-attack

Edmund Jay:

This is an attack listed in the report [SoK: Single Sign-On Security – An Evaluation of OpenID Connect](https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/30/oidc-security.pdf).

In this test, the Attacker OP returns a maliciously crafted Discovery document and afterwards creates an ID Token containing the identity of the victim, which is controlled by another OP, the Honest OP.

Execution.
The Attacker OP returns the following configuration during the Discovery phase.
    {
        "issuer": "https://opivAttackerOP.com",
        "registration_endpoint": "https://opivHonestOP.com/register",
        "authorization_endpoint": "https://opivHonestOP.com/auth",
        "token_endpoint": "https://opivAttackerOP.com/token",
        "userinfo_endpoint": "https://opivAttackerOP.com/userinfo"
        ...
    }

Result Evaluation.
The goal of this test is to verify whether the End-User authentication can be broken. The attack is successful if the Attacker OP receives any secret information, for example, client_id, client_secret, code or access token, generated by the Honest OP.
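The following is an added example, not part of the issue above or of the FAPI project's code, showing the kind of check an RP can run on a Discovery document before using it. It applies two rules: the OIDC Discovery requirement that the "issuer" value equal the issuer the RP derived the well-known URL from, and a stricter policy (an assumption of this example, not something the Discovery spec mandates) that every endpoint URL share the issuer's host. Under that policy the mixed document from the issue is rejected because its registration and authorization endpoints point at the Honest OP while the token endpoint points at the Attacker OP. The sample documents are constructed copies; the "..." from the original is dropped.

```python
from urllib.parse import urlparse

# Constructed copy of the Discovery document shown in the issue.
ATTACKER_DISCOVERY = {
    "issuer": "https://opivAttackerOP.com",
    "registration_endpoint": "https://opivHonestOP.com/register",
    "authorization_endpoint": "https://opivHonestOP.com/auth",
    "token_endpoint": "https://opivAttackerOP.com/token",
    "userinfo_endpoint": "https://opivAttackerOP.com/userinfo",
}

# Constructed document where every endpoint belongs to the issuer.
HONEST_DISCOVERY = {
    "issuer": "https://opivHonestOP.com",
    "registration_endpoint": "https://opivHonestOP.com/register",
    "authorization_endpoint": "https://opivHonestOP.com/auth",
    "token_endpoint": "https://opivHonestOP.com/token",
    "userinfo_endpoint": "https://opivHonestOP.com/userinfo",
    "jwks_uri": "https://opivHonestOP.com/jwks",
}


def scheme_and_host(url):
    """Return (scheme, hostname) for a URL; hostname is lower-cased by urlparse."""
    parsed = urlparse(url)
    return parsed.scheme.lower(), parsed.hostname


def check_discovery(doc, expected_issuer):
    """Validate a Discovery document before the RP uses any endpoint in it.

    Returns a list of problem strings; an empty list means the document
    passes. 'expected_issuer' is the issuer the RP built the
    /.well-known/openid-configuration URL from.
    """
    problems = []
    issuer = doc.get("issuer")
    if not issuer:
        return ["missing issuer"]

    # OIDC Discovery: the issuer claimed in the document must match the
    # issuer the document was fetched for.
    if issuer != expected_issuer:
        problems.append(
            f"issuer mismatch: document says {issuer}, fetched for {expected_issuer}"
        )

    iss_scheme, iss_host = scheme_and_host(issuer)
    if iss_scheme != "https":
        problems.append(f"issuer is not https: {issuer}")

    # Example policy (assumption, stricter than the spec): every endpoint and
    # the jwks_uri must live on the issuer's own host, so that credentials
    # obtained from one OP are never sent to another.
    for key, value in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        ep_scheme, ep_host = scheme_and_host(value)
        if ep_scheme != "https":
            problems.append(f"{key} is not https: {value}")
        if ep_host != iss_host:
            problems.append(
                f"{key} host {ep_host} differs from issuer host {iss_host}"
            )
    return problems


if __name__ == "__main__":
    for name, doc, expected in (
        ("honest", HONEST_DISCOVERY, "https://opivHonestOP.com"),
        ("attacker", ATTACKER_DISCOVERY, "https://opivAttackerOP.com"),
    ):
        result = check_discovery(doc, expected)
        print(name, "OK" if not result else result)
```

With this policy the attacker's document fails on exactly the two endpoints that were redirected to the Honest OP, which is the pattern the issue describes: registration and authorization happen at the Honest OP, so the client_id, client_secret and code it issues would otherwise be delivered by the RP to the attacker's token endpoint.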
