[Openid-specs-fapi] Issue #78: Malicious Endpoint Attack (openid/fapi)
Edmund Jay
issues-reply at bitbucket.org
Fri Mar 17 23:03:30 UTC 2017
New issue 78: Malicious Endpoint Attack
https://bitbucket.org/openid/fapi/issues/78/malicious-endpoint-attack
Edmund Jay:
This is an attack listed in the report [SoK: Single Sign-On Security – An Evaluation of OpenID Connect](https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/30/oidc-security.pdf).
In this test, the Attacker OP returns a maliciously crafted Discovery document and afterwards creates an ID Token containing the identity of the victim, which is controlled by another OP – Honest OP.
Execution.
The Attacker OP returns the following configuration during the Discovery phase.
{
"issuer": "https://opivAttackerOP.com",
"registration_endpoint": "https://opivHonestOP.com/register",
"authorization_endpoint": "https://opivHonestOP.com/auth",
"token_endpoint": "https://opivAttackerOP.com/token",
"userinfo_endpoint": "https://opivAttackerOP.com/userinfo"
...
}
Result Evaluation.
The goal of this test is to verify whether the End-User authentication can be broken. The attack is successful if the Attacker OP receives any secret information, for example, client_id, client_secret, code or access token, generated by the Honest OP.
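As an added example (not from the issue, the FAPI working group or the cited paper), the following relying-party check flags the endpoint mix shown above: the "issuer" and "token_endpoint" sit on one host while "registration_endpoint" and "authorization_endpoint" point at another. The same-host policy is an assumption for illustration; OpenID Connect Discovery only mandates that the issuer value match the URL the document was fetched from.

```python
import json
from urllib.parse import urlsplit

# Endpoint keys a relying party sends secrets to or redirects the user to.
ENDPOINT_KEYS = (
    "registration_endpoint",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
)

def check_discovery(doc, fetched_from):
    """Return findings for a parsed discovery document; [] means clean.

    fetched_from is the issuer URL the RP used to request
    /.well-known/openid-configuration.
    """
    findings = []
    issuer = doc.get("issuer", "")
    # OIDC Discovery requires the issuer value to equal the URL it was fetched from.
    if issuer.rstrip("/") != fetched_from.rstrip("/"):
        findings.append(f"issuer mismatch: {issuer!r} != {fetched_from!r}")
    issuer_host = urlsplit(issuer).netloc.lower()
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key} is not https: {url}")
        # Policy choice (assumption): every endpoint must be on the issuer's host.
        # The spec does not forbid other hosts, so treat this as a warning to review.
        if parts.netloc.lower() != issuer_host:
            findings.append(f"{key} host {parts.netloc!r} differs from issuer host {issuer_host!r}")
    return findings

# Constructed sample: the Attacker OP configuration quoted in the issue.
ATTACKER_DISCOVERY = json.loads("""{
  "issuer": "https://opivAttackerOP.com",
  "registration_endpoint": "https://opivHonestOP.com/register",
  "authorization_endpoint": "https://opivHonestOP.com/auth",
  "token_endpoint": "https://opivAttackerOP.com/token",
  "userinfo_endpoint": "https://opivAttackerOP.com/userinfo"
}""")

if __name__ == "__main__":
    for finding in check_discovery(ATTACKER_DISCOVERY, "https://opivAttackerOP.com"):
        print("WARNING:", finding)
```

Run against the sample, the check reports the two Honest OP endpoints; a document whose endpoints all share the issuer's host produces no findings.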