Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect

Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect

Wanpeng Li 1 Department of Electrical & Electronic Engineering
City, University of London, UK
{Wanpeng.Li, Tom.Chen.1}@city.ac.uk1
Chris J Mitchell 2Information Security Group
Royal Holloway, University of London, UK
C.Mitchell@rhul.ac.uk2
Thomas Chen 1 Department of Electrical & Electronic Engineering
City, University of London, UK
{Wanpeng.Li, Tom.Chen.1}@city.ac.uk1
Abstract

Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.

1 Introduction

Since the OAuth 2.0 authorisation framework was published at the end of 2012 [11], it has been adopted by a large number of websites worldwide as a means of providing single sign-on (SSO) services. By using OAuth 2.0, websites can reduce the burden of password management for their users, as well as saving users the inconvenience of re-entering attributes that are instead stored by identity providers and provided to relying parties as required.

There is a correspondingly rich infrastructure of identity providers (IdPs) providing identity services using OAuth 2.0. This is demonstrated by the fact that some Relying Parties (RPs), such as the website USATODAY111https://login.usatoday.com/USAT-GUP/authenticate/?, support as many as six different IdPs — see Fig. 1.

Figure 1: The OAuth 2.0 IdPs supported by USATODAY

As discussed in greater detail in section 4, the theoretical security of OAuth 2.0 has been analysed using formal methods [1, 2, 4, 5, 9, 17, 21]. Research focusing on the practical security and privacy properties of implementations of OAuth 2.0 has also been conducted [6, 13, 14, 19, 22, 23, 25]. This latter research has revealed that many real-world implementations of OAuth 2.0 and OpenID Connect have serious vulnerabilities, often because the implementation advice from IdPs is hard to follow.

In this paper we look at a class of cross-site request forgery (CSRF) attacks which have been shown to apply to many real-world implementations of both OAuth 2.0 and OpenID Connect (which is OAuth 2.0-based). In particular, we examine a new class of mitigations which can be applied to prevent such attacks; such techniques are needed because, although existing mitigations are effective in principle, for a variety of practical reasons these are often not deployed in operational implementations.

The remainder of this paper is structured as follows. Section 2 provides background on OAuth 2.0. In section 3 we describe implementation strategies that RPs use to support multiple IdPs. Section 4 summarises previous work analysing the security of real-world OAuth 2.0 implementations. Section 5 describes the adversary model we use in this paper, and also gives a detailed description of possible CSRF attacks against OAuth 2.0 and OpenID Connect. In section 6 we propose a new approach to defend against CSRF attacks. In section 7 we describe how CSRF attacks can be mitigated for RPs using a specific OAuth 2.0 client library. Section 8 describes possible limitations of our approach and also possible ways of avoiding these limitations. Section 9 concludes the paper.

2 Background

2.1 OAuth 2.0

The OAuth 2.0 specification [11] describes a system that allows an application to access resources (typically personal information) protected by a resource server on behalf of the resource owner, through the consumption of an access token issued by an authorization server. In support of this system, the OAuth 2.0 architecture involves the following four roles (see Fig. 2).

  1. The Resource Owner is typically an end user.

  2. The Client is an application running on a server, which makes requests on behalf of the resource owner (the Client is the RP when OAuth 2.0 is used for SSO).

  3. The Authorization Server generates access tokens for the client, after authenticating the resource owner and obtaining its authorization.

  4. The Resource Server is a server which stores the protected resources and consumes access tokens provided by an authorization server (the Resource Server and Authorization Server together constitute the IdP when OAuth 2.0 is used for SSO).

Fig. 2 provides an overview of the operation of the OAuth 2.0 protocol. The client initiates the process by sending (1) an authorization request to the resource owner. In response, the resource owner generates an authorization grant (or authorization response) in the form of a code, and sends it (2) to the client. After receiving the authorization grant, the client initiates an access token request by authenticating itself to the authorization server and presenting the authorization grant, i.e. the code issued by the resource owner (3). The authorization server issues (4) an access token to the client after successfully authenticating the client and validating the authorization grant. The client makes a protected source request by presenting the access token to the resource server (5). Finally, the resource server sends (6) the protected resources to the client after validating the access token.

Figure 2: OAuth 2.0 Protocol Flow

The OAuth 2.0 framework defines four ways for RPs to obtain access tokens, namely Authorization Code Grant, Implicit Grant, Resource Owner Password, and Client Credentials Grant. In this paper we are only concerned with the Authorization Code Grant and Implicit Grant protocol flows. Note that, in the descriptions below, protocol parameters given in bold font are defined as required (i.e. mandatory) in the OAuth 2.0 Authorization Framework [11].

2.2 OpenID Connect

OpenID Connect 1.0 [18] builds an identity layer on top of the OAuth 2.0 protocol. The added functionality enables RPs to verify an end user identity by relying on an authentication process performed by an OpenID Provider (OP). In order to enable an RP to verify the identity of an end user, OpenID Connect adds a new type of token to OAuth 2.0, namely the id_token. This complements the access token and code, which are already part of OAuth 2.0. An id_token contains claims about the authentication of an end user by an OP together with any other claims requested by the RP.

OpenID Connect supports three authentication flows [18], i.e. ways in which the system can operate, namely Hybrid Flow, Authorization Code Flow and Implicit Flow.

2.3 OAuth 2.0 used for SSO

In order to use OAuth 2.0 as the basis of an SSO system, the following role mapping is used:

  • the resource server and authorization server together play the IdP role;

  • the client plays the role of the RP;

  • the resource owner corresponds to the user.

OAuth 2.0 and OpenID Connect SSO systems build on user agent (UA) redirections, where a user (U) wishes to access services protected by the RP which consumes the access token generated by the IdP. The UA is typically a web browser. The IdP provides ways to authenticate the user, asks the user to grant permission for the RP to access the user’s attributes, and generates an access token on behalf of the user. After receiving the access token, the RP can access the user’s attributes using the API provided by the IdP.

2.3.1 RP Registration

The RP must register with the IdP before it can use OAuth 2.0. During registration, the IdP gathers security-critical information about the RP, including the RP’s redirect URI, i.e. redirect_uri, the URI to which the user agent is redirected after the IdP has generated the authorization response and sent it to the RP via the UA. As part of registration, the IdP issues the RP with a unique identifier (client_id) and, optionally, a secret (client_secret). If defined, client_secret is used by the IdP to authenticate the RP when using the Authorization Code Grant flow.

2.3.2 Authorization Code Grant

The OAuth 2.0 Authorization Code Grant is very similar to the OpenID Connect Authorization Code Flow; for simplicity, we only give the description of the OAuth 2.0 Authorization Code Grant. This flow relies on certain information having been established during the registration process, as described in section 2.3.1. An instance of use of the protocol proceeds as follows.

  1. U RP: The user clicks a login button on the RP website, as displayed by the UA, which causes the UA to send an HTTP request to the RP.

  2. RP UA: The RP produces an OAuth 2.0 authorization request and sends it back to the UA. The authorization request includes client_id, the identifier for the client which the RP registered with the IdP previously; response_type=code, indicating that the Authorization Code Grant method is requested; redirect_uri, the URI to which the IdP will redirect the UA after access has been granted; state, an opaque value used by the RP to maintain state between the request and the callback (step 6 below); and scope, the scope of the requested permission.

  3. UA IdP: The UA redirects the request which it received in step 2 to the IdP.

  4. IdP UA: The IdP first compares the value of redirect_uri it received in step 3 (embedded in the authorization request) with the registered value; if the comparison fails, the process terminates. If the user has already been authenticated by the IdP, then the next step is skipped. If not, the IdP returns a login form which is used to collect the user authentication information.

  5. U UA IdP: The user completes the login form and grants permission for the RP to access the attributes stored by the IdP.

  6. IdP UA RP: After (if necessary) using the information provided in the login form to authenticate the user, the IdP generates an authorization response and redirects the UA back to the RP. The authorization response contains code, the authorization code (representing the authorization grant) generated by the IdP; and state, the value sent in step 2.

  7. RP IdP: The RP produces an access token request and sends it to the IdP token endpoint directly (i.e. not via the UA). The request includes grant_type=authorization_code, client_id, client_secret (if the RP has been issued one), code (generated in step 6), and the redirect_uri.

  8. IdP RP: The IdP checks client_id, client_secret (if present), code and redirect_uri and, if the checks succeed, responds to the RP with access_token.

  9. RP IdP: The RP passes access_token to the IdP via a defined API to request the user attributes.

  10. IdP RP: The IdP checks access_token (how this works is not specified in the OAuth 2.0 specification) and, if satisfied, sends the requested user attributes to the RP.

2.3.3 Implicit Grant

The OAuth 2.0 Implicit Grant is very similar to the OpenID Connect Implicit Flow and Hybrid Flow; for simplicity, we only give the description of the OAuth 2.0 Implicit Grant. This flow has a similar sequence of steps to Authorization Code Grant. We specify below only those steps where the Implicit Grant flow differs from the Authorization Code Grant flow.

  1. RP UA: The RP produces an OAuth 2.0 authorization request and sends it back to the UA. The authorization request includes client_id, the identifier for the client which the RP registered with the IdP previously; response_type=token, indicating that the Implicit Grant is requested; redirect_uri, the URI to which the IdP will redirect the UA after access has been granted; state, an opaque value used by the RP to maintain state between the request and the callback (step 6 below); and scope, the scope of the requested permission.

  2. IdP UA RP: After (if necessary) using the information provided in the login form to authenticate the user, the IdP generates an access token and redirects the UA back to the RP using the value of redirect_uri provided in step 2. The access token is appended to redirect_uri as a URI fragment (i.e. as a suffix to the URI following a # symbol).

As URI fragments are not sent in HTTP requests, the access token is not immediately transferred when the UA is redirected to the RP. Instead, the RP returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI, including the fragment retained by the UA, and extracting the access token (and other parameters) contained in the fragment; the retrieved access token is returned to the RP. The RP can now use this access token to retrieve data stored at the IdP.

3 Supporting multiple IdPs

As described in section 1, many RPs support more than one IdP. This recognises the fact that users will have trust relationships with varying sets of IdPs — for example, one user may prefer to trust Facebook, whereas another may prefer Google.

In this section we describe two ways in which this is achieved in practice.

3.1 Using redirect URIs

One way in which an RP can support multiple IdPs is to register a different redirect_uri with each IdP, and to set up a sign-in endpoint for each. The can then use the endpoint on which it receives an authorization response to recognise which IdP sent it. For example, AddThis222http://www.addthis.com/ has registered the URIs:

If AddThis receives an authorization response at the endpoint https://www.addthis.com/darkseid/account/register-facebook-return?code=[code_generated_by_Facebook], (in step 7 of section 2.3.2), it assumes that this response was generated by Facebook, and thus sends the authorization code to the Facebook server (step 8 of section 2.3.2) to request an access_token.

3.2 Explicit User Intention Tracking

Registering a different redirection URI for each IdP is not the only approach that could be used by an RP to support multiple IdPs. If an RP does not register a different redirection URI for each IdP, it can instead keep a record of the IdP each user wishes to use to authenticate (e.g. it could save the identity of the user’s selected IdP to a cookie).

In this case, when a authorization response is received by the RP, the RP can retrieve the identity of the IdP from the cookie and then send the code to this IdP. This method is typically used by RPs that allow for dynamic registration, where using the same URI is an obvious implementation choice [9].

4 Analysing the security of OAuth 2.0 and OpenID Connect

The security properties of OAuth 2.0 have been analysed using formal methods. Pai et al. [17] confirmed a security issue described in the OAuth 2.0 Thread Model [15] using the Alloy Framework [12]. Chari et al. analysed OAuth 2.0 in the Universal Composability Security Framework [5] and showed that OAuth 2.0 is secure if all the communications links are SSL-protected. Frostig and Slack [21] discovered a cross site request forgery attack in the Implicit Grant flow of OAuth 2.0, using the Murphi framework [8]. Bansal et al. [1] analysed the security of OAuth 2.0 using the WebSpi [2] and ProVerif models [4]. However, all this work is based on abstract models, and so delicate implementation details are ignored.

The security properties of real-world OAuth 2.0 implementations have also been examined by a number of authors. Wang et al. [23] examined deployed SSO systems, focussing on a logic flaw present in many such systems, including OpenID. In parallel, Sun and Beznosov [22] also studied deployed OAuth 2.0 systems. Later, Li and Mitchell [13] examined the security of deployed OAuth 2.0 systems providing services in Chinese. In parallel, Zhou and Evans [25] conducted a large scale study of the security of Facebook’s OAuth 2.0 implementation. Chen et al. [6], and Shehab and Mohsen [19] have looked at the security of OAuth 2.0 implementations on mobile platforms. Li and Mitchell [14] conducted an empirical study of the security of the OpenID Connect-based SSO service provided by Google.

These latter studies have revealed a number of vulnerabilities arising in implementations of these systems. Of particular interest here are vulnerabilities which can lead to CSRF attacks, and we next describe how these attacks can arise.

5 CSRF Attacks against OAuth 2.0 and OpenID Connect

5.1 Adversary Model

We suppose that the adversary has the capabilities of a web attacker, i.e. it can share malicious links or post comments which contain malicious content (e.g. stylesheets or images) on a benign website, and/or can exploit vulnerabilities in an RP website. The malicious content might trigger the web browser to send an HTTP/HTTPS request to an RP and IdP using either the GET or POST methods, or execute JavaScript scripts crafted by the attacker.

5.2 CSRF attacks

A cross site request forgery (CSRF) attack [3, burns2005cross, DBLP:conf/esorics/RyckDJP11, jovanovic2006preventing, DBLP:conf/fc/MaoLM09, DBLP:conf/issre/ShahriarZ10, zeller2008cross] operates in the context of an ongoing interaction between a target web browser (running on behalf of a target user) and a target website. The attack involves a malicious website causing the target web browser to initiate a request of the attacker’s choice to the target website. This can cause the target website to execute actions without the involvement of the user. In particular, if the target user is currently logged into the target website, the target web browser will send cookies containing an authentication token generated by the target website for the target user, along with the attacker-supplied request, to the target website. The target website will then process the malicious request as through it was initiated by the target user.

There are various ways in which the target browser could be made to send the spurious request. For example, a malicious website visited by the browser could use the HTML img tag’s src attribute to specify the malicious request URL, which will cause the browser to silently use a GET method to send the request to the target website.

According to the OWASP Top 10 – 2013 report [16] released by the Open Web Application Security Project (OWASP) in 2013, the CSRF attack is ranked as No. 8 in the 10 most critical web application security risks. This means that such attacks represent a real danger in practice.

5.3 CSRF Attacks Against the Redirect URI

CSRF attacks against the OAuth 2.0 redirect_uri [15] can allow an attacker to obtain authorization to access OAuth-protected resources without the consent of the user. Such an attack is possible for both the Authorization Code Grant Flow and the Implicit Grant Flow.

An attacker first acquires a code or access_token relating to its own protected resources. The attacker then aborts the redirect flow back to the RP on the attacker’s own device, and then, by some means, tricks the victim into executing the redirect back to the RP. The RP receives the redirect, fetches the attributes from the IdP, and associates the victim’s RP session with the attacker’s resources that are accessible using the tokens. The victim user then accesses resources on behalf of the attacker.

The impact of such an attack depends on the type of resource accessed. For example, the user might upload private data to the RP, thinking it is uploading information to its own profile at this RP, and this data will subsequently be available to the attacker; as described by Li and Mitchell [13], an attacker can use a CSRF attack to control a victim user’s RP account without knowing the user’s username and password.

5.4 Existing CSRF Defences

Barth et al. [3] describe four mechanisms that a website can use to defend itself against CSRF attacks: validating a secret token, validating the HTTP Referer header, including additional headers with an XMLHttpRequest, and validating the HTTP Origin header. All of these mechanisms are in use on the web today, but none of them are entirely satisfactory.

  • Secret Validation Token. One approach to defending against CSRF attacks is to send additional information in the form of a secret validation token in each HTTP request; this token can be used to determine whether the request came from an authorized source. The “validation token” should be hard to guess for attacker who does not already have access to the user’s account. If a request does not contain a validation token, or the token does not match the expected value, the server should reject the request.

  • The Referer Header. In many cases, when the browser issues an HTTP request, it includes a Referer header that indicates which URL initiated the request. The Referer header, if present, distinguishes a same-site request from a cross-site request because the header contains the URL of the site making the request. A site can defend itself against cross-site request forgery attacks by checking whether the request in question was issued by the site itself. However, the Referer might contain sensitive information that impinges on the privacy of web users.

  • Custom HTTP Headers. Custom HTTP headers can be used to prevent CSRF attacks, because browsers prevent sites from sending custom HTTP headers to another site but allow sites to send custom HTTP headers to themselves using XMLHttpRequest. For example, the prototype.js JavaScript library333http://prototypejs.org uses this approach and attaches the X-Requested-With header with the value XMLHttpRequest. To use custom headers as a CSRF defence, a site must issue all state-modifying requests using XMLHttpRequest, attach the custom header (e.g. X-Requested-with), and reject all state-modifying requests that are not accompanied by the header. This works because XMLHttpRequest does not allow an attacker to make a request to a third party domain by default. Thus, it is not possible for an attacker to forge a request with a spoofed X-Requested-With header.

  • The Origin Header. In many cases, the browser includes an Origin header, which indicates the request originates from an HTTP POST request as well as a Cross-Origin Resource Sharing (CORS)444https://developer.mozilla.org/en-US/docs/Glossary/CORS request. Its use is similar to the Referer header, but it does not include any path information, only the server name.

5.5 Existing CSRF Defences for OAuth 2.0

As described in the OAuth Threat model [15], two possible mitigations [15] for a CSRF attack are as follows.

  • A state parameter should be used to link the authorization request to the redirect URI used to deliver the code or access_token (see Secret Validation Token in section 5.4).

  • RP developers and end users should be educated not to follow untrusted URLs.

The OAuth Threat model does not recommend use of the three other CSRF defences described in section 5.4. This is because the OAuth 2.0 response to the redirect URI is a cross-site request, since the request is generated by the IdP and is redirected to the RP by the browser; all the existing CSRF defences (except for use of the secret token) will therefore not work in this case.

It is important to observe that both the recommended mitigations delegate the responsibility for correctly implementing CSRF countermeasures to the RP developers. However, in practice, RPs do not always implement CSRF countermeasures in the recommended way. A study conducted by Shernan et al. [20] in 2015 found that 25% of websites in the Alexa Top 10,000 domains using Facebook’s OAuth 2.0 service appear vulnerable to CSRF attacks. Further, a 2016 study conducted by Yang et al. [24] revealed that 61% of 405 websites using OAuth 2.0 (chosen from the 500 top-ranked US and Chinese websites) did not implement CSRF countermeasures; even worse, for those RPs which support the state parameter, 55% of them are still vulnerable to CSRF attacks due to misuse/mishandling of the state parameter. They also disclosed four scenarios where the state parameter can be misused by the RP developers.

This means that, if CSRF attacks are to be prevented in practice, new and simple-to-implement CSRF countermeasures would be extremely valuable. This motivates the work described in the remainder of this paper.

6 A new approach

Since the requirement to add a state parameter to an authorization request is often ignored by RP developers, large numbers of real-world OAuth 2.0 implementations are vulnerable to CSRF attacks; moreover traditional Referer header, Origin header and Custom header countermeasures are infeasible in the OAuth 2.0 framework (see section 5.5). We propose to combine the Referer header and the fact that RPs register different URIs for different IdPs (see section 3.1) to provide a novel means of mitigating CSRF attacks. We first describe how a Referer header can be used to mitigate CSRF attacks against the redirect_uri in both the Authorization Code Grant Flow of OAuth 2.0 and the (very similar) Authorization Code Flow of OpenID Connect.

6.1 Protecting the Authorization Code (Grant) Flow

Normally an authorization response is only generated after a user clicks on a grant button rendered by the IdP (see fig. 3). The HTTP message (see, for example, listing 1) of such an authorization response contains a Referer header which points to the IdP domain.

Figure 3: An Google Authorization Grant Example
1// HTTP message of a normal OAuth 2.0 Authorization response generated by AIdP for RP.com
2// privacy relerated values are trimmed using ***
3
4GET /AIdP-callback?code=[code_generated_by_AIdP]
5Host: RP.com
6User-Agent: ***
7Accept: ***
8Accept-Language: en-US,en;q=0.5
9Referer: https://AIdP.com/
10Cookie: ***
11Connection: close
Listing 1: HTTP message of a normal OAuth 2.0 Authorization Response

In practice, major IdPs, such as Google, Facebook and Microsoft, implement an ‘automatic authorization granting’ feature [14]. That is, when the user has logged in to his/her OAuth 2.0 IdP account, the IdP generates an authorization response without explicit user consent. The HTTP message (see, for example, listing 2) of such an authorization response contains a Referer header which points to the RP domain.

The proposed mitigation operates as follows. When the RP receives an authorization response, it first retrieve the identity of the IdP from redirect_uri and then checks that the domain in the Referer header is either the RP Domain or the IdP domain. If the domain of the Referer header is one of these two values, then the RP knows this is a genuine authorization response coming from the IdP; otherwise, the RP should discard this HTTP message and send an error page to the user.

1// HTTP message of an automatic authorization granting OAuth 2.0 Authorization response generated by AIdP for RP.com
2// privacy relerated values are trimmed using ***
3
4GET /AIdP-callback?code=[code_generated_by_AIdP]
5Host: RP.com
6User-Agent: ***
7Accept: ***
8Accept-Language: en-US,en;q=0.5
9Referer: https://RP.com/
10Cookie: ***
11Connection: close
Listing 2: HTTP message of an automatic authorization granting OAuth 2.0 Authorization Response

As an example of how this might work in practice, suppose a web attacker puts a link https://rp.com/AIdP-callback?code=[code_belongs_to_attacker_generated_by_AIdP] on attacker.com to try to launch a CSRF attack against the redirect_uri RP registered with AIdP. The HTTP message of the attack request will contain a Referer header which points to attacker.com (see listing 3). The RP is able to detect this is an attack message by comparing the identity of the IdP or its own domain with the domain in the Referer header.

1// HTTP message of a normal OAuth 2.0 Authorization response generated by AIdP for RP.com
2// privacy relerated values are trimmed using ***
3
4GET /AIdP-callback?code=[code_belongs_to_attacker_generated_by_AIdP]
5Host: RP.com
6User-Agent: ***
7Accept: ***
8Accept-Language: en-US,en;q=0.5
9Referer: https://attacker.com/
10Cookie: ***
11Connection: close
Listing 3: HTTP message of a CSRF attack against redirect_uri

6.2 Protecting the Implicit Grant Flow

We next describe how a Referer header can be used to mitigate CSRF attacks against the redirect_uri in the Implicit Grant Flow of OAuth 2.0 or the Implicit Flow and Hybrid Flow of OpenID Connect.

As an example of how this might work in practice, suppose a web attacker creates the link https://rp.com/AIdP-callback#access_token=[accsstoken_belongs_to_attacker_generated_by_AIdP] on attacker.com to try to launch a CSRF attack against the redirect_uri RP registered with AIdP. As discussed in section 2.3.3, the access_token in the Implicit Grant Flow is not immediately transferred when the UA is redirected to the RP. Thus the HTTP request message looks similar to the CSRF HTTP request described in listing 4. Note that the only difference between a normal HTTP message and a CSRF HTTP message in the OAuth 2.0 Implicit Grant is the Referer header. The RP can detect a CSRF attack by checking the domain of the Referer header is either the IdP identity it retrieves from the redirect_uri or its own domain; it can then respond with different HTML depending on the HTTP messages it has received (see lines 22 and 47 in listing 4).

1
2// A normal HTTP request message to the RP redirect_uri in the OAuth 2.0 Implicit Grant
3
4GET /AIdP-callback
5Host: RP.com
6User-Agent: ***
7Accept: ***
8Accept-Language: en-US,en;q=0.5
9Referer: https://AIdP.com
10Cookie: ***
11
12// The HTTP response message
13HTTP/1.1 200 OK
14Date: ***
15Server: ***
16Last-Modified: ***
17Content-Length: ***
18Content-Type: text/html
19Connection: Closed
20
21<html>
22<body>
23<h1>This HTML can be used to extract the access_token!</h1>
24......
25</body>
26</html>
27
28// The HTTP request message of a CSRF attack on the RP redirect_uri in OAuth 2.0 Implicit Grant
29
30GET /AIdP-callback
31Host: RP.com
32User-Agent: ***
33Accept: ***
34Accept-Language: en-US,en;q=0.5
35Referer: https://attacker.com
36Cookie: ***
37
38// The HTTP response message
39HTTP/1.1 200 OK
40Date: ***
41Server: ***
42Last-Modified: ***
43Content-Length: ***
44Content-Type: text/html
45Connection: Closed
46
47<html> <body> <h1>A CSRF attack is detected on the AIdP signin
48endpoint!</h1> </body> </html>
Listing 4: Preventing CSRF attacks on OAuth 2.0 Implicit Grant

6.3 Supporting multiple IdPs

In the previous sections we described how the Referer header can be used to mitigate CSRF attacks against RPs which use redirect_uri to track the user login intention. We now describe how the Referer header can be used to protect RPs using explicit user intention tracking.

The user log-in intention is stored in the session (Jsession=12345 in the example below). Thus, when the RP receives an authorization response (such as that in listing 5), it retrieves the IdP’s identity from the session and checks whether the domain of the Referer header is either the IdP identity or its own domain. If the two values are the same then the RP knows that this is a genuine authorization response; otherwise, it should respond to the user with an error page.

1// HTTP message of a normal OAuth 2.0 Authorization response generated by AIdP for RP.com using explicit user intention tracking
2// privacy relerated values are trimmed using ***
3
4GET /oauth2-callback?code=[code_belongs_to_attacker_generated_by_AIdP]
5Host: RP.com
6User-Agent: ***
7Accept: ***
8Accept-Language: en-US,en;q=0.5
9Referer: https://AIdP.com/
10Cookie: Jsession=12345
11Connection: close
Listing 5: HTTP message of a CSRF attack against redirect_uri

7 Defending RPs using specific IdP client libraries

Many IdPs, such as Facebook555https://developers.facebook.com/docs/facebook-login/web and Google666https://developers.google.com/identity/sign-in/web/devconsole-project, implement their own OAuth 2.0 client libraries. RPs can use these libraries to simplify integration of the Facebook and Google OAuth 2.0 services with their websites. These libraries use postMessage [7] to deliver OAuth 2.0 responses to the RP client. The RP client must then use XMLHttpRequest to send the OAuth 2.0 response back to the RP OAuth 2.0 callback endpoint, e.g. https://www.rp.com/AIdP-callback.

The RP OAuth 2.0 callback endpoint might be different from the redirect_uri the RP registered with the IdP, e.g. https://www.rp.com; for example, Google requires RPs to register an origin value if they want to use the Google OAuth 2.0 client libraries. Because the request to the RP’s OAuth 2.0 callback endpoint is initiated from the RP client using XMLHttpRequest, the Referer header in the HTTP message of the request always points to the RP domain.

An RP using these client libraries can detect a CSRF attack by checking that the domain in the Referer header of the HTTP message (i.e. RP.com in the example given in listing 6 ).

1// HTTP message of the request to the RP’s OAuth 2.0 callback endpoint
2
3GET /AIdP-callback?code=[code_generated_by_AIdP]
4Host: RP.com
5User-Agent: ***
6Accept: ***
7Accept-Language: en-US,en;q=0.5
8Referer: https://RP.com
9Cookie: ***
10Connection: close
Listing 6: Defending RPs using specific IdP client libraries

8 Limitations of our approach

One possible limitation of the Referer header approach described above is that a UA might compress the Referer header in a (non-secure) HTTP request if the referring page is transferred via a secure protocol (e.g. HTTPS) [10]. This means that an RP which uses HTTP to register its redirect_uri with an IdP cannot use the approach described in section 6 to defend against CSRF attacks against its redirect_uri, since as part of compression the Referer header will be removed by the web browser when it redirects the authorization response to the RP (note that we assume here IdPs use HTTPS at their OAuth 2.0 authorization endpoint).

This limitation is negated by the fact that that some IdPs, such as Amazon and Microsoft, require the RP to register its redirect_uri using the HTTPS protocol. This means that the attack mitigation described above will work successfully for RPs supporting Amazon and Microsoft login. It would clearly be beneficial if other IdPs could change their registration process to require RPs to register their redirect_uri using HTTPS, enabling all RPs to use our approach to mitigate CSRF attacks.

9 Conclusions

In this paper, we have proposed a new class of mitigations which can be applied to prevent CSRF attacks against redirect_uri in OAuth 2.0 and OpenID Connect. Our approach is practical and simple to implement, and requires no changes to the IdP service; i.e. it can be adopted by an RP independently of what any other party does. We hope that RPs can adopt this approach to provide an additional layer of protection against CSRF attacks for their OAuth 2.0 and/or OpenID Connect services. Of course, adoption would likely be increased if this measure was recommended by major IdPs and/or included in the relevant specifications.

References

  • [1] Chetan Bansal, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, and Sergio Maffeis. Discovering concrete attacks on website authorization by formal analysis. Journal of Computer Security, 22(4):601–657, 2014.
  • [2] Chetan Bansal, Karthikeyan Bhargavan, and S. Maffeis. WebSpi and web application models. 2011. http://prosecco.gforge.inria.fr/webspi/CSF/.
  • [3] Adam Barth, Collin Jackson, and John C Mitchell. Robust defenses for cross-site request forgery. In Peng Ning, Paul F. Syverson, and Somesh Jha, editors, Proceedings of the 2008 ACM Conference on Computer and Communications Security, CCS 2008, Alexandria, Virginia, USA, October 27-31, 2008, pages 75–88. ACM, 2008.
  • [4] Bruno Blanchet and Ben Smyth. ProVerif: Cryptographic protocol verifier in the formal model. http://prosecco.gforge.inria.fr/personal/bblanche/proverif/.
  • [5] Suresh Chari, Charanjit S Jutla, and Arnab Roy. Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive, 2011:526, 2011.
  • [6] Eric Y. Chen, Yutong Pei, Shuo Chen, Yuan Tian, Robert Kotcher, and Patrick Tague. OAuth demystified for mobile application developers. In Gail-Joon Ahn, Moti Yung, and Ninghui Li, editors, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pages 892–903. ACM, 2014.
  • [7] Breno de Medeiros, Naveen Agarwal, Nat Sakimura, John Bradley, and Michael B. Jones. OpenID Connect Session Management. 2014. http://openid.net/specs/openid-connect-session-1_0.html.
  • [8] David L Dill. The murphi verification system. In Rajeev Alur and Thomas A. Henzinger, editors, Computer Aided Verification, 8th International Conference, CAV ’96, New Brunswick, NJ, USA, July 31 – August 3, 1996, Proceedings, volume 1102 of Lecture Notes in Computer Science, pages 390–393. Springer, 1996.
  • [9] Daniel Fett, Ralf Küsters, and Guido Schmitz. A comprehensive formal security analysis of OAuth 2.0. In Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, pages 1204–1215. ACM, 2016.
  • [10] Roy Fielding, Jim Gettys, Jeffrey Mogul, Henrik Frystyk, Larry Masinter, Paul Leach, and Tim Berners-Lee. RFC 2616: Hypertext transfer protocol–HTTP/1.1, 1999. https://tools.ietf.org/html/rfc2616.
  • [11] Dick Hardt (editor). RFC 6749: The OAuth 2.0 authorization framework. October 2012. http://tools.ietf.org/html/rfc6749.
  • [12] Daniel Jackson. Alloy 4.1. 2010. http://alloy.mit.edu/community/.
  • [13] Wanpeng Li and Chris J. Mitchell. Security issues in OAuth 2.0 SSO implementations. In Sherman S. M. Chow, Jan Camenisch, Lucas Chi Kwong Hui, and Siu-Ming Yiu, editors, Information Security — 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014. Proceedings, volume 8783 of Lecture Notes in Computer Science, pages 529–541. Springer, 2014.
  • [14] Wanpeng Li and Chris J. Mitchell. Analysing the security of Google’s implementation of OpenID Connect. In Juan Caballero, Urko Zurutuza, and Ricardo J. Rodríguez, editors, Detection of Intrusions and Malware, and Vulnerability Assessment — 13th International Conference, DIMVA 2016, San Sebastián, Spain, July 7-8, 2016, Proceedings, volume 9721 of Lecture Notes in Computer Science, pages 357–376. Springer, 2016.
  • [15] Torsten Lodderstedt, Mark McGloin, and Phil Hunt. RFC 6819: OAuth 2.0 threat model and security considerations. 2013. http://tools.ietf.org/html/rfc6819.
  • [16] OWASP Foundation. Owasp top ten project. 2013. https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013.
  • [17] Suhas Pai, Yash Sharma, Sunil Kumar, Radhika M Pai, and Sanjay Singh. Formal verification of OAuth 2.0 using Alloy framework. In Proceedings of the International Conference on Communication Systems and Network Technologies (CSNT), 2011, pages 655–659. IEEE, 2011.
  • [18] Nat Sakimura, John Bradley, Michael Jones, Breno de Medeiros, and Mortimore Chuck. Openid connect core 1.0. 2014. http://openid.net/specs/openid-connect-core-1_0.html.
  • [19] Mohamed Shehab and Fadi Mohsen. Securing OAuth implementations in smart phones. In Elisa Bertino, Ravi S. Sandhu, and Jaehong Park, editors, Fourth ACM Conference on Data and Application Security and Privacy, CODASPY’14, San Antonio, TX, USA — March 03 - 05, 2014, pages 167–170. ACM, 2014.
  • [20] Ethan Shernan, Henry Carter, Dave Tian, Patrick Traynor, and Kevin R. B. Butler. More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In Magnus Almgren, Vincenzo Gulisano, and Federico Maggi, editors, Detection of Intrusions and Malware, and Vulnerability Assessment — 12th International Conference, DIMVA 2015, Milan, Italy, July 9–10, 2015, Proceedings, volume 9148 of Lecture Notes in Computer Science, pages 239–260. Springer, 2015.
  • [21] Quinn Slack and Roy Frostig. Murphi analysis of OAuth 2.0 implicit grant flow. 2011. http://www.stanford.edu/class/cs259/WWW11/.
  • [22] San-Tsai Sun and Konstantin Beznosov. The devil is in the (implementation) details: An empirical analysis of OAuth SSO systems. In Ting Yu, George Danezis, and Virgil D. Gligor, editors, the ACM Conference on Computer and Communications Security, CCS ’12, Raleigh, NC, USA, October 16-18, 2012, pages 378–390. ACM, 2012.
  • [23] Rui Wang, Shuo Chen, and XiaoFeng Wang. Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In IEEE Symposium on Security and Privacy, SP 2012, 21-23 May 2012, San Francisco, California, USA, pages 365–379. IEEE Computer Society, 2012.
  • [24] Ronghai Yang, Guanchen Li, Wing Cheong Lau, Kehuan Zhang, and Pili Hu. Model-based security testing: An empirical study on oauth 2.0 implementations. In Xiaofeng Chen, XiaoFeng Wang, and Xinyi Huang, editors, Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, China, May 30 – June 3, 2016, pages 651–662. ACM, 2016.
  • [25] Yuchen Zhou and David Evans. SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities. In Kevin Fu and Jaeyeon Jung, editors, Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014, pages 495–510. USENIX Association, 2014.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
233603
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description