Yup, use of confidential clients and full checking of redirect URIs
would mitigate these attacks.
I think there is an issue of providing guidance to developers/deployers about making secure choices that needs to be addressed someplace. A test suite would also be a good complement to a document.
One challenge is that OAuth addresses such a broad class of clients - from Angry Birds all the way to transactional apps. I am mostly interested in the latter; it would be good to have a resource that I can point people to (and, yes, the TM document is good, but I don't see it as something most developers/deployers would benefit from).
- prateek
While implicit is what they are attacking, this is in principle also possible to do with a code flow if the client is public.
It is only confidential clients using the code flow that have reasonable protection from open redirectors.
In OpenID Connect we made registered redirect_uri and full comparison of the URI, including query parameters, a requirement.
Allowing path or query parameters outside of the redirect comparison leaves too large of an uncontrolled attack surface.
Implementation mistakes are almost inevitable.
John B.
On 2013-02-28, at 2:56 PM, prateek mishra <prateek.mis...@oracle.com> wrote:
Characteristics of both these attacks -
1) Use of implicit flow (access token passed on the URL)
2) changes to redirect uri (specification does allow some flexibility here)
3) applications with long-lived access tokens with broad scope (in one case only)
- prateek
And a different one (still exploiting redirection and still an implementation mistake)
http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html
Regards
Antonio
On Feb 25, 2013, at 11:42 PM, William Mills wrote:
DOH!!!
http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
------------------------------------------------------------------------
*From:* Phil Hunt <phil.h...@oracle.com>
*To:* William Mills <wmills_92...@yahoo.com>
*Sent:* Monday, February 25, 2013 2:28 PM
*Subject:* Re: [OAUTH-WG] OAuth2 attack surface....
Whats the link?
Phil
Sent from my phone.
On 2013-02-25, at 14:22, William Mills <wmills_92...@yahoo.com> wrote:
I think this is worth a read, I don't have time to dive into this :(
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
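The point John B. makes above (registered redirect_uri plus full comparison including the query, versus the "some flexibility" prateek notes the spec allows) is easiest to see with the two checks side by side. The following is an added example written for this thread, not code from any of the posters or from an OAuth library; the client id, registered URIs, token value and the https-only policy are constructed assumptions. It contrasts a prefix match with a simple-string exact match, and shows what an implicit-flow authorization response does with a redirect_uri that only the weak check accepts.

```python
from urllib.parse import urlsplit, urlencode

# Constructed registration record for a hypothetical client (assumption, not from the thread).
REGISTERED_REDIRECT_URIS = {
    "client-123": {
        "https://app.example/oauth/callback",
        "https://app.example/oauth/callback?env=prod",
    },
}


def prefix_match(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any redirect_uri that merely starts with a registered value.
    Everything after the registered prefix (extra path segments, query parameters,
    fragments) remains under the requester's control."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, ())
    return any(redirect_uri.startswith(r) for r in registered)


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Strict check in the style OpenID Connect requires: the presented value must
    equal a pre-registered value by simple string comparison (no normalisation,
    no wildcard, no prefix), query component included. A fragment is rejected
    outright, since RFC 6749 forbids one in a redirection URI. The https-only rule
    is a demo policy for web clients (assumption; native apps are out of scope here)."""
    if "#" in redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def implicit_authorize(client_id: str, redirect_uri: str, validator, access_token: str = "tok-demo"):
    """Simulate an authorization server answering an implicit-flow request
    (response_type=token). If redirect_uri passes `validator`, return the Location
    the user agent would be redirected to, carrying the token in the fragment;
    return None when the request is refused. Constructed for illustration."""
    if not validator(client_id, redirect_uri):
        return None
    fragment = urlencode({"access_token": access_token, "token_type": "bearer"})
    return f"{redirect_uri}#{fragment}"


if __name__ == "__main__":
    # A redirect_uri that starts with the registered value but steers the browser
    # (and the token in its fragment) through an open-redirect path on the same host.
    leaky = "https://app.example/oauth/callback/../open-redirect?to=https://attacker.example"
    print("prefix_match :", implicit_authorize("client-123", leaky, prefix_match))
    print("exact_match  :", implicit_authorize("client-123", leaky, exact_match))
```

Run it directly to see the prefix check hand a bearer token to a URL whose destination the requester chose, while the exact check refuses the same request. Note that the strict check also rejects `HTTPS://` and `http://` variants and any appended query parameter, which is the intent: the authorization server should not be normalising or interpreting the URI at all. The one legitimate relaxation a deployer may need is the loopback-port variation RFC 8252 describes for native apps, which this web-client demo deliberately leaves out.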