Presentation is loading. Please wait.

Presentation is loading. Please wait.

J. Bradley Sanso H. Tschofenig

Published byAlexina Kelley Modified over 6 years ago

Similar presentations

Presentation on theme: "J. Bradley Sanso H. Tschofenig"— Presentation transcript:

1 J. Bradley Sanso H. Tschofenig
Open redirect in rfc6749 J. Bradley Sanso H. Tschofenig

2 The Specification rfc6 749 – section 4.1.2.1
If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI. If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format,

3 The Problem Open Redirect OWASP TOP 10
…an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

4 The Attack The attacker
Registers a new client to the victim.com provider Registers a redirect uri like attacker.com Craft a special URI of the form (with a wrong scope) ent_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRON G_SCOPE&redirect_uri=

5 Live Examples Facebook: lient_id= &redirect_uri= &scope=WRONG_SCOPE Github: irect_uri= Microsoft: &redirect_uri=

6 Security Compromise: The Authorization Server As Open Redirector
&client_id=good-client&scope=VALID_SCOPE &redirect_uri=https%3A%2F%2AUTHORIZATION_SERVER%Fauthorize %3Fresponse_type%3Dcode %26client_id%3Dattacker-client-id %26scope%3DINVALID_SCOPE %26redirect_uri%3Dhttps%253A%252F%252Fattacker.com

7 The Mitigation https://tools. ietf
Respond with an HTTP 400 (Bad Request) status code (rather than 302) Perform a redirect to an intermediate URI under the control of the AS to clear referer The fragment "#_=_" MUST be appended to the error redirect URI.

Download ppt "J. Bradley Sanso H. Tschofenig"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.

PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
Creating a User ID (1) User makes any HTTP request

Creating a User ID (1) User makes any HTTP request
NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.

NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.

OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.

IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/

Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/
Department of Computer Science & Engineering San Jose State University

Department of Computer Science & Engineering San Jose State University

Similar presentations

Ads by Google