On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect
Vladislav Mladenov | Christian Mainka | Jörg Schwenk
[1] Yuri Gurevich, et al. Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization, 2013, USENIX Security Symposium.
[2] Caterina Urban, et al. Formal analysis of Facebook Connect Single Sign-On authentication protocol, 2010.
[3] Jörg Schwenk, et al. Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud, 2014, CCSW.
[4] Yuan Tian, et al. OAuth Demystified for Mobile Application Developers, 2014, CCS.
[5] Thorsten Holz, et al. Static Detection of Second-Order Vulnerabilities in Web Applications, 2014, USENIX Security Symposium.
[6] Thomas Groß, et al. Security analysis of the SAML single sign-on browser/artifact profile, 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings.
[7] Yuchen Zhou, et al. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities, 2014, USENIX Security Symposium.
[8] N. Sakimura, et al. JSON Web Signature (JWS) draft-ietf-jose-json-web-signature-11, 2013.
[9] John C. Mitchell, et al. State of the Art: Automated Black-Box Web Application Vulnerability Testing, 2010, 2010 IEEE Symposium on Security and Privacy.
[10] Konstantin Beznosov, et al. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems, 2012, CCS.
[11] Cormac Herley, et al. A large-scale study of web password habits, 2007, WWW '07.
[12] Jun Sun, et al. AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations, 2013, NDSS.
[13] XiaoFeng Wang, et al. Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services, 2012, 2012 IEEE Symposium on Security and Privacy.
[14] J. Bradley, et al. JSON Web Token (JWT) draft-ietf-oauth-json-web-token-02, 2013.
[15] Jerome H. Saltzer, et al. Kerberos authentication and authorization system, 1987.
[16] Dick Hardt, et al. The OAuth 2.0 Authorization Framework, 2012, RFC.
[17] XiaoFeng Wang, et al. InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations, 2013, NDSS.
[18] Michael Grabatin, et al. Integration of Dynamic Automated Metadata Exchange into the SAML 2.0 Web Browser SSO Profile, 2016.
[19] Christopher Krügel, et al. Protecting Web-Based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel, 2014, RAID.
[20] Kirstie Hawkey, et al. Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures, 2012, Computers & Security.
[21] Isil Dillig, et al. Detecting and Exploiting Second Order Denial-of-Service Vulnerabilities in Web Applications, 2015, CCS.
[22] Collin Jackson, et al. Securing frame communication in browsers, 2008, CACM.
[23] Jörg Schwenk, et al. On Breaking SAML: Be Whoever You Want to Be, 2012, USENIX Security Symposium.