AppSec Europe 2016 has ended
Back To Schedule
Thursday, June 30 • 10:20 - 11:05
Systematically Breaking and Fixing OpenID Connect

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

OAuth is the new de facto standard for delegating authorization in the web. An important limitation of OAuth is the fact that it was designed for authorization and not for authentication. The usage of OAuth for authentication thus leads to serious vulnerabilities as shown by Zhou et. al. in [4] and Chen et. al. in [1].
OpenID Connect was created on top of OAuth to fill this gap by providing federated identity management and user authentication. OpenID Connect was standardized in February 2014, but leading companies like Google, Microsoft, AOL and PayPal are already using it in their web applications.

As part of our current research we provided the first in-depth analysis of OpenID Connect. We discovered seven novel attacks, which were not considered by any previous research. In addition, we adapted and extended already known attacks from other SSO protocols like SAML and OpenID on OpenID Connect. In summary, we came up with 15 different attacks resulting in Broken-End-User authentication, information leakage, Server-Side-Request-Forgery (SSRF) and Denial-of-Service (DoS). We categorized all attacks in five different classes:
- Malicious Endpoint attacks (four attacks) are based on a specification flaw in the Discovery and Dynamic Registration features of OpenID Connect, which allow an attacker to break user authentication, compromise user privacy, and enable SSRF, client-side code injection, and DoS.
- ID Spoofing (five attacks) result in an unauthorized access to the victim's account. During the attacks, the attacker is able to create maliciously crafted authentication tokens, which bypass the verification logic on the Client (also known as Relying Party).
- Signature Bypass (three attacks) allow changing the digitally signed authentication without invalidating the signature. Thus, an attacker is able to get an unauthorized access to the victim's account.
- Session Overwriting introduce a complex attack based on a specification flaw, which enforces the Client to send sensitive information like client_secret and valid code to a domain controlled by the attacker.
- Trivial attacks (two attacks) include Replay attacks and Token recipient confusion, which are already known and well studied.

Finally, we contacted the authors of the OpenID Connect and OAuth specifications. They acknowledged our attacks and recognized the need to improve the specification [3] and to address the existing threats. We are currently involved in the discussion regarding the mitigation of the existing issues and an extension to the OpenID Connect specification is currently created for this reason [2].

In our presentation we reveal novel insides and new security aspects of using protocols like OAuth and OpenID Connect. Additionally, we will present two of the new attacks discovered by our research and discuss the countermeasures. We conclude with the concept of a fully automated penetration testing tool developed in collaboration with the OpenID Connect working group allowing the flexible security evaluation of implementations.

[1] E. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague. OAuth Demystied for Mobile Application Developers. In Proceedings of the ACM Conference on Computer and Communications Security (CCS).
[2] M. Jones. Oauth 2.0 mix-up mitigation. IETF, January 2016. URL https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00.
[3] openid connect. Discovery / Security Considerations: CSRF attack on user in-put identifier, 2015. URL https://bitbucket.org/openid/connect/issues/979/discovery-security-considerations-csrf. Accessed: 25.08.2015.
[4] D. E. Yuchen Zhou. Automated Testing of Web Applications for Single Sign-On Vul-
nerabilities. In 23rd USENIX Security Symposium (USENIX Security 14).

avatar for Christian Mainka

Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security... Read More →
avatar for Vladislav Mladenov

Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topics... Read More →
avatar for Tobias Wich

Tobias Wich

Senior Consultant, ecsec GmbH
Tobias Wich works for ecsec GmbH since 2010 as senior consultant for IT-security with an emphasis on smart cards and identity management systems. He is also working on his PhD Thesis at Ruhr University Bochum as an external student. His recent works include research with respect to... Read More →

Thursday June 30, 2016 10:20 - 11:05 CEST
Room C (Tiziano Ballroom Sec. 2)