Aaron Parecki

alianora https://cybre.space/@nightpool • May 2
@aaronpk you linked to "Insufficient Redirect URI Validation" though? maybe i'm just confused about what you were talking about.

Right, that's one way to steal data out of the redirect even if the browser is doing everything right.

The attacker creates a redirect url at the hostname of the real app but uses an endpoint on the app that can then redirect to the attackers app. Chaining the redirects using an open redirector.

San Jose, California • 49°F

1 reply

Thu, May 2, 2019 4:30pm -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk Yes, i get that, but the attacker can make the access token request just as easily as the legitimate client.

No it can't, because the attacker won't have the PKCE secret at that point. (We're talking about the case where the code is stolen out of the redirect through one of many mechanisms)

San Jose, California • 49°F

1 reply

Thu, May 2, 2019 4:26pm -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk no, I understand that one, I just still don't see how pkce helps improper redirect validation (since the pkce secret and redirect URI come from the same request)

PKCE makes the auth code useless if it's stolen. In PKCE the secret isn't sent out until the access token request.

San Jose, California • 49°F

1 reply

Thu, May 2, 2019 4:21pm -07:00
Drummond Reed https://twitter.com/drummondreed

Biggest laugh at #IIW so far: when @justin__richer in his session on “Is #selfsovereignidentity really possible” turned to Dave Crocker and said that we can all blame him for the Internet not having #security built in from the start.

San Jose, California • 49°F

Thu, May 2, 2019 6:03pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW #selfsovereignidentity #security
Drummond Reed https://twitter.com/drummondreed

At #IIW session on “Is #selfsovereignidentity really possible”, @xmlgrrl Eve Maler offers perhaps the most concise definition of of #privacy I’ve ever heard: “Privacy is context-controlled choice and respect.” Beautiful. And I believe actually possible with #SSI.

San Jose, California • 49°F

Thu, May 2, 2019 6:07pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW #selfsovereignidentity #privacy #SSI
Eve Maler https://twitter.com/xmlgrrl

In @justin__richer’s #IIW “DIDn’t” session: Once more with feeling: Privacy is not secrecy; privacy is not encryption; privacy is context, control, choice, and respect.

San Jose, California • 49°F

Thu, May 2, 2019 6:10pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW
alianora https://cybre.space/@nightpool • May 2
@aaronpk huh? But the redirect_uri is controlled by the same person who controls the code_challenge

That particular attack doesn't assume a malicious browser, that one is improper redirect uri validation. I should probably just write up better explanations of all the attacks in that document but they are all described there.

San Jose, California • 49°F

1 reply

Thu, May 2, 2019 4:17pm -07:00
at The Club at SJC

San Jose, California • Thu, May 2, 2019 3:57pm

37.368421 -121.928393

San Jose, CA, United States

8 Coins

Thu, May 2, 2019 3:57pm -07:00
at TSA Pre-Check Terminal B

San Jose, California • Thu, May 2, 2019 3:48pm

37.365179 -121.924013

San Jose, CA, United States • 49°F

4 Coins

Thu, May 2, 2019 3:48pm -07:00
at Norman Y. Mineta San José International Airport (SJC)

San Jose, California • Thu, May 2, 2019 3:43pm

37.368438 -121.929042

San Jose, CA, United States

10 Coins

Thu, May 2, 2019 3:43pm -07:00
Taxi

10.54mi
Distance

34:47
Duration

3:07pm
Start

3:42pm
End

San Jose, California • 49°F

Thu, May 2, 2019 3:42pm -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk isn't the section you linked to just as much of a concern under the authorization code flow as the implicit flow? since javascript clients are public clients no matter what?

Nope because PKCE solves the problem of the thing being stolen during the redirect.

San Jose, California • 49°F

1 reply

Thu, May 2, 2019 3:39pm -07:00
Nico Kaiser https://twitter.com/nicokaiser • May 2
What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...

Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.

If you are going to issue refresh tokens to JS, definitely rotate them after every use.

Sunnyvale, California • 49°F

1 like

Thu, May 2, 2019 3:32pm -07:00
Sebastian Lasse https://mastodon.social/@sl007 • May 2
@aaronpk This could save you 4 characters ;))
return btoa(encodeURIComponent(str)
.replace(/%([0-9A-F]{2})/g, (m, p1) => String.fromCharCode(parseInt(('0x'+p1), 16))));

hah clever!

Sunnyvale, California • 49°F

Thu, May 2, 2019 3:31pm -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk sure, but a malicious browser could also save the entire js state to disk in exactly the same way (and some do a limited version of this for caching purposes). so it's hard for me to think of that as a security benefit? this is only more secure if everyone along the line behaves exactly in the way you expect it to

Security is never about stopping 100% of attacks, since that's impossible. It's about mitigating risk, and reducing the attack surface.

It's worth reading this whole document even if it is a bit terse. Here's a good example of an unexpected attack on the Implicit flow: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-4.1

Sunnyvale, California • 49°F

2 replies

Thu, May 2, 2019 3:30pm -07:00
Eve Maler https://twitter.com/xmlgrrl

#IIW today is obv going to start with a bang. @justin__richer

Mountain View, California • 49°F

Thu, May 2, 2019 4:06pm +00:00 (liked on Thu, May 2, 2019 10:14am -07:00) #IIW
alianora https://cybre.space/@nightpool • May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better

Think of it from the PoV of the thing sending the access token. It wants to make sure the AT ends up in the client and isn't stolen along the way. It can't trust the browser's address bar because the browser isn't the thing it's sending the token to, the code in the browser is.

Mountain View, California • 49°F

Thu, May 2, 2019 10:13am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better

Here's one: The access token is sent in the address bar, so it becomes part of the browser history. This will be written to disk, and possibly even synced to the browser's "cloud" and then even synced down to other devices.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 10:07am -07:00
Taxi

3.70mi
Distance

102:40
Duration

7:40am
Start

9:22am
End

Mountain View, California • 49°F

Thu, May 2, 2019 9:22am -07:00
Chris https://twitter.com/gonji96

PKCE is on my list to implement when no one is watching

Mountain View, California • 49°F

Thu, May 2, 2019 3:54pm +00:00 (liked on Thu, May 2, 2019 9:04am -07:00)

older