Πέμπτη 20 Αυγούστου 2020

PKCE: What Can(Not) Be Protected


This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.
At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.
In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow


In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 
Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).
  • The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].
Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.
  • Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

    Proof Key for Code Exchange - PKCE (RFC 7636)

    Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.


    Figure 2: PKCE - RFC 7636 

    Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:
    • The Honest App generates a random string called code_verifier
    • The Honest App computes the code_challenge=SHA-256(code_verifier)
    • The Honest App specifies the challenge_method=SHA256

    Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.
    • Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.
    Step 3-4: The code leaks again to the Evil App.

    Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

     PKCE Bypass via App Impersonation

    Again, PKCE binds the Auth Request to the coderedemption.
    The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

    Figure 3: Bypassing PKCE via the App Impersonation attack
    Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

    Step 2-4: These steps do not deviate from the previous description in Figure 2.

    Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

    OAuth 2.0 for Native Apps

    The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

    References

    Vladislav Mladenov
    Christian Mainka (@CheariX)
    More information

    1. Best Pentesting Tools 2018
    2. Hack Tool Apk No Root
    3. Hack Website Online Tool
    4. Hacker Tools List
    5. Tools For Hacker
    6. Pentest Tools Port Scanner
    7. Pentest Tools Apk
    8. Hacking Tools Github
    9. Pentest Tools Review
    10. Hacking Tools
    11. Termux Hacking Tools 2019
    12. Hacker Tools For Windows
    13. Hacker Tools For Windows
    14. Pentest Tools Website Vulnerability
    15. Computer Hacker
    16. Hacker Tools Apk Download
    17. Github Hacking Tools
    18. Pentest Tools Online
    19. Hacker Tools Online
    20. Hack Tool Apk No Root
    21. Pentest Tools Bluekeep
    22. Hack Tools Github
    23. Bluetooth Hacking Tools Kali
    24. Hacking Tools For Games
    25. Pentest Tools Port Scanner
    26. Pentest Tools Windows
    27. Hacker Tools Apk Download
    28. Hacking Tools And Software
    29. Hacking Tools Hardware
    30. Pentest Tools List
    31. Usb Pentest Tools
    32. Pentest Tools Free
    33. Hack Tools Mac
    34. Pentest Tools For Windows
    35. Easy Hack Tools
    36. Kik Hack Tools
    37. Hacker Security Tools
    38. Hacker Tools Online
    39. Pentest Tools Windows
    40. Pentest Tools Windows
    41. Ethical Hacker Tools
    42. Hacker Tools Hardware
    43. Hacker Tools Apk
    44. Hack Website Online Tool
    45. Pentest Tools Apk
    46. Pentest Tools Nmap
    47. Hacking Tools For Mac
    48. Pentest Tools Github
    49. Hack And Tools
    50. Pentest Tools
    51. Hacker Tools Software
    52. Bluetooth Hacking Tools Kali
    53. Pentest Tools Tcp Port Scanner
    54. Pentest Tools
    55. Hack Tools
    56. Pentest Tools Kali Linux
    57. Hack Tools Mac
    58. Pentest Tools For Windows
    59. Hacker Techniques Tools And Incident Handling
    60. Pentest Tools Framework
    61. Hacker Techniques Tools And Incident Handling
    62. Hacking Tools For Kali Linux
    63. Hacking Tools For Pc
    64. Hacker Tools Apk
    65. Hacker Tools Github
    66. Android Hack Tools Github
    67. Pentest Tools Website
    68. Hacks And Tools
    69. Wifi Hacker Tools For Windows
    70. Growth Hacker Tools
    71. Wifi Hacker Tools For Windows
    72. Hack Tools Pc
    73. Pentest Tools Apk
    74. What Is Hacking Tools
    75. Hacker Tools Apk Download
    76. Hack Tools
    77. Pentest Recon Tools
    78. Hack Website Online Tool
    79. Hacking Tools Software
    80. Hack Website Online Tool
    81. How To Make Hacking Tools
    82. Hacker Tools 2019
    83. Beginner Hacker Tools
    84. Hacking Tools Download
    85. Usb Pentest Tools
    86. Nsa Hack Tools Download
    87. Hacker Security Tools
    88. Blackhat Hacker Tools
    89. New Hacker Tools
    90. Pentest Tools List
    91. Black Hat Hacker Tools
    92. Pentest Tools Online
    93. Pentest Tools Nmap
    94. Hackers Toolbox
    95. Github Hacking Tools
    96. Hack And Tools
    97. Bluetooth Hacking Tools Kali
    98. Tools 4 Hack
    99. Hacker Tools Apk
    100. Hacker Tools Free Download
    101. Hacker Security Tools
    102. Pentest Tools Find Subdomains
    103. Pentest Tools
    104. Hacks And Tools
    105. Hack Tools Pc
    106. Pentest Tools Alternative
    107. Hack Tools For Windows
    108. World No 1 Hacker Software
    109. Physical Pentest Tools
    110. Hack Tools For Windows
    111. Hack And Tools
    112. Hack Tools For Mac
    113. Hack Tools Github
    114. Github Hacking Tools
    115. Hack Tool Apk No Root
    116. Hack Tools Online
    117. Tools 4 Hack
    118. Pentest Tools For Mac
    119. Pentest Recon Tools
    120. How To Install Pentest Tools In Ubuntu
    121. Hacker Tools Windows
    122. Hackrf Tools
    123. What Are Hacking Tools
    124. Physical Pentest Tools
    125. Hacker Tool Kit
    126. Hacker Tools Free Download
    127. Hacker Tools Windows
    128. Android Hack Tools Github
    129. Pentest Tools Bluekeep
    130. Android Hack Tools Github
    131. Tools 4 Hack
    132. Hacking Tools For Pc
    133. Hacking Tools For Beginners
    134. Black Hat Hacker Tools
    135. Hacker Tools Linux
    136. Hacker Tools 2019
    137. What Are Hacking Tools
    138. Nsa Hack Tools Download
    139. Usb Pentest Tools
    140. Pentest Tools Website Vulnerability
    141. How To Install Pentest Tools In Ubuntu
    142. Best Hacking Tools 2020
    143. Hacking Apps
    144. Pentest Box Tools Download
    145. Hacking Tools
    146. Pentest Tools
    147. Beginner Hacker Tools

    Δεν υπάρχουν σχόλια:

    Δημοσίευση σχολίου