This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.
At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.
In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.
OAuth Code Flow
In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].
Figure 1: An example of the "authorization code interception" attack on mobile devices. |
Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, ….
Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).
- The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].
Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.
Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.
- Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.
Proof Key for Code Exchange - PKCE (RFC 7636)
Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.
Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.
Figure 2: PKCE - RFC 7636 |
Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:
- The Honest App generates a random string called code_verifier
- The Honest App computes the code_challenge=SHA-256(code_verifier)
- The Honest App specifies the challenge_method=SHA256
Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.
- Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.
Step 3-4: The code leaks again to the Evil App.
Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.
PKCE Bypass via App Impersonation
Again, PKCE binds the Auth Request to the coderedemption.
The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.
Figure 3: Bypassing PKCE via the App Impersonation attack |
Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request.
Step 2-4: These steps do not deviate from the previous description in Figure 2.
Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.
OAuth 2.0 for Native Apps
The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.
References
Vladislav Mladenov
Christian Mainka (@CheariX)
Related newsChristian Mainka (@CheariX)
- Hacking Tools For Windows Free Download
- Hacking Tools For Kali Linux
- Hacker Tools Free
- How To Make Hacking Tools
- Pentest Automation Tools
- Pentest Automation Tools
- Growth Hacker Tools
- New Hack Tools
- Hacks And Tools
- Hacker Tools Windows
- Hacker Tools Windows
- Hacker Tools Github
- Hacks And Tools
- Hack Tools Download
- Hacking Tools Kit
- Hacker Search Tools
- Black Hat Hacker Tools
- Pentest Tools Online
- Hacker Tools List
- Hacker Tools 2019
- Bluetooth Hacking Tools Kali
- Hacker Tools Windows
- Hack Tools Online
- Pentest Recon Tools
- Wifi Hacker Tools For Windows
- Pentest Tools Alternative
- Pentest Tools Framework
- Termux Hacking Tools 2019
- Beginner Hacker Tools
- Hacking Tools Github
- Hacker Tools For Ios
- Hacking Tools Usb
- Computer Hacker
- Hacking Tools For Windows
- Hack Tools Pc
- Easy Hack Tools
- Hack Website Online Tool
- World No 1 Hacker Software
- Pentest Tools Android
- Pentest Tools Website Vulnerability
- Hacking Tools 2019
- Pentest Tools Review
- Termux Hacking Tools 2019
- Hacker Search Tools
- Hack Tools
- Hacking Tools Free Download
- Pentest Tools Nmap
- Pentest Tools Linux
- Nsa Hack Tools Download
- Hack Website Online Tool
- New Hack Tools
- Hacking Tools For Games
- Growth Hacker Tools
- Hack Tool Apk
- Hacker Tools Apk Download
- Hack Tools
- Hack Tool Apk No Root
- Android Hack Tools Github
- Hack Apps
- Hacking Apps
- Hackers Toolbox
- Pentest Tools Linux
- Computer Hacker
- Hacker Search Tools
- Hacker Tools Apk Download
- Tools For Hacker
- Hacker Tools Hardware
- What Are Hacking Tools
- Pentest Tools List
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Usb
- Hacking Tools Pc
- Hacker Tools Apk Download
- Hack Tools For Pc
- Pentest Tools Port Scanner
- New Hack Tools
- Hacker Tools Online
- New Hacker Tools
- How To Hack
- Hackrf Tools
- Termux Hacking Tools 2019
- Hacking Tools For Windows
- Pentest Tools For Windows
- Black Hat Hacker Tools
- Nsa Hack Tools
- Pentest Tools Open Source
- Bluetooth Hacking Tools Kali
- Github Hacking Tools
- Hacker Tools Hardware
- Hacking Tools For Beginners
- Hack Tools Github
- Pentest Tools Github
- Ethical Hacker Tools
- Hack Tools Github
- Hacking Tools For Windows
- Pentest Tools Review
- How To Hack
- Usb Pentest Tools
- Pentest Tools Alternative
- Tools For Hacker
- Pentest Tools For Ubuntu
- Pentest Tools Framework
- Pentest Tools Android
- Hacker Techniques Tools And Incident Handling
- Hackrf Tools
- Usb Pentest Tools
- Pentest Tools For Ubuntu
- Hacker Tools List
- Black Hat Hacker Tools
- Pentest Tools Review
- Pentest Tools Bluekeep
- Game Hacking
- Hack Tools Mac
- What Is Hacking Tools
- Hackrf Tools
- Hacker Tools Mac
- Pentest Tools Review
- Termux Hacking Tools 2019
- Wifi Hacker Tools For Windows
- Hack Rom Tools
- Hacker Tools Hardware
- Github Hacking Tools
- Hacking Tools For Windows 7
- Hacking Tools For Games
- Hacks And Tools
- Hacking Tools Name
- Hack Tools Mac
- Hack Tools Online
- Pentest Tools Download
- Hacker Tools Online
- Hacking Tools 2020
- Hacker Tools Free Download
- Hack Tools For Ubuntu
- Hacker Security Tools
- Hacks And Tools
- New Hacker Tools
- Termux Hacking Tools 2019
- Pentest Tools Apk
- Hackrf Tools
- Pentest Recon Tools
- Hacking Tools For Windows
- Pentest Tools Kali Linux
- Hacking Apps
- Hacking Tools Download
- Hack And Tools
- Hacking Tools For Kali Linux
- Install Pentest Tools Ubuntu
- Pentest Tools For Mac
- Pentest Tools For Ubuntu
- Hacker Tools Linux
- Hacker Techniques Tools And Incident Handling
- Hacking App
- New Hack Tools
- Hacking Tools 2020
- How To Hack
- Growth Hacker Tools
- Hacker Tools For Windows
- Hacker Tools Free Download
- Hacker Tools Github
- Install Pentest Tools Ubuntu
- Hacking Tools For Windows
- Computer Hacker
- Hacker Tools 2019
- Hacker Tools Free Download
- Hack Tools Pc
- Hacking Tools For Windows
- Pentest Tools Review
- Underground Hacker Sites
- Pentest Tools Port Scanner
- Nsa Hacker Tools
No comments:
Post a Comment