Parameter pollution with redirect_uri injection in Authorization step

Issue #2074 open
tommaso innocenti created an issue

To whom it may concern,
I want to suggest a change in the OpenID documentation, particularly section 3.1.2.2. Authentication Request Validation.
We have researched the OAuth protocol and identified a new class of attack, OPP, derived from the pollution of the redirect_uri in the Authorization request, which affected 10/16 popular IDPs.
PAPER

Including an attacker's code as a parameter of the redirect_uri in the Authorization request generates an Authorization response containing double code parameters. This can cause a login CSRF attack on the Client site.

We would like the specification to include a check over the redirect_uri parameters in the Authorization request.
For example, an explicit directive to refuse requests containing a redirect_uri with a code parameter in the Authorization request.

Comments (4)

  1. Michael Jones
    • changed status to open

    We discussed this on the 13-Nov-23 working group call. I believe this needs review by security experts.

  2. tommaso innocenti reporter

    Good morning, Michael. We already contacted the OAuth working group; we discussed it with Daniel Fett and the BCP working group.
    They partially addressed the path confusion attack by requiring exact URL matching. Still, they referred to RFC 3986 Section 6.2.1 as an algorithm to perform the URL string comparison, which describes a contradicting comparison algorithm that allows URLs of different lengths, as described in our paper (Section 3.1).
    OpenID has the same issue with its documentation (OpenID Connect Core 1.0 Section 3.1.2.1. Authentication Request), which, to be addressed appropriately, requires either removing the contradicting reference or defining a new secure comparison algorithm.
    The issue has been partially fixed in the OpenID conformance test, thanks to the issue raised by Joseph (LINK), which refers to our paper contribution.

    The OAuth working group refrained from introducing new requirements for the redirect_uri parameter validation, which is extremely vague in the documentation (RFC 6749 Section 10.14), because it is outside the BCP scope.
    Daniel Fett told us that maybe in future versions of OAuth this problem will be addressed, maybe with OAuth 2.1.
    To conclude, OpenID inherits the same flaw from OAuth. In our opinion, it is better to address the issue by introducing a validation requirement to address the parameter pollution attack, which is:
    To stop all Authorization requests where the redirect_uri parameter contains a code parameter that clearly indicates a parameter pollution attack or a namespace error from the client site.

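The two checks discussed in this thread (exact string comparison of the redirect_uri against the registration, and refusing a redirect_uri whose query already uses a name the authorization server will set, such as `code`), as an added example in Python; it is not code from the OpenID working group or from the paper, and the client registrations and URLs are constructed for the demo:

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed client registrations (hypothetical values, not from any real IdP).
# "client-b" has the namespace error mentioned in comment 2: its registered
# redirect_uri already uses the reserved query name "code".
REGISTERED_REDIRECT_URIS = {
    "client-a": {"https://client.example/cb"},
    "client-b": {"https://client.example/cb?code=landing"},
}

# Names the authorization server itself writes into the response query.
RESERVED_RESPONSE_PARAMS = {"code", "state", "error", "error_description"}


def append_response_params(redirect_uri, params):
    """Naive AS behaviour: append code/state to whatever query the
    redirect_uri already carries. With a polluted redirect_uri this yields
    the double-code response described in the issue."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def validate_redirect_uri(client_id, redirect_uri):
    """Return (accepted, reason) for the redirect_uri of an authorization request.
    Exact string comparison against the registration (no RFC 3986 6.2.1
    normalisation), then refuse any query name the AS will set itself."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        return False, "redirect_uri is not an exact match of a registered value"
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        return False, "redirect_uri must not carry a fragment"
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    polluted = sorted(names & RESERVED_RESPONSE_PARAMS)
    if polluted:
        return False, f"redirect_uri query uses reserved parameter(s): {polluted}"
    return True, "ok"


def count_param(url, name):
    """Number of times `name` occurs in the query component of `url`."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sum(1 for k, _ in query if k == name)


if __name__ == "__main__":
    polluted = "https://client.example/cb?code=attacker-chosen"
    # A loosely matching AS would emit two `code` values here.
    print(append_response_params(polluted, {"code": "real", "state": "xyz"}))
    for cid, uri in [("client-a", "https://client.example/cb"), ("client-a", polluted),
                     ("client-a", "https://client.example/cb/../cb"),
                     ("client-b", "https://client.example/cb?code=landing")]:
        print(cid, uri, validate_redirect_uri(cid, uri))
```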