Messages - DoS Attack caused by request_uri support
Issue #759
resolved
I just heard that there was some concern about supporting request_uri because of the possibility of the DoS Attack.
I do not understand it, but if it is real, we should add some notes to the Security Considerations section.
Comments (3)
One possible mitigation is that the OP might require pre-registration of the request_uri values using the request_uris registration parameter.
And of course, the server can resource-limit reading the request files.
changed status to resolved
OPs can now require pre-registration of request_uri values.
I could imagine an attack where the files pointed to are deliberately made so large as to affect the server network connection and subsequent JOSE+JSON decoding. Checking the Content-Length header is unfortunately of little help here because, first, it is not required to be present and, second, its value can be falsely stated.
Another precaution is to ensure the request_uri is in the same domain as the registrant's, to minimise the risk of the OP becoming an attack vector to some other domain. Having request_uri on a different domain or under someone else's control could however be a feature of OIDC, so this probably has to be looked at more carefully.
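The mitigations discussed in this thread (pre-registration of request_uri values, resource-limiting the fetch without trusting Content-Length, and an optional same-domain check) can be combined at the point where the OP dereferences the request_uri. The following is an added example written for this page; it is not code from the OpenID specification or any OP implementation. The `RegisteredClient` record, the `MAX_REQUEST_OBJECT_BYTES` and `FETCH_TIMEOUT_SECONDS` values, and the rule that "the registrant's domain" means the hosts of its registered redirect_uris are all assumptions made here for illustration. The honest and hostile server generators are constructed stand-ins for the network so the example runs offline.

```python
"""Defensive dereferencing of an OpenID Connect request_uri (added example)."""
from __future__ import annotations

import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Iterable, Iterator
from urllib.parse import urlparse

# Assumed OP policy values; the specification does not fix these numbers.
MAX_REQUEST_OBJECT_BYTES = 64 * 1024
FETCH_TIMEOUT_SECONDS = 5
CHUNK_SIZE = 8 * 1024


class RequestUriError(Exception):
    """Raised when a request_uri is rejected or its body cannot be read safely."""


@dataclass
class RegisteredClient:
    """Hypothetical registration record holding only the fields this example needs."""
    client_id: str
    redirect_uris: list[str]
    request_uris: list[str] = field(default_factory=list)  # pre-registered values


def registrant_hosts(client: RegisteredClient) -> set[str]:
    """Hosts of the registered redirect_uris; assumed here to define the registrant's domain."""
    return {urlparse(u).hostname for u in client.redirect_uris if urlparse(u).hostname}


def validate_request_uri(client: RegisteredClient, request_uri: str,
                         require_same_domain: bool = True) -> None:
    """Reject a request_uri before any network activity takes place."""
    parsed = urlparse(request_uri)
    if parsed.scheme != "https":
        raise RequestUriError("request_uri must use https")
    # Mitigation 1: only values pre-registered via request_uris are ever fetched.
    if request_uri not in client.request_uris:
        raise RequestUriError("request_uri is not pre-registered for this client")
    # Optional mitigation: do not let the OP be used as a fetcher toward third-party hosts.
    if require_same_domain and parsed.hostname not in registrant_hosts(client):
        raise RequestUriError("request_uri host differs from the registrant's domain")


def read_bounded(chunks: Iterable[bytes], limit: int = MAX_REQUEST_OBJECT_BYTES) -> bytes:
    """Accumulate a body and abort as soon as it exceeds limit.

    Content-Length is deliberately ignored: it may be absent or false, so the
    only reliable bound is the number of bytes actually received.
    """
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > limit:
            raise RequestUriError(f"request object larger than {limit} bytes")
    return bytes(buf)


def urllib_fetch(url: str) -> Iterator[bytes]:
    """Real fetcher: stream the body in fixed-size chunks under a socket timeout."""
    with urllib.request.urlopen(url, timeout=FETCH_TIMEOUT_SECONDS) as resp:
        while True:
            chunk = resp.read(CHUNK_SIZE)
            if not chunk:
                return
            yield chunk


def fetch_request_object(client: RegisteredClient, request_uri: str,
                         fetch: Callable[[str], Iterable[bytes]] = urllib_fetch, *,
                         require_same_domain: bool = True,
                         limit: int = MAX_REQUEST_OBJECT_BYTES) -> bytes:
    """Validate, then fetch with a hard byte cap. Returns the raw request object."""
    validate_request_uri(client, request_uri, require_same_domain)
    return read_bounded(fetch(request_uri), limit)


# Constructed sample data: one registered client and two simulated servers.
CLIENT = RegisteredClient(
    client_id="s6BhdRkqt3",
    redirect_uris=["https://rp.example.com/cb"],
    request_uris=["https://rp.example.com/requests/login.jwt",
                  "https://cdn.example.net/requests/login.jwt"],
)
SAMPLE_REQUEST_OBJECT = b"eyJhbGciOiJub25lIn0.eyJjbGllbnRfaWQiOiJzNkJoZFJrcXQzIn0."  # constructed


def honest_server(url: str) -> Iterator[bytes]:
    """Simulated endpoint that serves a small request object."""
    yield SAMPLE_REQUEST_OBJECT


def hostile_server(url: str) -> Iterator[bytes]:
    """Simulated endpoint that streams forever; a Content-Length check could not stop this."""
    while True:
        yield b"A" * CHUNK_SIZE


if __name__ == "__main__":
    print(fetch_request_object(CLIENT, CLIENT.request_uris[0], honest_server))
    try:
        fetch_request_object(CLIENT, CLIENT.request_uris[0], hostile_server)
    except RequestUriError as e:
        print("rejected:", e)
```

The byte cap is enforced on received data rather than on the advertised length, which is the point raised about Content-Length above; the hostile generator is cut off after the first chunk that pushes the total past the limit. Whether to enable `require_same_domain` is left as a per-OP policy flag, since the thread notes that hosting request objects on another domain may be a legitimate use. Note that `urllib_fetch` follows HTTP redirects by default, so a deployment would also want to disable or re-validate redirects, and the returned bytes still need JOSE validation before use.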