Malicious Endpoint Attack
This is an attack listed in the report SoK: Single Sign-On Security – An Evaluation of OpenID Connect.
In this test, the Attacker OP returns a maliciously crafted Discovery document and afterwards creates an ID Token containing the identity of the victim, whose account is controlled by another OP, the Honest OP.
Prerequisite
- The client does not use a distinct redirection URI per authorization server.
Execution
The Attacker OP returns the following configuration during the Discovery phase.
{
"issuer": "https://opivAttackerOP.com",
"registration_endpoint": "https://opivHonestOP.com/register",
"authorization_endpoint": "https://opivHonestOP.com/auth",
"token_endpoint": "https://opivAttackerOP.com/token",
"userinfo_endpoint": "https://opivAttackerOP.com/userinfo"
...
}
Result Evaluation
The goal of this test is to verify whether End-User authentication can be broken. The attack is successful if the Attacker OP receives any secret information generated by the Honest OP, for example a client_id, client_secret, code or access token.
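Two Relying Party checks that stop this endpoint mix, as an added example. This is not code from the issue, the SoK paper or any FAPI implementation. The discovery documents are constructed from the one quoted above; the same-origin rule applied to every *_endpoint is a policy assumed for this example and stricter than what OpenID Connect Discovery requires (Discovery only requires the issuer value to match). The iss value checked at the callback is assumed to come from the RFC 9207 iss response parameter or, in the hybrid flow, from the iss claim of a front-channel ID Token whose signature the caller has already verified.

```python
"""Relying Party defences against a discovery document that mixes two OPs.

Added example; not code from the FAPI issue tracker or the SoK paper.
"""
from urllib.parse import urlsplit


# Constructed copy of the Attacker OP's discovery document from the issue:
# registration and authorization point at the Honest OP, token and userinfo
# at the Attacker OP.
ATTACKER_DISCOVERY = {
    "issuer": "https://opivAttackerOP.com",
    "registration_endpoint": "https://opivHonestOP.com/register",
    "authorization_endpoint": "https://opivHonestOP.com/auth",
    "token_endpoint": "https://opivAttackerOP.com/token",
    "userinfo_endpoint": "https://opivAttackerOP.com/userinfo",
}

# Constructed document for the Honest OP, every endpoint on its own origin.
HONEST_DISCOVERY = {
    "issuer": "https://opivHonestOP.com",
    "registration_endpoint": "https://opivHonestOP.com/register",
    "authorization_endpoint": "https://opivHonestOP.com/auth",
    "token_endpoint": "https://opivHonestOP.com/token",
    "userinfo_endpoint": "https://opivHonestOP.com/userinfo",
}


def _origin(url):
    """(scheme, host, port) of a URL; urlsplit lower-cases the hostname."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def check_discovery(doc, fetched_for):
    """Return a list of findings for a discovery document; [] means accept.

    The issuer check is what OpenID Connect Discovery 1.0 requires: the
    'issuer' value must equal the issuer the document was fetched for.
    The same-origin check is a stricter policy assumed for this example, not
    a spec requirement: every *_endpoint must sit on the issuer's origin, so a
    document that hands registration and authorization to one OP and the
    token endpoint to another is rejected before the client registers
    anywhere or sends a code.
    """
    findings = []
    issuer = doc.get("issuer")
    if issuer != fetched_for:
        findings.append(f"issuer {issuer!r} does not match {fetched_for!r}")
        return findings
    issuer_origin = _origin(issuer)
    for key, url in doc.items():
        if not key.endswith("_endpoint"):
            continue
        if urlsplit(url).scheme != "https":
            findings.append(f"{key} {url} is not https")
        if _origin(url) != issuer_origin:
            findings.append(f"{key} {url} is not on the issuer origin")
    return findings


class RelyingParty:
    """Remembers which OP each login was started with and refuses to complete
    a login whose authorization response came from a different OP.

    `iss` is the RFC 9207 response parameter or the iss claim of a verified
    front-channel ID Token (hybrid flow); signature checking is assumed to
    have been done by the caller and is out of scope here.
    """

    def __init__(self):
        self.providers = {}  # issuer -> validated discovery document
        self.sessions = {}   # state -> issuer the login was started with

    def add_provider(self, doc, fetched_for):
        findings = check_discovery(doc, fetched_for)
        if findings:
            raise ValueError("rejected discovery document: " + "; ".join(findings))
        self.providers[doc["issuer"]] = doc

    def start_login(self, issuer, state):
        if issuer not in self.providers:
            raise KeyError(issuer)
        self.sessions[state] = issuer
        return self.providers[issuer]["authorization_endpoint"]

    def token_endpoint_for_callback(self, state, iss):
        """Return the only token endpoint the code may be sent to, or raise."""
        expected = self.sessions.pop(state, None)
        if expected is None:
            raise ValueError("unknown or replayed state")
        if iss != expected:
            # Mix-up: the response came from a different OP than the one this
            # login was started with. Do not send the code anywhere.
            raise ValueError(f"response from {iss!r}, login started with {expected!r}")
        return self.providers[expected]["token_endpoint"]
```

With these two checks the Attacker OP's document is refused at discovery time, and even a document that slips through cannot make the client post a code, client_id or client_secret to a token endpoint belonging to a different issuer than the one that answered the authorization request.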
Comments (12)
- changed status to open
As long as we use request object and hybrid mode, we are protected.
The question is whether we require them. Probably yes.
It would be good in an intro or summary to refer to the attacks which we protect against by requiring hybrid flow and request object.
Add brief description in the intro, and details in the security considerations in Part 2.
- changed status to resolved
Part 2: Fix
#78→ <<cset 01acf9437227>>
- changed status to open
Hmmm. I want to make sure that it is a valid attack. I am now confused: how does it get the client secret?
It can certainly get the code, but that is pretty much it, is it not?
- edited description
- marked as minor
- marked as enhancement
- changed status to closed
-> <<cset ee0270f>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
This is an interesting attack. But isn't it outside the scope of FAPI? Currently I don't believe the client registration phase is mentioned in the fapi spec.