Malicious Endpoint Attack

Issue #78 closed
Edmund Jay created an issue

This is an attack listed in the report SoK: Single Sign-On Security – An Evaluation of OpenID Connect.

In this test, the Attacker OP returns a maliciously crafted Discovery document and afterwards creates an ID Token containing the identity of the victim, which is controlled by another OP, the Honest OP.

Prerequisite

  • The client does not have a per-authorization-server redirection URI.

Execution

The Attacker OP returns the following configuration during the Discovery phase.

  {
    "issuer": "https://opivAttackerOP.com",
    "registration_endpoint": "https://opivHonestOP.com/register",
    "authorization_endpoint": "https://opivHonestOP.com/auth",
    "token_endpoint": "https://opivAttackerOP.com/token",
    "userinfo_endpoint": "https://opivAttackerOP.com/userinfo"
    ...
  }

Result Evaluation

The goal of this test is to verify whether the End-User authentication can be broken. The attack is successful if the Attacker OP receives any secret information, for example, client_id, client_secret, code or access token, generated by the Honest OP.
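The document above mixes endpoints from two hosts, which is what lets the code and client credentials end up at the attacker's token endpoint. The following is an added example (not code from the issue, the FAPI working group or the SoK paper) of a client-side check that a Relying Party can run on a freshly fetched discovery document before trusting any of its endpoints: it enforces the issuer match that OpenID Connect Discovery requires, and additionally rejects any endpoint whose host differs from the issuer's. The same-host rule is this example's own policy, not a spec requirement; the honest document and the `jwks_uri` field are constructed for comparison.

```python
from urllib.parse import urlparse

# Constructed copy of the discovery document shown in the issue. The original
# ends with "..." (further fields omitted); only the listed fields are used here.
MALICIOUS_DISCOVERY = {
    "issuer": "https://opivAttackerOP.com",
    "registration_endpoint": "https://opivHonestOP.com/register",
    "authorization_endpoint": "https://opivHonestOP.com/auth",
    "token_endpoint": "https://opivAttackerOP.com/token",
    "userinfo_endpoint": "https://opivAttackerOP.com/userinfo",
}

# Constructed document in which every endpoint lives under the issuer's host.
HONEST_DISCOVERY = {
    "issuer": "https://opivHonestOP.com",
    "registration_endpoint": "https://opivHonestOP.com/register",
    "authorization_endpoint": "https://opivHonestOP.com/auth",
    "token_endpoint": "https://opivHonestOP.com/token",
    "userinfo_endpoint": "https://opivHonestOP.com/userinfo",
    "jwks_uri": "https://opivHonestOP.com/jwks",
}

# Discovery fields that name a URL the client will later send traffic to.
ENDPOINT_KEYS = (
    "registration_endpoint",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
)


def cross_host_endpoints(doc):
    """Return the endpoint keys whose host differs from the issuer's host.

    urlparse().hostname is already lower-cased, so the comparison is
    case-insensitive. Keys absent from the document are ignored.
    """
    issuer_host = urlparse(doc.get("issuer", "")).hostname
    return sorted(
        key for key in ENDPOINT_KEYS
        if key in doc and urlparse(doc[key]).hostname != issuer_host
    )


def validate_discovery(doc, expected_issuer):
    """Return a list of problems; an empty list means the document is accepted.

    expected_issuer is the issuer URL the client fetched
    /.well-known/openid-configuration from. The issuer equality check is the
    one OpenID Connect Discovery itself mandates; the same-host rule for every
    endpoint is an extra policy of this example, and it is the rule that
    catches the document from the issue.
    """
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(
            f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for key in ENDPOINT_KEYS:
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    for key in cross_host_endpoints(doc):
        problems.append(f"{key} points at a different host than the issuer")
    return problems


if __name__ == "__main__":
    for name, doc, issuer in (
        ("honest", HONEST_DISCOVERY, "https://opivHonestOP.com"),
        ("malicious", MALICIOUS_DISCOVERY, "https://opivAttackerOP.com"),
    ):
        print(name, validate_discovery(doc, issuer) or "accepted")
```

Run against the issue's document, the issuer check passes (the attacker controls that field), and the two cross-host endpoints, `registration_endpoint` and `authorization_endpoint`, are the ones flagged. Deployments that legitimately split endpoints across hosts would need an allow-list instead of the strict same-host rule.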

Comments (12)

  1. Dave Tonge

    This is an interesting attack. But isn't it outside the scope of FAPI? Currently I don't believe the client registration phase is mentioned in the fapi spec.

  2. Nat Sakimura
    • changed status to open

    As long as we use request object and hybrid mode, we are protected.

    The question is whether we require them?

    probably yes.
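Why the hybrid flow mentioned above helps, as an added example (not code from the issue, the FAPI spec or any OP implementation): with response_type=code id_token the Honest OP returns an ID Token next to the code, so the client can compare that token's iss with the issuer it started the flow with, and check nonce and c_hash, before the code or any client credential is sent to a token endpoint. The token below is constructed with a placeholder signature purely to exercise the claim checks; the nonce, code and client_id values are made up.

```python
import base64
import hashlib
import json

# Constructed values: the issuer the client believes it is talking to (from the
# attacker's discovery document in the issue), plus a sample nonce and code.
EXPECTED_ISSUER = "https://opivAttackerOP.com"
NONCE = "n-0S6_WzA2Mj"
CODE = "SplxlOBeZQQYbYS6WxSbIA"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expected_c_hash(code: str) -> str:
    """c_hash for an ID Token signed with a SHA-256 based alg (e.g. RS256):
    base64url of the left-most 128 bits of SHA-256 over the ASCII code."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def make_demo_id_token(iss: str, nonce: str, code: str) -> str:
    """Build a compact JWT carrying the claims a hybrid-flow ID Token has.

    The signature segment is a placeholder: this constructed token only feeds
    the claim checks below. A real client verifies the JWS against the
    expected issuer's jwks_uri before trusting any claim in it.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": "victim", "aud": "client-1",
              "nonce": nonce, "c_hash": expected_c_hash(code)}
    return ".".join((
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ))


def decode_claims(id_token: str) -> dict:
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def check_hybrid_response(params: dict, expected_issuer: str,
                          expected_nonce: str) -> list:
    """Validate a hybrid-flow (response_type=code id_token) authorization response.

    Returns the names of the failed checks; an empty list means the code may
    be exchanged. Because the ID Token arrives together with the code, an iss
    that names a different OP than the one the client started with is caught
    before the code or the client credentials leave the client.
    """
    claims = decode_claims(params["id_token"])
    failed = []
    if claims.get("iss") != expected_issuer:
        failed.append("iss")
    if claims.get("nonce") != expected_nonce:
        failed.append("nonce")
    if claims.get("c_hash") != expected_c_hash(params["code"]):
        failed.append("c_hash")
    return failed


# The Honest OP answered the redirect that the attacker's discovery document
# set up. Its ID Token truthfully names itself as issuer: that is the mismatch.
ATTACK_RESPONSE = {
    "code": CODE,
    "id_token": make_demo_id_token("https://opivHonestOP.com", NONCE, CODE),
}

if __name__ == "__main__":
    print(check_hybrid_response(ATTACK_RESPONSE, EXPECTED_ISSUER, NONCE))
```

In the scenario from the issue the only failed check is `iss`, and the client aborts without ever contacting the attacker's token endpoint. The c_hash check additionally binds the code to the ID Token, so a code swapped in the front channel is rejected too. Both checks are only meaningful once the token's signature has been verified with keys fetched from the expected issuer's jwks_uri, which this demo does not do.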

  3. Dave Tonge

    It would be good in an intro or summary to refer to the attacks which we protect against by requiring hybrid flow and request object.

  4. Nat Sakimura
    • changed status to open

    Hmmm. I want to make sure that it is a valid attack. I am now confused how does it get the client secret?

    It can certainly get the code but that is pretty much it, is it not?
