OAuth 2.0 Redirect URI Validation Falls Short, Literally

Golinelli, Matteo; Mirheidari, Ali; Crispo, Bruno
2023-01-01

Abstract

OAuth 2.0 requires a complex redirection trail between websites and Identity Providers (IdPs). In particular, the “redirect URI” parameter included in the popular Authorization Code Grant flow governs the callback endpoint that users are routed to, together with their security tokens. The protocol specification, therefore, includes guidelines on protecting the integrity of the redirect URI. In this work, we analyze the OAuth 2.0 specification in light of modern systems-centric attacks and reveal that the prescribed redirect URI validation guidance exposes IdPs to path confusion and parameter pollution attacks. Based on this observation, we propose novel attack techniques and experiment with 16 popular IdPs, empirically verifying that the OAuth 2.0 security guidance is under-specified. We finally present end-to-end attack scenarios that combine our attack techniques with common web application vulnerabilities, ultimately resulting in a complete compromise of the secure delegated access that OAuth 2.0 promises.
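The following is an added example, not code from the paper or from any of the IdPs it studied. It models an IdP's authorization endpoint with two redirect_uri matchers side by side: a permissive prefix match, which is the kind of partial matching RFC 6749 tolerates when a full URI is not registered, and the exact string match that the OAuth 2.0 Security Best Current Practice requires. It then feeds both matchers a redirect_uri with appended path segments and one with an appended query parameter, the two deviations the abstract names as path confusion and parameter pollution. The registered URI, the attacker-supplied strings and all function names are constructed for illustration.

```python
"""Redirect URI validation at an IdP: prefix matching beside exact matching.

Added example; not code from the ACSAC '23 paper. The registered URI, the
attacker-supplied strings and the helper names are constructed.
"""
import posixpath
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed: the callback URI a client registered with the IdP.
REGISTERED = "https://client.example/oauth/callback"


def prefix_match(candidate: str) -> bool:
    """Permissive check: accept any redirect_uri that begins with the
    registered value. RFC 6749 tolerates partial matching when a complete
    URI has not been registered; that latitude lets the deviations below
    through."""
    return candidate.startswith(REGISTERED)


def exact_match(candidate: str) -> bool:
    """Strict check: the redirect_uri must equal a registered value character
    for character, as the OAuth 2.0 Security Best Current Practice requires."""
    return candidate == REGISTERED


def issue_callback(redirect_uri: str, matcher, code: str, state: str):
    """Model the authorization endpoint: validate redirect_uri with the given
    matcher, then append code and state as query parameters, keeping any
    query string the URI already carried (RFC 6749 section 3.1.2).
    Returns the final callback URL, or None when validation rejects it."""
    if not matcher(redirect_uri):
        return None
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}{urlencode({'code': code, 'state': state})}"


def received_codes(callback_url: str) -> list:
    """All values of the 'code' parameter the client's callback receives, in
    order. A client that reads the first occurrence gets an attacker-chosen
    value whenever the parameter has been duplicated."""
    query = urlsplit(callback_url).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == "code"]


def routed_path(callback_url: str) -> str:
    """Path after dot-segment normalisation: where a server or CDN that
    normalises '..' would actually route the callback request."""
    return posixpath.normpath(urlsplit(callback_url).path)


if __name__ == "__main__":
    # Constructed attacker inputs: one appends path segments, the other a
    # query parameter that collides with the one the IdP adds.
    path_confused = REGISTERED + "/../../attacker-controlled"
    polluted = REGISTERED + "?code=attacker-chosen"
    cases = (("path confusion", path_confused), ("parameter pollution", polluted))
    for label, uri in cases:
        for matcher in (prefix_match, exact_match):
            url = issue_callback(uri, matcher, "real-code", "xyz")
            print(f"{label:20s} {matcher.__name__:13s} -> {url}")
            if url:
                print(f"{'':35s} routed path {routed_path(url)}, "
                      f"codes seen {received_codes(url)}")
```

With prefix matching, the path-confused URI is accepted and, after normalisation, lands on `/attacker-controlled` rather than the registered callback, while the polluted URI yields a callback carrying two `code` parameters with the attacker's value first. Exact matching rejects both before any code is issued.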
2023
Annual Computer Security Applications Conference (ACSAC)
New York City USA
Association for Computing Machinery
979-8-4007-0886-2
Innocenti, Tommaso; Golinelli, Matteo; Onarlioglu, Kaan; Mirheidari, Ali; Crispo, Bruno; Kirda, Engin
OAuth 2.0 Redirect URI Validation Falls Short, Literally / Innocenti, Tommaso; Golinelli, Matteo; Onarlioglu, Kaan; Mirheidari, Ali; Crispo, Bruno; Kirda, Engin. - (2023), pp. 256-267. (Paper presented at the ACSAC '23 conference held in Austin, TX, USA, 4-8 December 2023) [10.1145/3627106.3627140].
Files in this item:

File | Size | Format

OAuth-2.0-Redirect-URI-Validation-Falls-Short-Literally.pdf
  Open access
  Type: Non-refereed preprint
  License: All rights reserved
  Size: 1.12 MB, Adobe PDF

3627106.3627140.pdf
  Open access
  Type: Publisher's layout
  License: All rights reserved
  Size: 1.24 MB, Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/399070