Friday, August 28, 2020

PKCE: What Can(Not) Be Protected


This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.
At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.
In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow


In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 
Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).
  • The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].
Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.
  • Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

    Proof Key for Code Exchange - PKCE (RFC 7636)

    Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.


    Figure 2: PKCE - RFC 7636 

    Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:
    • The Honest App generates a random string called code_verifier
    • The Honest App computes the code_challenge=SHA-256(code_verifier)
    • The Honest App specifies the challenge_method=SHA256

    Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.
    • Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.
    Step 3-4: The code leaks again to the Evil App.

    Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

     PKCE Bypass via App Impersonation

    Again, PKCE binds the Auth Request to the coderedemption.
    The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

    Figure 3: Bypassing PKCE via the App Impersonation attack
    Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

    Step 2-4: These steps do not deviate from the previous description in Figure 2.

    Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

    OAuth 2.0 for Native Apps

    The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

    References

    Vladislav Mladenov
    Christian Mainka (@CheariX)
    Related articles

    1. Hacking Tools Github
    2. How To Hack
    3. Hack Apps
    4. Install Pentest Tools Ubuntu
    5. Hacking Tools Name
    6. Pentest Tools Open Source
    7. Hacking Tools Windows
    8. Pentest Reporting Tools
    9. Hack Tools Github
    10. Pentest Tools Open Source
    11. Hacker Tool Kit
    12. Pentest Tools Tcp Port Scanner
    13. Pentest Tools Website Vulnerability
    14. Hacker Tools For Ios
    15. Pentest Tools For Ubuntu
    16. Hack Tools
    17. Hacker Tools Apk
    18. Best Hacking Tools 2019
    19. Physical Pentest Tools
    20. Pentest Tools Url Fuzzer
    21. Pentest Tools Subdomain
    22. Hacker Tools
    23. Computer Hacker
    24. Pentest Tools Online
    25. Hacking Tools Hardware
    26. Pentest Tools Free
    27. Growth Hacker Tools
    28. Hacker Tools Apk Download
    29. Hacking Tools For Windows
    30. Hacker Tools Online
    31. Hacking Tools Software
    32. Hacking Tools Online
    33. Android Hack Tools Github
    34. Hacker Tools For Mac
    35. Pentest Tools Android
    36. Best Hacking Tools 2019
    37. Pentest Tools Download
    38. Pentest Tools Online
    39. Nsa Hack Tools Download
    40. Hacker Tools Linux
    41. Best Pentesting Tools 2018
    42. Hacking Tools Download
    43. Pentest Tools Apk
    44. Hack Tool Apk
    45. Pentest Tools Download
    46. Hacker
    47. Hacker Tools Apk
    48. How To Make Hacking Tools
    49. Hacker Tools Free Download
    50. Github Hacking Tools
    51. Hacker Tools Software
    52. Ethical Hacker Tools
    53. Kik Hack Tools
    54. Pentest Tools Url Fuzzer
    55. Pentest Tools Tcp Port Scanner
    56. How To Hack
    57. Kik Hack Tools
    58. Pentest Tools Subdomain
    59. Termux Hacking Tools 2019
    60. Pentest Tools Download
    61. Pentest Tools For Windows
    62. Hacker Tools Hardware
    63. Hacking Tools For Kali Linux
    64. Hacking Tools For Kali Linux
    65. Hacker Tools 2020
    66. Hacking Tools
    67. Nsa Hack Tools Download
    68. Hacking Tools For Games
    69. Pentest Tools Tcp Port Scanner
    70. Pentest Tools Windows
    71. Hack Tools For Games
    72. Top Pentest Tools
    73. Physical Pentest Tools
    74. Hacking Tools Windows
    75. Hack Tools For Ubuntu
    76. Underground Hacker Sites
    77. Pentest Tools Free
    78. Nsa Hack Tools Download
    79. Pentest Tools Subdomain
    80. Pentest Tools Linux
    81. Nsa Hack Tools Download
    82. Hacking Tools And Software
    83. Tools For Hacker
    84. Hacker Tools
    85. Hacker Tools Free Download
    86. Black Hat Hacker Tools
    87. Pentest Tools For Mac
    88. Hacking Tools Free Download
    89. Pentest Reporting Tools
    90. Hack Tools 2019
    91. Hacker Tools 2020
    92. Hacker Tools Github
    93. Hacking Tools Pc
    94. Pentest Tools Review
    95. Pentest Tools Port Scanner
    96. Hacker Tools For Ios
    97. Hack Tools Online
    98. Hacker Tools List
    99. Nsa Hack Tools
    100. Growth Hacker Tools
    101. Hacker Tools Free Download
    102. Hacker Tools For Mac
    103. Bluetooth Hacking Tools Kali
    104. Tools For Hacker
    105. Hacker Tools Hardware
    106. How To Install Pentest Tools In Ubuntu
    107. Hack App
    108. Nsa Hack Tools
    109. Tools Used For Hacking
    110. Hacking Tools
    111. Hacker Tools Software
    112. Hack Tools For Pc
    113. Hacker Tools Free Download
    114. Github Hacking Tools
    115. Pentest Tools Website Vulnerability
    116. Hacking Tools Pc
    117. Pentest Tools Url Fuzzer
    118. New Hack Tools
    119. Hacker Tools Mac
    120. Hacking Tools Pc
    121. Pentest Tools Free
    122. Pentest Tools Windows
    Posted by at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)