Thursday, August 27, 2020

PKCE: What Can(Not) Be Protected


This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.
At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.
In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow


In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 
Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).
  • The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].
Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.
  • Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

    Proof Key for Code Exchange - PKCE (RFC 7636)

    Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.


    Figure 2: PKCE - RFC 7636 

    Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:
    • The Honest App generates a random string called code_verifier
    • The Honest App computes the code_challenge=SHA-256(code_verifier)
    • The Honest App specifies the challenge_method=SHA256

    Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.
    • Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.
    Step 3-4: The code leaks again to the Evil App.

    Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

     PKCE Bypass via App Impersonation

    Again, PKCE binds the Auth Request to the coderedemption.
    The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

    Figure 3: Bypassing PKCE via the App Impersonation attack
    Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

    Step 2-4: These steps do not deviate from the previous description in Figure 2.

    Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

    OAuth 2.0 for Native Apps

    The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

    References

    Vladislav Mladenov
    Christian Mainka (@CheariX)
    Related word
    1. Hacker Tools Github
    2. Best Pentesting Tools 2018
    3. What Is Hacking Tools
    4. Blackhat Hacker Tools
    5. Install Pentest Tools Ubuntu
    6. Hacker Tools Online
    7. Best Hacking Tools 2019
    8. How To Install Pentest Tools In Ubuntu
    9. Pentest Tools
    10. Free Pentest Tools For Windows
    11. Hacking Tools Name
    12. Pentest Reporting Tools
    13. Game Hacking
    14. Hacker Tools Linux
    15. Hacker Tools Free
    16. Hacker Tools Hardware
    17. Hacker Tools Windows
    18. Hacking Tools 2020
    19. Hacker Tool Kit
    20. What Are Hacking Tools
    21. Easy Hack Tools
    22. Pentest Tools Subdomain
    23. Hacking Apps
    24. Hack Apps
    25. Hacking Tools Download
    26. How To Hack
    27. Hacking Tools Name
    28. Bluetooth Hacking Tools Kali
    29. Hacking Tools Github
    30. Hack Tools Download
    31. Hacker Tools Linux
    32. Hacking Tools For Beginners
    33. Hacker Tools Mac
    34. Hacking Tools Kit
    35. New Hacker Tools
    36. Hack Website Online Tool
    37. Hacking Tools For Beginners
    38. Pentest Tools Online
    39. Hacking Tools Online
    40. Nsa Hack Tools
    41. Hacking Tools For Mac
    42. Pentest Tools List
    43. Hacks And Tools
    44. Pentest Tools Framework
    45. Pentest Tools Website
    46. Hacking Tools Kit
    47. Hack Tool Apk No Root
    48. Pentest Tools Subdomain
    49. Hacker Tools Online
    50. Bluetooth Hacking Tools Kali
    51. Pentest Reporting Tools
    52. Hack Tools Github
    53. Pentest Automation Tools
    54. Hacker Tools Hardware
    55. Best Hacking Tools 2019
    56. Ethical Hacker Tools
    57. Pentest Tools Github
    58. Hacker Tools For Windows
    59. Hacker Tools For Pc
    60. Hacking Tools For Kali Linux
    61. Hack Tools For Games
    62. Hak5 Tools
    63. Pentest Tools Online
    64. Hacking Tools For Pc
    65. Easy Hack Tools
    66. Top Pentest Tools
    67. Hacker Tools Apk Download
    68. New Hacker Tools
    69. Hack App
    70. Best Hacking Tools 2019
    71. Hacking Tools Kit
    72. Best Hacking Tools 2020
    73. Pentest Automation Tools
    74. Hacking Tools For Games
    75. Hacker Tools For Windows
    76. Hack Apps
    77. Hack Tools For Games
    78. Hack Tool Apk No Root
    79. Hacking Tools And Software
    80. Hacking Tools Pc
    81. Pentest Tools For Windows
    82. Pentest Tools List
    83. Github Hacking Tools
    84. Hack And Tools
    85. Hacker Search Tools
    86. Github Hacking Tools
    87. Hacking Tools 2019
    88. What Are Hacking Tools
    89. Hacker Tools List
    90. Growth Hacker Tools
    91. Hack Tools Github
    92. Hack Tools
    93. Hacking Tools Online
    94. Hacker Security Tools
    95. What Is Hacking Tools
    96. Hack Tools Github
    97. Nsa Hacker Tools
    98. Kik Hack Tools
    99. Hack Tools For Mac
    100. Pentest Tools Download
    101. Hack Rom Tools
    102. Hacker
    103. Hack Website Online Tool
    104. Hack Apps
    105. Hack And Tools
    106. Hacking Tools Windows
    107. Pentest Tools For Android
    108. Hacker Tools Windows
    109. Pentest Recon Tools
    110. Hacker Tools List
    111. Hacker Tools Free
    112. Install Pentest Tools Ubuntu
    113. Pentest Tools Alternative
    114. Best Pentesting Tools 2018
    115. Hack Tools Mac
    116. Hack Tools Pc
    117. Android Hack Tools Github
    118. Nsa Hack Tools
    119. Pentest Recon Tools
    120. Hack Apps
    121. Pentest Tools For Ubuntu
    122. Kik Hack Tools
    123. Free Pentest Tools For Windows
    124. Hacker
    125. Nsa Hack Tools
    126. Hacking Apps
    127. Pentest Box Tools Download
    128. Hacking Tools Windows 10
    129. Hack Tools Download
    130. Pentest Tools Port Scanner
    131. Hack Tools
    132. Hacking Tools Pc
    133. Tools For Hacker
    134. Pentest Automation Tools
    135. Hacker Tools Free Download
    136. Hacking Tools Download
    137. Hacking Tools Windows 10
    138. Hacker Tools For Windows
    139. Termux Hacking Tools 2019
    140. Hacking Tools Windows 10
    141. Pentest Automation Tools
    142. Hack Tools Download
    143. Pentest Tools List
    144. Hack Apps
    145. Nsa Hacker Tools
    146. Pentest Recon Tools
    Posted by at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)