
How to understand the OAuth abuse attack detection and response platform PwnAuth

2025-01-15 Update, from SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

Many readers are unsure what PwnAuth, an OAuth abuse attack detection and response platform, is and how it is used. This article summarizes the problem it addresses and how it works, so that readers can understand the platform.

Background

Spear phishing is regarded as one of the biggest network threats to enterprises. A single employee who carelessly enters his credentials or runs an unknown piece of malware can hand the attacker control of the entire enterprise network, or even take it down. As a result, companies often invest heavily in preventing credential harvesting and payload-driven social engineering attacks. Far less attention has been paid to OAuth abuse, a non-traditional but equally dangerous social engineering method. In an OAuth abuse attack, the victim authorizes a third-party application to access their account. Once authorized, the application can access the user's data without needing credentials and while bypassing any two-factor authentication that may be in place.

Introduction to OAuth

OAuth 2.0 is described as "an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications." It has become the de facto standard that major Internet companies such as Amazon, Google, Facebook and Microsoft use to let users authorize third-party applications to access their data. An application that accesses Microsoft OneDrive to make file sharing easier is a typical use of OAuth.

Using an application that accesses OneDrive as the running example, the roles in the OAuth authorization process are:

Application or client

The third-party application that requests access. Here, the application that wants to read your OneDrive files is the client.

API resource

The target application the client wants to access. Here, the Microsoft OneDrive API endpoint is the resource.

Resource owner

The person who grants access to some part of his or her account. Here, that is you.

Authorization server

The authorization server presents the interface the resource owner uses to approve or reject the request. It can be the same component as the API resource or a separate one. Here, the Microsoft login portal is the authorization server.

Scope

A scope describes the kind of access a third-party application requests. Most API resources define a set of scopes that applications can request; this is similar to the permissions an Android app asks for when it is installed. In this example, the application might request access to your OneDrive files and your user profile.

OAuth 2.0 provides several different authorization "grant types" to suit the different kinds of applications users interact with. Here we look at the "authorization code" grant type, which is the one used by web applications that implement OAuth. The authorization process runs as follows:

1. Create a consent link that directs the resource owner to the authorization server, identifying the application and the requested scopes in the query parameters:

https://login.microsoftonline.com/auth?response_type=code&client_id=123456789&redirect_uri=https%3A%2F%2Fexample-app.com%2Fcallback&scope=mail.read+offline_access

2. The resource owner receives an authorization prompt showing the application name and the requested scopes, and can approve or reject the request.

3. Once consent is given, the authorization server redirects the resource owner back to the application with an authorization code.

4. The application then presents the authorization code to the authorization server and requests an access token. The token response looks like this:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{"access_token": "aMQe28fhjad8fasdf", "token_type": "bearer", "expires_in": 3600, "refresh_token": "OWWGE3YmIwOGYzYTlmM2YxNmMDFkNTVk", "scope": "mail.read+offline_access"}

The access token can then be used for a set period of time to access the user's data from the API resource without any further action by the resource owner.
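The four steps above, played out end to end as an added example (this is not code from the original article and not part of PwnAuth). Both sides of the exchange are simulated: an authorization server that issues a single-use code and then a token, and an API resource that serves mail to whoever presents a valid bearer token with the right scope. The client_id "123456789", the client secret, the redirect URI, the host login.example.test and the mailbox contents are all constructed for illustration; a real provider such as login.microsoftonline.com is an external service.

```python
"""Simulation of the OAuth 2.0 authorization code grant.

Added example, not code from the article or from PwnAuth.  The registered
application (client_id "123456789", its secret and redirect URI), the
authorization server, the API resource and the mailbox are constructed.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# What the developer registered with the provider (constructed values).
REGISTERED_APPS = {
    "123456789": {
        "secret": "constructed-client-secret",
        "redirect_uris": {"https://example-app.com/callback"},
    }
}


class AuthorizationServer:
    """The provider's login/consent endpoint."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, scope, user)
        self._tokens = {}  # access_token -> (user, scope, expiry)

    def consent_url(self, client_id, redirect_uri, scope):
        """Step 1: build the consent link the user will be asked to open."""
        app = REGISTERED_APPS.get(client_id)
        if app is None or redirect_uri not in app["redirect_uris"]:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        query = urlencode({"response_type": "code", "client_id": client_id,
                           "redirect_uri": redirect_uri, "scope": scope})
        return "https://login.example.test/auth?" + query

    def user_consents(self, user, consent_url):
        """Steps 2-3: the user approves the prompt; the server redirects back with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(consent_url).query).items()}
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["scope"], user)
        return q["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: exchange the single-use code for an access (and refresh) token."""
        app = REGISTERED_APPS.get(client_id)
        if app is None or app["secret"] != client_secret:
            raise PermissionError("invalid_client")
        entry = self._codes.pop(code, None)  # a code can be redeemed only once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        _, _, scope, user = entry
        access = secrets.token_urlsafe(24)
        self._tokens[access] = (user, scope, time.time() + 3600)
        response = {"access_token": access, "token_type": "bearer",
                    "expires_in": 3600, "scope": scope}
        if "offline_access" in scope.split():
            # offline_access is what turns a one-hour token into lasting access
            response["refresh_token"] = secrets.token_urlsafe(24)
        return response

    def introspect(self, access_token):
        """Used by the API resource to validate a bearer token."""
        entry = self._tokens.get(access_token)
        if entry is None or entry[2] < time.time():
            return None
        return {"user": entry[0], "scope": entry[1]}


class MailResource:
    """API resource: it checks the token and its scope, never a password or MFA."""

    def __init__(self, auth_server, mailboxes):
        self.auth = auth_server
        self.mailboxes = mailboxes

    def read_mail(self, bearer_token):
        info = self.auth.introspect(bearer_token)
        if info is None or "mail.read" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return list(self.mailboxes[info["user"]])


def run_flow(scope="mail.read offline_access"):
    """Walk steps 1-4 for user 'alice'; return (server, code, token_response, mail)."""
    server = AuthorizationServer()
    resource = MailResource(server, {"alice": ["Q3 budget", "VPN password reset"]})
    url = server.consent_url("123456789", "https://example-app.com/callback", scope)
    redirect = server.user_consents("alice", url)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    tokens = server.token("123456789", "constructed-client-secret", code,
                          "https://example-app.com/callback")
    return server, code, tokens, resource.read_mail(tokens["access_token"])


def code_replay_succeeds(server, code):
    """True if an already-redeemed code can be exchanged again (it must not)."""
    try:
        server.token("123456789", "constructed-client-secret", code,
                     "https://example-app.com/callback")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    server, code, tokens, mail = run_flow()
    print("token response:", tokens)
    print("mail readable with the token alone:", mail)
    print("code reusable:", code_replay_succeeds(server, code))
```

Two details are worth noticing when running it: the scope string "mail.read offline_access" is URL-encoded as mail.read+offline_access, exactly as in the consent link above, and the refresh token only appears when offline_access was among the consented scopes, which is why that scope matters so much in the abuse scenario discussed later.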

OAuth abuse in the wild

OAuth applications give attackers an ideal vehicle for reaching targets and obtaining sensitive data such as e-mail, contacts and files. An attacker can create a malicious application and use the access tokens it obtains to retrieve the victim's account data through the API resource. Using the access token does not require knowing the user's password, and it bypasses any two-factor authentication in place. Moreover, the only way to cut off the attacker's access is to explicitly revoke the OAuth application's authorization. To obtain OAuth tokens, the attacker has to use social engineering to persuade the victim to click a consent link and approve the application. Because every interaction the victim sees takes place on a site owned by the legitimate resource provider, such as Microsoft, users without security training often cannot tell whether an OAuth application is legitimate.

Although it may not have been the first such case, OAuth abuse first drew media attention during the 2016 US presidential election. In its 2017 M-Trends report, FireEye described how APT28 abused OAuth to obtain the e-mail of US politicians. Since then, FireEye has observed the technique spreading to commodity attackers, including attempts to use it against Gmail.

PwnAuth

PwnAuth is a web application framework I wrote to give organizations and penetration testers a platform for testing their ability to detect and respond to OAuth-abuse social engineering campaigns. The web application provides an easy-to-use UI for penetration testers to manage malicious OAuth applications, store captured OAuth tokens and interact with API resources. The user interface and framework are built around modules, so support for other API resources can be added easily. Although any cloud environment that allows OAuth applications could be targeted, PwnAuth currently ships with one module, which supports malicious Office 365 applications: it captures OAuth tokens and uses them to interact with the Microsoft Graph API. The Office 365 module can itself be extended further, but it currently provides the following functions:

Read email

Search the user's mailbox

Read the user's contacts

Download messages and attachments

Search OneDrive and download files

Send messages on behalf of the user

The PwnAuth interface is intuitive. The first step is to create a Microsoft application; its registration details are then entered into PwnAuth (figure 1).

Once configuration is complete, the generated "authorization URL" can be used to phish potential targets. When a target clicks it and consents, PwnAuth captures their OAuth token. Figure 2 shows an example of the victim list.

Once PwnAuth has captured a victim's OAuth token, their data can be accessed. For example, PwnAuth can query the victim's mailbox for all messages containing the string "password" (figure 3).

For more information on usage, see the GitHub wiki.

Mitigation measures

Our FireEye technology stack includes web-based signatures that detect potentially malicious OAuth consent URLs. Attackers tend to request certain scopes in their malicious applications, and those scopes can be detected and flagged. Organizations that run social engineering training can add OAuth abuse to their existing programs so that users can better recognize it and protect themselves. Enterprises can also take further steps to limit the potential impact of malicious OAuth applications and improve their ability to detect them. The options available vary widely between API resources, but typically include:

Limit the API scopes that third-party applications can request.

Disable third-party applications in the enterprise.

Implement a whitelist or blacklist for applications.

Query the user base for all consented applications.

Log all user consent events and report suspicious activity.

Office 365 provides some options specifically for administrators:

Enterprises with Cloud App Security can use the Application permissions feature to query and block third-party applications.

Administrators can block access to third-party applications.

Administrators can take action if they believe a malicious application has been granted access to an account.

The unified audit log records when the user agrees to a third-party application; however, specific scope and application information is not recorded in the log.

I created a set of scripts to help administrators search for malicious OAuth applications in the cloud. There is currently a script available for Office 365, and I plan to add more cloud environments in the future.
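As an added example of the two detection ideas in this section, the consent-URL signatures mentioned under "Mitigation measures" and the consent-event logging called for in the option list, the block below implements both in one place. It is not the author's administrator scripts and not FireEye's signatures. The approved-application list, the sensitive-scope table, the sample consent URLs and the audit records are constructed; the scope names follow Microsoft Graph permission names (Mail.Read, offline_access and so on), the "Consent to application" operation name follows the Office 365 audit log, and the record layout is a simplified assumption rather than the real export format.

```python
"""Defender-side checks for OAuth consent abuse.

Added example, not the author's scripts.  All identifiers, URLs and
audit records below are constructed; only the scope names and the
"Consent to application" operation name follow real Microsoft naming.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

APPROVED_CLIENT_IDS = {"00000000-0000-0000-0000-00000000aaaa"}  # constructed

# Scopes that hand over mailbox, contact or file contents.  offline_access
# adds a refresh token, so access outlives the one-hour access token.
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "contacts.read",
                    "files.read", "files.read.all", "files.readwrite.all"}
PERSISTENCE_SCOPE = "offline_access"
CONSENT_HOSTS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}


def inspect_consent_url(url):
    """Return findings for one URL (empty list when it is not a risky consent link)."""
    parsed = urlparse(url)
    if parsed.hostname not in CONSENT_HOSTS:
        return []
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if q.get("response_type") != "code":
        return []
    # parse_qs already turned '+' into spaces, so split() yields the scope list
    scopes = {s.lower() for s in q.get("scope", "").split()}
    findings = []
    client_id = q.get("client_id", "<missing>")
    if client_id not in APPROVED_CLIENT_IDS:
        findings.append(f"client_id {client_id} is not on the approved list")
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if sensitive:
        findings.append("requests sensitive scopes: " + ", ".join(sensitive))
        if PERSISTENCE_SCOPE in scopes:
            findings.append("offline_access combined with sensitive scopes (persistent access)")
    return findings


def suspicious_consents(events, window=timedelta(hours=1), min_users=3):
    """Group consent events by application; flag unapproved apps and consent bursts.

    events: dicts with keys time (ISO 8601), user, app_id, operation.
    Returns {app_id: [reasons]} for applications worth investigating.
    """
    by_app = defaultdict(list)
    for ev in events:
        if ev.get("operation") != "Consent to application":
            continue
        by_app[ev["app_id"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))
    report = {}
    for app_id, items in by_app.items():
        reasons = []
        if app_id not in APPROVED_CLIENT_IDS:
            reasons.append("consent to an application outside the approved list")
        items.sort()
        # sliding window: several distinct users consenting to the same app
        # shortly after one another is the footprint of a phishing wave
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_users:
                reasons.append(f"{len(users)} users consented within {window}")
                break
        if reasons:
            report[app_id] = reasons
    return report


# Constructed sample input: two consent links seen in proxy logs and one plain page.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code"
    "&client_id=11111111-2222-3333-4444-555555555555"
    "&redirect_uri=https%3A%2F%2Fexample-app.com%2Fcallback&scope=Mail.Read+offline_access",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code"
    "&client_id=00000000-0000-0000-0000-00000000aaaa"
    "&redirect_uri=https%3A%2F%2Fintranet.example.test%2Fcb&scope=User.Read",
    "https://www.example.test/page",
]

# Constructed audit records (simplified layout).
SAMPLE_EVENTS = [
    {"time": "2024-05-31T09:00:00", "user": "alice@example.test",
     "app_id": "11111111-2222-3333-4444-555555555555", "operation": "Consent to application"},
    {"time": "2024-05-31T09:05:00", "user": "bob@example.test",
     "app_id": "11111111-2222-3333-4444-555555555555", "operation": "Consent to application"},
    {"time": "2024-05-31T09:20:00", "user": "carol@example.test",
     "app_id": "11111111-2222-3333-4444-555555555555", "operation": "Consent to application"},
    {"time": "2024-05-31T11:00:00", "user": "dave@example.test",
     "app_id": "00000000-0000-0000-0000-00000000aaaa", "operation": "Consent to application"},
    {"time": "2024-05-31T11:02:00", "user": "dave@example.test",
     "app_id": "n/a", "operation": "UserLoggedIn"},
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url[:60], "->", inspect_consent_url(url) or "clean")
    print(suspicious_consents(SAMPLE_EVENTS))
```

The URL check keys on the same signal the text describes (the scopes an attacker tends to request, here mail.read together with offline_access) plus an application allowlist; the log check compensates for the fact that, as noted above, the unified audit log does not record the scopes or application details, so it reasons only from who consented to which application id and when.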


© 2024 shulou.com SLNews company. All rights reserved.
