
Case Analysis of Open Redirection vulnerabilities in Spring Security OAuth 2.3

2025-01-25 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)05/31 Report--

This article analyses the Spring Security OAuth 2.3 Open Redirection vulnerability and its fix in detail, in the hope that it helps readers facing the same problem find a simple and workable approach.

While browsing the list of Spring-related vulnerabilities on the CVE site, this one caught the blogger's eye: Spring Security OAuth 2.3 Open Redirection (CVE-2019-3778). The blogger decided to study it, but an Internet search turned up no detailed analysis (probably because of the wrong search terms), so this article is written as a record.

Vulnerability description

A malicious attacker can craft a request to the authorization endpoint using the "authorization code" grant type and control the redirect target through the "redirect_uri" parameter. This causes the authorization server to redirect the resource owner's user agent to a URI under the attacker's control, leaking the authorization code. Because of the way the OAuth 2 protocol handles authentication, the vulnerability is rated Medium severity.

Affected products

Spring Security OAuth 2.3 to 2.3.4

Spring Security OAuth 2.2 to 2.2.3

Spring Security OAuth 2.1 to 2.1.3

Spring Security OAuth 2.0 to 2.0.16

Older unsupported versions are also affected

Introduction to Spring Security OAuth: what is OAuth?

The OAuth protocol provides a secure, open and simple standard for authorizing access to user resources. Unlike earlier authorization methods, OAuth does not give a third party the user's account credentials (such as user name and password): a third party can request authorization for the user's resources without ever handling the user's user name and password, which is what makes OAuth secure.

What is Spring Security?

Spring Security is a security framework, formerly known as Acegi Security, that provides declarative access control for Spring enterprise applications. Built on Servlet filters, IoC and AOP, Spring Security handles authentication and authorization for web requests and method calls, avoiding code coupling and eliminating a lot of repetitive code.

Usage scenarios of OAuth

Authorization modes of the OAuth protocol

In the OAuth 2.0 standard, the client must obtain an authorization grant from the user before it can obtain an access token. OAuth 2.0 defines four authorization modes:

Simplified mode

Simplified mode suits pure static page applications, that is, applications that have no permission to execute code on a server (the code is usually hosted on someone else's server) and control only the front-end JavaScript.

Authorization code mode

Authorization code mode suits applications that have their own server. The authorization code is a one-time temporary credential that is exchanged for an access_token and a refresh_token. The authorization server provides an interface such as:

https://www.funtl.com/exchange?code=&client_id=&client_secret=

Password mode

In password mode, the user gives the client their user name and password, and the client uses these credentials to request authorization from the service provider. The user must therefore hand the password to the client, but the client must not store it. This mode is normally used only when the user trusts the client highly, for example when the client is part of the operating system.

Client mode

If the trust relationship goes further still, or the caller is a back-end module with no user interface, client mode can be used. The authorization server authenticates the client directly and returns a token once verification passes.

The OAuth authorization flow is as follows:

Reproduction

1. Preconditions

A vulnerable version of Spring Security OAuth2

OAuth authentication uses the authorization code mode

The user needs to be logged in

2. Set up a target machine

The target is self-built: set up two applications (a client and an authorization server) and enable OAuth2 login authentication. Related materials:

https://github.com/spring-projects/spring-security-oauth/releases

https://github.com/oktadeveloper/okta-spring-boot-authz-server-example

The target setup is as follows:

3. The OAuth version used by the target (a vulnerable version)

4. Examine the vulnerable code

The parameter check in the obtainMatchingRedirect method is flawed.

Package: org.springframework.security.oauth2.provider.endpoint

Class: DefaultRedirectResolver

Method: obtainMatchingRedirect

5. Test

After the user logs in, the request below issued by the CLIENT APP contains the REDIRECT_URI parameter. Simply appending a percent sign is enough to bypass the redirect validation.

5.1 The original request contains the following valid URI:

5.2 Modify the redirect_uri parameter to http://www.baidu.com and send the request; OAuth detects the invalid parameter and returns the following result:

5.3 Append "%" to the modified redirect_uri and send the request again, as follows:

5.4 The check is now bypassed and the user is redirected; the returned result is as follows:

Fix:

2.3.x users should upgrade to 2.3.5

2.2.x users should upgrade to 2.2.4

2.1.x users should upgrade to 2.1.4

2.0.x users should upgrade to 2.0.17

Older versions should upgrade to a supported branch

The crux of the problem is that when the obtainMatchingRedirect method receives the user-supplied redirect_uri parameter, its validation is not strict enough: special characters such as "%" are not handled, which ultimately allows the check to be bypassed. Developers implementing the OAuth protocol should therefore validate every parameter received from users. One last sentence for you: never trust user input!
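The following Python model, added here and not taken from Spring Security OAuth's code, contrasts a redirect_uri resolver that fails closed on malformed input with one that hands unparseable input through unchecked, using the test values from the page; the registered URI http://localhost:8080/login is a constructed assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed registered redirect URI for a demo client (assumption, not from the page).
REGISTERED_URIS = {"http://localhost:8080/login"}
# A '%' that is not followed by two hex digits is malformed percent-encoding.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


class RedirectMismatch(Exception):
    """Raised when the requested redirect_uri must not be used."""


def canonical(uri):
    """Parse strictly; raise ValueError on anything that cannot be compared safely."""
    if _BAD_PCT.search(uri):
        raise ValueError("malformed percent-encoding: " + uri)
    p = urlsplit(uri)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("absolute http(s) URI required: " + uri)
    if p.fragment:
        raise ValueError("fragment not allowed in redirect_uri: " + uri)
    port = p.port or (443 if p.scheme == "https" else 80)
    # The query is deliberately ignored: a client may append state, but not change the target.
    return (p.scheme, p.hostname.lower(), port, p.path or "/")


def resolve(requested, registered=REGISTERED_URIS, fail_open=False):
    """Return the matching registered URI, never the raw request value."""
    try:
        wanted = canonical(requested)
    except ValueError as exc:
        if fail_open:  # models the weak pattern: unparseable input skips the match
            return requested  # BUG: attacker-controlled string is used as-is
        raise RedirectMismatch(str(exc)) from exc
    for reg in registered:
        if canonical(reg) == wanted:
            return reg
    raise RedirectMismatch("not registered: " + requested)


def check(uri, fail_open=False):
    """Return the resolved URI, or None when the resolver rejects it."""
    try:
        return resolve(uri, fail_open=fail_open)
    except RedirectMismatch:
        return None
```

The strict path only ever returns the registered string, so a request value with a stray "%" is rejected instead of reaching the Location header.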

That concludes the case analysis of the Spring Security OAuth 2.3 Open Redirection vulnerability. I hope the above is of some help to you; if you still have questions, follow the industry information channel for more related knowledge.
