-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
State nonce cookie should properly be signed #153
Comments
@Hanspagh what part is the one we are missing, here is the line ueberauth/lib/ueberauth/strategy.ex Line 391 in 7ebc0ae
Is there an extra configuration we need to pass to |
The details are here: https://hexdocs.pm/plug/Plug.Conn.html#put_resp_cookie/4-signing-and-encrypting-cookies I have been looking into the security exploitations of this vulnerability. If the cookie is not signed, then I believe you are setting the users of this library open to a callback url attack, and allow the attacker to impersonate any user. The assumption of the security of the state-param is based on your believe that:
When all is well, you decode the JWT tokens and extract the various values of the oauth providers; which allows you to get email address of a user If this cookie value is not properly signed; then your security falls apart by realizing that a malicious attacker will only adhere to point 3. The malicious attacker is NOT using a browser but rather a command line tool such as curl; allowing him to spoof any value occurring in the params of a request to:
According to Ueberauth, this request is now authenticated and the attacker will have access to a cookie or a JWT that the website in question will take at face value and thereby gives full unrestricted access to the malicious attacker. The only saving grace here would be if Is this the case? I have not dug any further. However, security should be layered; so ensuring that the cookie is properly signed would help guarantee that the issuer of that cookie was the signer of that cookie. |
Reading auth0.com/docs/secure/attack-protection/state-parameters it is suggested that the state once for CFSF protected in stored in a signed cookie, to my understanding this is not the case at the moment.
The text was updated successfully, but these errors were encountered: