Christian Mainka

Christian Mainka, Vladislav Mladenov, Jörg Schwenk

Single Sign-On (SSO) systems simplify login procedures by using an an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitely specifies which IdP he trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in a open source tool OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.

Marcus Niemietz, Mario Korth, Christian Mainka et al.

Nearly every second website is using a Content Management System (CMS) such as WordPress, Drupal, and Joomla. These systems help to create and modify digital data, typically within a collaborative environment. One common feature is to enrich their functionality by using extensions. Popular extensions allow developers to easily include payment gateways, backup tools, and social media components. Due to the extended functionality, it is not surprising that such an expansion of complexity implies a bigger attack surface. In contrast to CMS core systems, extensions are usually not considered during public security audits. However, a Cross-Site Scripting (XSS) or SQL injection (SQLi) attack within an activated extension has the same effect on the security of a CMS as the same issue within the core itself. Therefore, vulnerabilities within extensions are a very attractive tool for malicious parties. We study the security of CMS extensions using the example Joomla; one of the most popular systems. We discovered that nearly every second installation of such a system also includes Joomla's official top-10 rated extensions as a per se requirement. Moreover, we have detected that every single extension of the official top-10 rated extensions is vulnerable to XSS and 30% of them against SQLi. We show that our findings are not only relevant to Joomla; two of the analyzed extensions are available within systems like WordPress or Drupal, and introduce the same vulnerabilities. Finally, we pinpoint mitigation strategies that can be realized within extensions to achieve the same security level as the core CMS.

Vladislav Mladenov, Christian Mainka, Jörg Schwenk

OAuth is the new de facto standard for delegating authorization in the web. An important limitation of OAuth is the fact that it was designed for authorization and not for authentication. The usage of OAuth for authentication thus leads to serious vulnerabilities as shown by Zhou et. al. in [44] and Chen et. al. in [9]. OpenID Connect was created on top of OAuth to fill this gap by providing federated identity management and user authentication. OpenID Connect was standardized in February 2014, but leading companies like Google, Microsoft, AOL and PayPal are already using it in their web applications [1], [2], [3], [30]. In this paper we describe the OpenID Connect protocol and provide the first in-depth analysis of one of the key features of OpenID Connect: the Discovery and the Dynamic Registration extensions.We present a new class of attacks on OpenID Connect that belong to the category of second-order vulnerabilities. These attacks consist of two phases: First, the injection payload is stored by the legitimate application. Later on, this payload is used in a security-critical operation. Our new class of attacks - called Malicious Endpoints attacks - exploits the OpenID Connect extensions Discovery and Dynamic Registration. These attacks break user authentication, compromise user privacy, and enable Server Side Request Forgery (SSRF), client-side code injection, and Denial-of-Service (DoS). As a result, the security of the OpenID Connect protocol cannot be guaranteed when these extensions are enabled in their present form. We contacted the authors of the OpenID Connect and OAuth specifications. They acknowledged our Malicious Endpoint attacks and recognized the need to improve the specification [29]. We are currently involved in the discussion regarding the mitigation of the existing issues and an extension to the OAuth specification.