Session hijack vulnerability in oxAuth's implementation of front/back channel logout

By: Doug Harris named 28 Aug 2020 at 1:22 p.m. CDT

7 Responses
Doug Harris gravatar
This is a more in-depth follow-up of the issue I raised in ticket #8359 The OpenID Connect Front Channel Logout specification defines the notion of a [Session ID](https://openid.net/specs/openid-connect-frontchannel-1_0.html#Terminology): >String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier. This Session ID is passed back and forth between the OP and RP in a number of protocol exchanges, either using a `session_id` query parameter, or else as a `sid` claim within an ID Token or a Logout Token. Like any normal web application, oxAuth maintains a session with the user-agent using a [session token](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-properties) stored in a browser cookie. Perhaps due to an unfortunate choice of names, the cookie oxAuth uses to store its session token is also called `session_id`. This may have led to a misconception that the session token used to maintain a stateful browser session is the same thing as the Session ID used by RPs to perform backchannel/frontchannel logout. This seems to be the case with oxAuth today, but it must not be, for important security reasons. *I have to place some fault on the OpenID Foundation for choosing the term "Session ID". The SAML specifications use a much better name: "Session Index".* When oxAuth, as an OP, discloses the value of its session token to an untrusted RP (either in a `session_id` query parameter or `sid` claim), that RP is now able to [hijack](https://owasp.org/www-community/attacks/Session_hijacking_attack) the user's browser session at the OP, which in turn could allow them to establish new sessions at other RPs (via Single Sign-On). This is a *Very Bad Thing*. We are in the very early stages of our roll-out, and have been able to mitigate this vulnerability by blocking the disclosure using the web server (effectively disabling this feature of the front-channel logout spec). Our medium term requirement is to fully support both front-channel and back-channel logout, so we would really appreciate seeing a different value used for the logout Session ID than the one used for maintaining the browser session. Cheers, -Doug
Rhel 7.0
closed

Answers

By Michael Schwartz Account Admin 28 Aug 2020 at 2:04 p.m. CDT

Copy
Michael Schwartz gravatar
Another good find. We'll look into this and patch for 4.2.1

By Yuriy Zabrovarnyy staff 31 Aug 2020 at 3:06 a.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
Thanks for nice report. It will be fixed in https://github.com/GluuFederation/oxAuth/issues/1458

By Yuriy Zabrovarnyy staff 01 Sep 2020 at 10:41 a.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
Issue was fixed in 4.2.1. War file can be found here: https://ox.gluu.org/maven/org/gluu/oxauth-server/4.2.1-SNAPSHOT/oxauth-server-4.2.1-SNAPSHOT.war

By Doug Harris named 21 Oct 2020 at 3:48 p.m. CDT

Copy
Doug Harris gravatar
Reopening, as the fix seems to have only addressed the `sid` claim, and not the `session_id` query parameter. The value of the `session_id` query parameter is still being set the same as the session token (`session_id` cookie). It needs to match the value of `sid`. E.g. [here](https://github.com/GluuFederation/oxAuth/blob/5f10aafa1fd829fee41f08d0ea1541facdbbad60/Server/src/main/java/org/gluu/oxauth/service/AuthenticationService.java#L730), [here](https://github.com/GluuFederation/oxAuth/blob/5f10aafa1fd829fee41f08d0ea1541facdbbad60/Server/src/main/java/org/gluu/oxauth/session/ws/rs/EndSessionRestWebServiceImpl.java#L253-L263), ...

By Yuriy Zabrovarnyy staff 22 Oct 2020 at 1:42 a.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
Hi Doug, Issue is fixed in 4.2.2. By default only `sid` is returned. In 4.2.2 it's still possible to return `session_id` if set `sessionIdRequestParameterEnabled` to true. It is false by default. Would you please validate it based on this war ? https://ox.gluu.org/maven/org/gluu/oxauth-server/4.2.2-SNAPSHOT/oxauth-server-4.2.2-SNAPSHOT.war Thanks, Yuriy Z

By Doug Harris named 27 Oct 2020 at 9:28 a.m. CDT

Copy
Doug Harris gravatar
Hi Yuriy; Sort it took a while to get back to you. I've confirmed that the new 4.2.2 snapshot war does look to be behaving as it should. I only get the sid query parameter with the correct value now. Thanks, -Doug

By Yuriy Zabrovarnyy staff 27 Oct 2020 at 10:14 a.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
Thanks for validation!

Post an answer