PKCE: What Can(Not) Be Protected

This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.

At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.

In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow

In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 

Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).

• The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].

Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.

• Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

Proof Key for Code Exchange - PKCE (RFC 7636)

Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.

Figure 2: PKCE - RFC 7636 

Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:

• The Honest App generates a random string called code_verifier
• The Honest App computes the code_challenge=SHA-256(code_verifier)
• The Honest App specifies the challenge_method=SHA256

Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.

• Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.

Step 3-4: The code leaks again to the Evil App.

Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

 PKCE Bypass via App Impersonation

Again, PKCE binds the Auth Request to the coderedemption.

The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

Figure 3: Bypassing PKCE via the App Impersonation attack

Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

Step 2-4: These steps do not deviate from the previous description in Figure 2.

Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

OAuth 2.0 for Native Apps

The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

References

[1] http://mews.sv.cmu.edu/papers/ccs-14.pdf

[2] https://tools.ietf.org/html/draft-ietf-oauth-native-apps-06#section-8.1

[3] https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

Authors

Vladislav Mladenov
Christian Mainka (@CheariX)

More articles

• Hack Tools For Ubuntu
• Pentest Tools Windows
• Hacking Tools For Games
• What Is Hacking Tools
• Hack Tools For Games
• Kik Hack Tools
• Hack Website Online Tool
• Termux Hacking Tools 2019
• Hacking Tools For Kali Linux
• Pentest Box Tools Download
• Nsa Hack Tools
• Hackers Toolbox
• Pentest Tools Port Scanner
• Hacker Tools List
• Hack Tools Download
• Hacking Tools For Beginners
• Hacker Tools For Pc
• Hacking Tools Windows 10
• Hack Website Online Tool
• Hack Tools
• World No 1 Hacker Software
• Hacking Tools Online
• Easy Hack Tools
• Hacking Tools For Windows Free Download
• Hack Tool Apk No Root
• Pentest Tools List
• Pentest Tools Open Source
• Pentest Tools Online
• Pentest Reporting Tools
• Pentest Tools Download
• Hacker Tools For Pc
• Wifi Hacker Tools For Windows
• Bluetooth Hacking Tools Kali
• Pentest Tools For Mac
• Hack Tools Pc
• Hack Rom Tools
• Hacking Tools Kit
• Hacker Tools Free
• Nsa Hack Tools
• Hacking Tools Github
• What Are Hacking Tools
• Wifi Hacker Tools For Windows
• Pentest Tools Nmap
• Hacker Tools Free
• Hacking Tools Usb
• Pentest Tools Bluekeep
• Hack Tools For Ubuntu
• Hacker Tools Software
• Hacking Tools For Beginners
• Pentest Tools Kali Linux
• Hack Tools For Ubuntu
• Hacker Tools Online
• Hacker Tools For Windows
• Hacker Tools For Ios

Ophcrack

" Ophcrack is an open source (GPL license) program that cracks Windows LM hashes using rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. There is also a Live CD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. These tables can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. Larger rainbow tables (for LM hashes of passwords with all printable characters, including symbols and space) are available for purchase from Objectif Securité. Starting with version 2.3, Ophcrack also cracks NT hashes. This is necessary if generation of the LM hash is disabled (this is default on Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored)." read more...

Website: http://ophcrack.sourceforge.net

Related posts

1. Hacks And Tools
2. Hacking Tools Pc
3. Hacker Tools Github
4. Hacker Tools Linux
5. Kik Hack Tools
6. Pentest Tools For Android
7. Hacker Tools Windows
8. Hacking Tools Software
9. Game Hacking
10. Wifi Hacker Tools For Windows
11. How To Install Pentest Tools In Ubuntu
12. Hack App
13. Usb Pentest Tools
14. Hack Tools For Games
15. Hacking Tools Free Download
16. Pentest Tools Website
17. Hacker Tools 2020
18. Physical Pentest Tools
19. Hack App
20. Hacker Tools Free
21. Hacking Tools For Pc
22. Hacking Tools Free Download
23. Hack Tool Apk No Root
24. Hacker Hardware Tools
25. Hack Tools
26. How To Make Hacking Tools
27. Hacking Tools Software
28. Hacking Tools Online
29. Game Hacking
30. Hacker Tools For Pc
31. Pentest Automation Tools
32. Hack Tool Apk
33. Pentest Tools Bluekeep
34. How To Make Hacking Tools
35. Hacking Tools Free Download
36. Hacks And Tools
37. Hacker Search Tools
38. Github Hacking Tools
39. Pentest Tools Open Source
40. Free Pentest Tools For Windows
41. Pentest Tools Linux
42. Hacking Apps
43. Usb Pentest Tools
44. Nsa Hacker Tools
45. Hacker Tools Apk
46. Hacking Tools And Software
47. Hacker Tools Free
48. Hacker Tools Apk
49. Hack Rom Tools
50. New Hacker Tools
51. Pentest Tools Website Vulnerability
52. Hacker Tools Free Download
53. Pentest Tools Nmap
54. Pentest Tools Download
55. Hack App
56. Pentest Tools For Android
57. Underground Hacker Sites
58. Nsa Hacker Tools
59. Hacking Tools 2019
60. Easy Hack Tools
61. Hacking App
62. Pentest Recon Tools
63. Growth Hacker Tools
64. Hacker Tools List
65. Hacker Tools For Windows
66. Pentest Tools Subdomain
67. Hacker Tools Software
68. Hack Tools 2019
69. What Are Hacking Tools
70. How To Hack
71. Hack Tools Download
72. Pentest Tools Framework
73. Hacker Security Tools
74. How To Make Hacking Tools
75. Termux Hacking Tools 2019
76. Top Pentest Tools
77. Hacking Tools Download
78. Hacking Tools 2020
79. Hacking Tools For Windows Free Download
80. Hacker Tools List
81. Ethical Hacker Tools
82. Pentest Automation Tools
83. Pentest Tools
84. Hacking Tools Software
85. Hacking Tools Free Download
86. Hacker Tools Free Download
87. Hacker Tools Windows
88. How To Make Hacking Tools
89. Hacker Tools Linux
90. Hack Tools 2019
91. Game Hacking
92. Hacker Tools Hardware
93. Hacking Tools For Windows Free Download
94. Hacker Tools Mac
95. Hacker Tools Apk
96. What Is Hacking Tools
97. How To Install Pentest Tools In Ubuntu
98. Blackhat Hacker Tools
99. Pentest Tools Bluekeep
100. Hackrf Tools

DOWNLOAD BLACK STEALER V2.1 FULL

BLACK STEALER V2.1 FULL

Black Stealer v2.1 is an advanced keylogger that can steal even saved passwords from the browsers and sends through Email and FTP. It's really easy to the crypt. Keylogger is a computer program that is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard by the user, especially in order to gain unauthorized access to the passwords and other confidential information. It's also called a keystroke logger or system monitor. Download black stealer v2.1 full.

DOWNLOAD BLACK STEALER V2.1 FULL

Related articles

1. Hacking Tools Name
2. Pentest Tools Linux
3. Physical Pentest Tools
4. Underground Hacker Sites
5. New Hack Tools
6. Hack Tools For Mac
7. Pentest Tools List
8. Hack Tools For Ubuntu
9. Pentest Reporting Tools
10. Wifi Hacker Tools For Windows
11. How To Make Hacking Tools
12. Hacker Tools Github
13. Best Hacking Tools 2020
14. Hacking Tools Pc
15. Physical Pentest Tools
16. Hak5 Tools
17. Hacker Tools Hardware
18. Hacker Tools For Windows
19. Blackhat Hacker Tools
20. World No 1 Hacker Software
21. Wifi Hacker Tools For Windows
22. Tools 4 Hack
23. Bluetooth Hacking Tools Kali
24. Hackers Toolbox
25. Hacking Tools Github
26. Pentest Tools Windows
27. Pentest Box Tools Download
28. Termux Hacking Tools 2019
29. Computer Hacker
30. Pentest Tools Website Vulnerability
31. Hacker Tools Apk
32. Hacker Tools Mac
33. Pentest Tools Port Scanner
34. Pentest Tools Website
35. Hacker Tools Github
36. Hacking Tools 2019
37. Hacker Tools Apk
38. Hacking Tools Download
39. Hacking Tools Pc
40. Pentest Tools Apk
41. Install Pentest Tools Ubuntu
42. Blackhat Hacker Tools
43. Game Hacking
44. Pentest Tools
45. Pentest Tools For Windows
46. Wifi Hacker Tools For Windows
47. Pentest Tools Nmap
48. Hacks And Tools
49. Hacker Hardware Tools
50. Pentest Tools
51. Hacker Tool Kit
52. Hack Tools For Mac
53. Hacker Search Tools
54. Hacking Tools 2020
55. Hacker Tools Github
56. Hacking Tools Free Download
57. Tools 4 Hack
58. Hacker Hardware Tools
59. Hack Tools Pc
60. Pentest Box Tools Download
61. Pentest Tools For Android
62. Android Hack Tools Github
63. Hacker Tools For Pc
64. Hack Tools Download
65. Hack Tools For Ubuntu
66. Bluetooth Hacking Tools Kali
67. Hacking Tools 2019
68. Pentest Tools For Ubuntu
69. Pentest Tools Github
70. Hacking Tools Kit
71. Pentest Tools Url Fuzzer
72. Hacking Apps
73. Hacker Tools
74. Pentest Automation Tools
75. Tools 4 Hack
76. Pentest Box Tools Download
77. Pentest Tools Tcp Port Scanner
78. Growth Hacker Tools
79. Hacking Tools Download
80. Pentest Tools Review
81. Growth Hacker Tools
82. Hacker Tools
83. Hacker Tools Mac
84. Hacker Tools Windows
85. New Hack Tools
86. Pentest Tools Review
87. Pentest Reporting Tools
88. Hacking Tools Pc
89. Hacker Security Tools
90. Pentest Box Tools Download
91. Hack App
92. Game Hacking
93. Hacking Tools And Software
94. Hack Tools Download
95. Hacking Tools Pc
96. Free Pentest Tools For Windows
97. Hacker Tools Mac
98. Pentest Tools For Mac
99. Hacking Tools 2020
100. Hack Rom Tools
101. Hack Tools Github
102. Hack Tools Github
103. Hacking Tools Pc
104. Hacking Tools Windows 10
105. Pentest Tools Alternative
106. Pentest Tools For Mac
107. Bluetooth Hacking Tools Kali
108. Hacker Tools Free
109. Pentest Tools List
110. Hacking Tools 2020
111. Hacking Tools Name
112. Kik Hack Tools
113. Hacking Tools Mac
114. Hacking Tools Pc
115. Termux Hacking Tools 2019
116. Hacking Tools Windows
117. Hacking Tools For Windows 7
118. Nsa Hacker Tools