Skip to main content


Showing posts from 2015

Small subgroup attack in Mozilla NSS

tl;dr While the TLS servers attacks has been pretty much studied and fixed (see e.g. and the situation with the TLS clients is (was) not ideal and can be improved. Here I report a Small subgroup attack for TLS clients that I performed against various browsers and reported.

Whoever reads this blog is used to read about OAuth .
For once (and maybe more in the future) let's hijack the usual topic and let's talk about my new "passion" : TLS in particular Diffie–Hellman (DH from now on).

Now, before to start I need to clarify one thing IANAC (I am not a cryptographer) so I might likely end up writing a bunch of mistakes in this blog post...

Diffie-Hellman is used in SSL/TLS, as "ephemeral Diffie-Hellman" (EDH) and it is probably going to be kill soonish (or at least is the intent of Google Chrome). FWIW I personally agree with this unless EDH implements the Negotiated Finite Field specification.

Now in the…

Top 10 OAuth 2 Implementation Vulnerabilities

Some time ago I posted a blogpost abut  Top 5 OAuth 2 Implementation Vulnerabilities.
This week I have extended the list while presenting Top X OAuth 2 Hacks at OWASP Switzerland.

This blog post (like the presentation) is just a collection of interesting attack OAuth related.

#10 The Postman Always Rings Twice  I have introduced this 'attack' in last year post . This is for provider implementer, it is not extremely severe but, hey, is better to follow the spec. Specifically

The client MUST NOT use the authorization code  more than once.  If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.

It turned out that even Facebook and Googledid it wrong... :)

#9 Match Point To all OAuth Providers be sure to follow section 4.1.3 of the spec in particular

...if the "redirect_uri" parameter was included in the initial authorization requ…

A Quick Glance at Modern Browsers's Protection Part #1

tl;dr in this blog post we are going to give a look at modern browsers's protection with some hands on example available at and deployed in Heroku. This blog post is NOT about Same-origin policy
Introduction In this blog post we are going to give a look at modern browsers's protection. More specifically if you are designing a REST API where the result response is driven by some user input, then why not have some help from the browser rather than brewing some ad hoc protection? I am going to provide some demo deployed in Heroku . If you prefer running them on your machine you might want to clone and drill down into the specific example. Mind your content type By definitionContent-Type entity-header field indicates the media type of the entity-body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET.  It turns…

On (OAuth) token hijacks for fun and profit part #2 (Microsoft/xxx integration)

In a previous blogpost we have already analyzed a token hijack on one OAuth integration between some Microsoft and Google service and seen what went wrong.
Now it is time to see yet another integration between Microsoft and xxxx (unluckily I can't disclose the name of the other company due the fact the haven't still fixed a related issue...) and see some fallacy.
But before to focus on the attack we might need a bit of introduction.

HTTP referrer
An HTTP referrer (misspelled as referer in the spec) is a special HTTP header field that browsers (and http clients in general) attach when surfing from a page to another. In this way the new webpage can see where the request originated. One extra thing to point out is that as per section 15.1.3 (Encoding Sensitive Information in URI's) of HTTP RFC [RFC 2616]:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

This is summarized in the image…

Apple Safari URI spoofing (CVE-2015-5764)

tl;dr Apple Safari for OS X was prone to URI spoofing vulnerability  (and more general a user interface spoofing). Apple released security updates for Safari 9 on OS X and assigned CVE-2015-5764. Accidentally this vulnerability was also present in iOS.

Instant demo In Safari up to 8.0.8 :
go to "click me!"notice the address bar being "data:text/html,%3CH1%3EHi!!%3C/H1%3E"go back using the browser buttonclick "click me!"notice the address bar being !!!! 
Well this looks a clear caching problem to me, right :) ?

The Introduction (Oldie but goldie) Several months ago (almost a year!!) I was reading the great book written by lcamtuf (aka Michal Zalewski) named The Tangled Web .  I know, I know I was a bit late for the party :)
Said that, this book contained a really interesting Chapter (for the record Chapter 10) that is dedicated almost entirely to pse…

New OAuth book: OAuth 2 in Action

Justin Richer and myself have been writing a book about OAuth.

It gives a deep look at the OAuth 2.0 protocol including hands on examples and practical implementation vulnerabilities to avoid. You can preorder the book today or you can download the first chapter for free on the publisher’s website:

Happy reading!!

p.s. for the next few days, you can order it at half-off with the code mloauth2

Apple Safari SOP bypass (CVE-2015-3753)

Damien Antipa and me love browser security.
Hence we always keep up to date on what is going on this field.
Few months ago Christian Schneider blogged about Chrome SOP Bypass with SVG. We decided to poke some other browser using the same technique and the outcome was CVE-2015-3753.

The SOP-bypass for images works with Safari up to 8.0.7

We were able indeed to bypass the SOP for images served with 302 and with the data protocol (e.g. data:image/png;base64) and exfiltrate the image. You can find the detail of the issue in the mentioned blog post from Christian (our attack did not make use of the browser cache though)

Step to reproduce with Safari 8.0.7 :

Open the attacker page of the contained image are sop/sop

- click "exploit step 1" (this is just an intermediate step to load the image)
- click "exploit step 2" and appreciate the exfiltrated image in the alert message (substring) and the full one in the console…

On (OAuth) token hijacks for fun and profit part #1 (Google/Microsoft integration)

Here we go again....
I have already blogged about (OAuth) token hijacks [1][2] , but hey, things happens and re-happens :)
In the past I had mainly focused my attention on Authorization Servers weakness. As the cited Facebook's vulnerable regex pattern matching for redirect_uri.
It turns out that also OAuth client can screw things up and leak token (or authorization codes).
So here is the tl;dr:

If you are building an OAuth client,   Thou shall register a redirect_uri as much as specific as you can
i.e. if your OAuth client callback is then

DO register JUST or The main reason behind this is that sometimes Authorization Server (AS) use exotic and unexpected redirect_uri validation policies.
As mentioned in some previous post the ONLY safe validation method the Authorization Server should adopt is exact …

So, you wanna crypto (in AEM)

So another year passed by and I will talk (again , ...) at the Connect WE conference. This year with Damien Antipa we will have a speech entitled So, you wanna crypto (in AEM). Now, is true that even symmetric encryption isn't a “solved problem” but hey we still need to protect information et al :) Now is probably well known that messing up with cryptography isn't that hard :p Luckily Adobe Experience Manager (AEM) offers a great suite of cryptography capabilities as : Encryption and decryption APIIntegrity protection APIKey pair generationTrustStore/KeyStore support In this talk we will show how to use those low level building crypto building blocks to solve scalability and resilience problems i.e. improving the efficiency of load balancing with horizontal scalability  and providing a transparent stateless CSRF framework.