Re: [OAUTH-WG] DPoP: Threat Model

2020-05-05 Thread Denis
Hi Daniel, Rather than answering between the lines, I place a global answer in front of your message. Depending upon the content of the JWT, two different collaborative attacks need to be considered, one of them being an impersonation attack which can indeed be performed using Teamviewer.

Re: [OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Philippe De Ryck
On 4 May 2020, at 21:44, Daniel Fett wrote: > > On 04.05.20 at 21:27, Philippe De Ryck wrote: >> (https://beefproject.com ) rather than exfiltrating tokens/proofs. >>> As a sidenote: BeEF is not really XSS but requires a full browser >>> compromise. >>>

Re: [OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Daniel Fett
On 04.05.20 at 21:27, Philippe De Ryck wrote: > >>> (https://beefproject.com ) rather than >>> exfiltrating tokens/proofs. >> >> As a sidenote: BeEF is not really XSS but requires a full browser >> compromise. >> > > No, it’s not. The hook for BeEF is a single JS file,

Re: [OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Philippe De Ryck
>> (https://beefproject.com ) rather than >> exfiltrating tokens/proofs. > As a sidenote: BeEF is not really XSS but requires a full browser compromise. > No, it’s not. The hook for BeEF is a single JS file, containing a wide variety of attack payloads that can be

Re: [OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Daniel Fett
On 04.05.20 at 19:54, Neil Madden wrote: > I mentioned another one in my recent email - BREACH attacks against > HTTP compression being used to steal access tokens in transit. Excellent point, I added that one. > > There’s a variant of the online XSS attacks in which the attacker just > proxies

Re: [OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Daniel Fett
Hi Denis, We discussed these kinds of collusion attacks at great length previously on this list. My views on them have not changed. On 04.05.20 at 20:06, Denis wrote: > As soon as a software solution would be available to perform this > collaborative attack, everybody would be able to use it.

Re: [OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Denis
Hi Daniel, Yes indeed. For another attack, please see my email sent to the list on 01/05/2020 at 10:47 (Paris time). The subject was: DPoP draft-ietf-oauth-dpop-0 Client collaborative attacks. When the JWT does not contain a sufficient number of attributes that would allow to identify the

Re: [OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Neil Madden
I mentioned another one in my recent email - BREACH attacks against HTTP compression being used to steal access tokens in transit. There’s a variant of the online XSS attacks in which the attacker just proxies requests through the victim’s browser (https://beefproject.com

[OAUTH-WG] DPoP: Threat Model

2020-05-04 Thread Daniel Fett
Hi all, as mentioned in the WG interim meeting, there are several ideas floating around of what DPoP actually does. In an attempt to clarify this, I have unfolded the use cases that I see and written them down in the form of attacks that DPoP defends against: