Issue 91: Homograph OAuth bypass 🌏, common JWT mistakes, ReDos attacks

OAuth2 implementation can be tricky. SEMrush has fixed an OAuth redirect_uri bypass reported by Yassine Aboukir.

The problem was in how SEMrush handled international domain names (IDN). IDNs can include non-Latin characters that might look similar or even identical to Latin ones. For example, the Cyrillic е looks exactly like the English e, but it is actually a completely different character.

In the case of SEMrush, the vulnerability was that their code did not differentiate non-Latin characters from Latin ones. Instead, homographs, such as sémrush, sêmrush, sèmrûsh, or šemrush, were considered to be identical to semrush.

Thus, attackers could register a domain like oauth.šemrush.com (or oauth.xn--emrush-9jb.com) and make an OAuth call where the redirect_uri parameter was set to their domain. The system accepted this just fine and the redirect took the user to the attackers’ domain (oauth.šemrush.com), not the vendor one (oauth.semrush.com).

Be careful when you implement OAuth2: use well-established and trusted solutions, and make sure that your validation for strings is strict.

JSON Web Token (JWT) security has been a recurring theme in this newsletter. For example, see the JWT security videos in issue 72, or check out the JWT toolkit in issue 88. Not to abandon a good theme, this week we have a recent summary of the recurring issues with JWT.

Vasilii Ermilov from R2C has analyzed 2,000 node package manager (npm) modules for  different JWT security implementation flaws. The following is the list he compiled on the JWT mistakes that cropped up most often:

• Hardcoded secrets
• Allowing the none algorithm for signing
• Incorrectly verified tokens (or no verification at all)
• Sensitive data exposure

Ermilov provides code examples for each of these mistakes, as well as rules to catch these issues with his company’s tool, Semgrep.

Regular expressions (regex) are a common way to define string parameter patterns for API inputs. However, the regex language is extremely flexible, and can easily be abused to create expressions that require enormous amounts of memory and compute power to evaluate. Such attacks are known as Regular Expressions Denial of Service (ReDoS).

James Davis has put together a cheat-sheet for ReDos attacks and how to mitigate them. A good resource to check out!

OAuth2 and OpenID Connect (OIDC) continue to be misunderstood and misimplemented, which leads to API vulnerabilities.

Philippe De Ryck has made his course  “Introduction to OAuth 2.0 and OpenID Connect” available online for free (registration required).

The curriculum of the course includes:

• OAuth2.0 and OIDC concepts
• Using OAuth 2.0 with backend web clients
• Introduction to OIDC
• Mobile and native clients
• Frontend web clients
• Additional flows