This week, we check out the recent OAuth bypass at SEMrush, common JWT implementation mistakes and the Semgrep tool, regular expression denial of service (DoS) attacks, and a new online course on OAuth2 and OpenID Connect.
Vulnerability: SEMrush
OAuth2 implementation can be tricky. SEMrush has fixed an OAuth redirect_uri
bypass reported by Yassine Aboukir.
The problem was in how SEMrush handled international domain names (IDN). IDNs can include non-Latin characters that might look similar or even identical to Latin ones. For example, the Cyrillic е looks exactly like the English e, but it is actually a completely different character.
In the case of SEMrush, the vulnerability was that their code did not differentiate non-Latin characters from Latin ones. Instead, homographs, such as sémrush, sêmrush, sèmrûsh, or šemrush, were considered to be identical to semrush.
Thus, attackers could register a domain like oauth.šemrush.com (or oauth.xn--emrush-9jb.com) and make an OAuth call where the redirect_uri parameter was set to their domain. The system accepted this just fine and the redirect took the user to the attackers’ domain (oauth.šemrush.com), not the vendor one (oauth.semrush.com).
Be careful when you implement OAuth2: use well-established and trusted solutions, and make sure that your validation for strings is strict.
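To make the failure concrete, here is an added example (not SEMrush's code, and not Aboukir's report) that puts a diacritic-folding host comparison of the kind that causes this bug next to a strict redirect_uri check: exact match against a registered allow-list, after refusing any hostname that is not plain ASCII. The registered URI and the lookalike hostnames are constructed for illustration.

```python
"""Strict redirect_uri validation for an OAuth2 authorization server.

Added example for this newsletter item; the registered URI and the
lookalike hosts are constructed, not taken from any real deployment.
"""
import unicodedata
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allow-list: the exact redirect URIs the client registered.
REGISTERED_REDIRECT_URIS = {
    "https://oauth.semrush.com/callback",
}


def naive_host_matches(host: str, expected: str) -> bool:
    """The kind of 'helpful' comparison that produces the bug: strip diacritics
    before comparing, so šemrush, sémrush and semrush all look equal.
    (Constructed illustration of the flaw, not SEMrush's actual code.)"""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return folded == expected


def is_ascii_hostname(host: str) -> bool:
    """True only if every label is plain LDH ASCII (letters, digits, hyphen)."""
    if not host:
        return False
    for label in host.split("."):
        if not label or label.startswith("-") or label.endswith("-"):
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True


def validate_redirect_uri(redirect_uri: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only an exact allow-list match is accepted."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname or ""
    # Refuse anything that is not plain ASCII. This stops raw IDN homographs
    # such as oauth.šemrush.com before any comparison or normalisation runs.
    if not is_ascii_hostname(host):
        return False, "non-ASCII host"
    if parts.fragment:
        return False, "fragment not allowed"
    # Exact string comparison against the allow-list: no prefix or suffix
    # matching, no case folding, no stripping of accents. A punycode form
    # such as oauth.xn--emrush-9jb.com simply is not registered.
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        return False, "not registered"
    return True, "ok"


if __name__ == "__main__":
    for uri in (
        "https://oauth.semrush.com/callback",
        "https://oauth.šemrush.com/callback",
        "https://oauth.xn--emrush-9jb.com/callback",
    ):
        print(uri, "->", validate_redirect_uri(uri))
    print("naive fold accepts šemrush:", naive_host_matches("oauth.šemrush.com", "oauth.semrush.com"))
```

Exact matching of the whole redirect URI against what the client registered is what the OAuth 2.0 security guidance asks for; the ASCII check in front of it is defence in depth so that no later "friendly" normalisation can reintroduce the homograph problem.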
Tooling: Common JWT mistakes and the Semgrep tool
JSON Web Token (JWT) security has been a recurring theme in this newsletter. For example, see the JWT security videos in issue 72, or check out the JWT toolkit in issue 88. Not to abandon a good theme, this week we have a recent summary of the recurring issues with JWT.
Vasilii Ermilov from R2C has analyzed 2,000 node package manager (npm) modules for different JWT security implementation flaws. The following is the list he compiled on the JWT mistakes that cropped up most often:
- Hardcoded secrets
- Allowing the none algorithm for signing
- Incorrectly verified tokens (or no verification at all)
- Sensitive data exposure
Ermilov provides code examples for each of these mistakes, as well as rules to catch these issues with his company’s tool, Semgrep.
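As an added illustration of the first three items on that list (this is not Ermilov's code and not a Semgrep rule), the following standard-library HS256 implementation shows the unsafe "decode without verifying" path beside a verifier that pins the algorithm, so an unsigned alg: none token is refused, and that takes the secret as a parameter rather than a literal in the source. The secret and claims in the usage section are constructed.

```python
"""HS256 JWT issue/verify with the common mistakes called out in comments.

Added example for this newsletter item; standard library only, no jsonwebtoken
or PyJWT. Secret and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: Dict[str, Any]) -> str:
    # Deterministic JSON so the same claims always give the same segment.
    return _b64url_encode(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def sign_hs256(claims: Dict[str, Any], secret: bytes) -> str:
    """Issue a token. The secret arrives as a parameter (loaded from a secret
    store or environment by the caller), never as a literal in the code:
    that is mistake 1, hardcoded secrets."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_alg_none(claims: Dict[str, Any]) -> str:
    """Build the unsigned 'alg: none' token that a correct verifier must refuse.
    Used here only as a negative test case for verify_hs256."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def decode_unverified(token: str) -> Dict[str, Any]:
    """Mistake 3: reading claims without checking the signature. Whatever the
    payload says, including a forged admin flag, is taken as true."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, secret: bytes) -> Dict[str, Any]:
    """Correct verification: allow-list the algorithm (mistake 2: accepting
    'none'), recompute the MAC, compare in constant time, and only then
    return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier decides the algorithm; the token does not get a vote.
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    secret = b"constructed-secret-for-demo-only"   # constructed; load from a secret store in real code
    good = sign_hs256({"sub": "alice", "admin": False}, secret)
    print("verified claims:", verify_hs256(good, secret))
    forged = forge_alg_none({"sub": "alice", "admin": True})
    print("unverified decode trusts forged admin flag:", decode_unverified(forged)["admin"])
    try:
        verify_hs256(forged, secret)
    except ValueError as err:
        print("verifier refused forged token:", err)
```

The fourth mistake on the list, sensitive data in the payload, is not something a verifier can fix: JWT payloads are only base64url-encoded, so anything placed in the claims is readable by whoever holds the token.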
Cheat sheet: Preventing regex DoS
Regular expressions (regex) are a common way to define string parameter patterns for API inputs. However, the regex language is extremely flexible, and can easily be abused to create expressions that require enormous amounts of memory and compute power to evaluate. Such attacks are known as Regular Expression Denial of Service (ReDoS).
James Davis has put together a cheat sheet for ReDoS attacks and how to mitigate them. A good resource to check out!
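To show what the cheat sheet is protecting against, here is an added example (not taken from Davis's material) with a classic backtracking-prone pattern for "whitespace-separated words" beside an unambiguous rewrite, a length cap applied before any regex runs, and a timer that makes the exponential cost visible on a constructed input. The patterns and the input string are constructed for this illustration; the hardened pattern is deliberately stricter than the original (no empty string, no trailing space), which is the usual outcome of removing the ambiguity.

```python
"""ReDoS: a vulnerable pattern beside its hardened rewrite, plus a length cap.

Added example for this newsletter item; patterns and inputs are constructed.
"""
import re
import time

# Defence in depth: refuse oversized input before any regex is evaluated.
MAX_INPUT_LEN = 256

# Vulnerable: \w+ and the optional \s let the same run of letters be split
# into groups in exponentially many ways, and every split is retried once
# the trailing $ fails to match.
VULNERABLE_WORDS = re.compile(r"^(\w+\s?)*$")

# Hardened: words are joined by exactly one mandatory whitespace character, so
# each input character can be consumed in only one way and matching is linear.
HARDENED_WORDS = re.compile(r"^\w+(\s\w+)*$")


def matches(pattern: re.Pattern, text: str) -> bool:
    """Validate an API string parameter: length cap first, then the regex."""
    if len(text) > MAX_INPUT_LEN:
        return False
    return pattern.match(text) is not None


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent evaluating the pattern once (no length cap, to expose the cost)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def evil_input(n: int) -> str:
    """n letters followed by a character neither pattern can accept; each extra
    letter roughly doubles the vulnerable pattern's work."""
    return "a" * n + "!"


if __name__ == "__main__":
    print("valid input:", matches(VULNERABLE_WORDS, "hello world"), matches(HARDENED_WORDS, "hello world"))
    for n in (14, 16, 18):
        s = evil_input(n)
        print(f"n={n}: vulnerable={time_match(VULNERABLE_WORDS, s):.4f}s "
              f"hardened={time_match(HARDENED_WORDS, s):.6f}s")
```

Keep n small when you run this; the point is the growth rate, not the absolute time. Bounded quantifiers ({1,64} instead of +), anchored patterns without overlapping alternatives, and an input-length check in front of the regex are the practical mitigations, and a regex engine with linear-time guarantees (RE2-style) removes the problem class entirely where it is available.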
Training: OAuth2 and OpenID Connect
OAuth2 and OpenID Connect (OIDC) continue to be misunderstood and misimplemented, which leads to API vulnerabilities.
Philippe De Ryck has made his course “Introduction to OAuth 2.0 and OpenID Connect” available online for free (registration required).
The curriculum of the course includes:
- OAuth2.0 and OIDC concepts
- Using OAuth 2.0 with backend web clients
- Introduction to OIDC
- Mobile and native clients
- Frontend web clients
- Additional flows