Keeweb is a web application for working with databases of the Keepass password manager. This integrates it into Nextcloud: simply clicking on a *.kdbx file opens it.

Follow instructions at GitHub - jhass/nextcloud-keeweb: Integrate Keeweb into Nextcloud

Issues? Open an issue on Github (preferred) or just comment here.

Pay attention to the readme for a guide on how to make this work properly!

- Drop Nextcloud 10, and Owncloud/Nextcloud 9 support.
- Load standard mimetypes before registering our own.
- Fix path generation for remote file path when installed to subdirectory.
- Use current server host in pretty filename.
- Use EventDispatcher to hook into files app.
- Use explicit URL and autogenerated version in cache manifest.
- Workaround XML tags being picked up as PHP short tags.
- Fix cleaning open parameter from history.
- Improve URL detection for script injection into the files app.
- Add child-src to CSP (frame-src is deprecated).

Fork the repository on Github and clone your fork. Push the branch and open a pull request.

Error in parsing value for ‘height’.
T15:49:37.605Z Loaded app config from config?file=/alemele/pasrole.kdbx 2059ms keeweb:13:24743
T15:49:47.857Z Storage load error Object keeweb:13:25065
And that’s the url shown by the web browser:
It seems that “owncloud” after domain name is missing in request, it should be: https://my_domain/owncloud/remote.php/webdav/alemele/pasrole

By supporting non-commercial organizations and open-source applications, we want to increase their security. For this reason, we created our pro bono program last September. The pro bono program offers applicants the chance to be selected for a free high-quality penetration test with a total expense of 10 man-days.

As the first candidate, we selected KeeWeb, which is a KeePass-compatible password manager. KeeWeb is available both as a web application and as a cross-platform native application. It allows users to open and sync their password databases stored locally or in a cloud storage. We selected KeeWeb because it was an excellent fit for our pro bono program. First, its security is crucial, given the fact that it processes the user’s password databases. Second, it is a web application written in JavaScript and accesses cloud storage providers using OAuth. We conducted the 10 man-day penetration test between the 16th of March and the 3rd of April 2020.

During the test, we identified a total of 6 weaknesses – three classified as High and three classified as Medium. The identified weaknesses were mostly based on the incorrect use of the OAuth authorization framework and insufficient protection against Cross-Site Scripting (XSS). In the following, we will describe the OAuth weaknesses in detail.

OAuth 2.0 is the de-facto standard for delegated authorization and is supported by almost any cloud storage and API provider, including Google, Microsoft, Dropbox, and Amazon Web Services. However, the OAuth framework consists of several rather complex standards and provides various configurations. Flawlessly implementing authorization with OAuth is challenging and can be error-prone from a security perspective. Luckily, there are well-established OAuth best current practices - a collection of security measures that all applications using OAuth should follow.

The highest-ranking weakness that we identified was KeeWeb’s usage of the OAuth implicit grant, which is a violation of the OAuth best current practices. The implicit grant exposes the access tokens, which are used to access the user’s cloud storage, to the browser’s URL bar and its history. This significantly increases the attack surface of the access token. Today, the avoidance of the implicit grant is strongly recommended in general. Further details on its weaknesses can be found in the drafts “OAuth 2.0 Security Best Current Practice” and “OAuth 2.0 for Browser-Based Applications”, as well as the RFC “OAuth 2.0 for Native Apps”. Instead of the implicit grant, the authorization code grant in conjunction with the Proof Key for Code Exchange (PKCE) extension should be used.

A second example of the identified weaknesses is another violation of the OAuth best current practices. KeeWeb did not protect against so-called “mix-up” attacks. This class summarizes attacks where the application is confused about which OAuth authorization server it should invoke.