Skip to content

Latest commit

 

History

History
173 lines (136 loc) · 11.1 KB

mitigations.md

File metadata and controls

173 lines (136 loc) · 11.1 KB

Mitigation Strategies Analysis for duendesoftware/products

Mitigation Strategy: Strict Client Configuration and Least Privilege (Duende IdentityServer)

  • Description (Step-by-Step):

    1. Define Scopes (IdentityServer): Within the IdentityServer configuration (typically in Config.cs or similar), create specific, granular scopes that represent the smallest unit of access needed by clients. Avoid broad scopes. Example: orders.read, orders.create, instead of just orders.
    2. Client Registration (IdentityServer): When registering clients in IdentityServer (again, usually in Config.cs or through the admin UI):
      • AllowedScopes: Assign only the precisely defined, granular scopes to each client.
      • RedirectUris: Specify the exact, full redirect URIs (including protocol and port) that the client is allowed to use. No wildcards or patterns unless absolutely necessary and with extreme caution.
      • PostLogoutRedirectUris: Specify the exact, full post-logout redirect URIs.
      • ClientSecrets: Generate and securely store strong client secrets (using a secret management solution, not in the IdentityServer configuration files).
      • ClientAuthenticationMethod: Choose an appropriate method (e.g., client_secret_post, private_key_jwt) based on the client type.
    3. Regular Review (IdentityServer Admin UI/Config): Regularly (e.g., every 3-6 months) review all client configurations within IdentityServer. Ensure scopes, redirect URIs, and other settings are still appropriate. Remove unused clients.

  • Threats Mitigated:

    • Unauthorized Access (High Severity): Prevents clients from accessing resources they shouldn't.
    • Open Redirect (Medium Severity): Strict RedirectUris prevent misuse of the authorization endpoint.
    • Token Leakage (High Severity): Limited scopes reduce the impact of a leaked token.
    • Privilege Escalation (High Severity): Clients are restricted to their defined permissions.

  • Impact:

    • Unauthorized Access: Risk significantly reduced.
    • Open Redirect: Risk virtually eliminated.
    • Token Leakage: Impact minimized.
    • Privilege Escalation: Risk significantly reduced.

  • Currently Implemented:

    • Basic client registration is implemented in Startup.cs (using AddInMemoryClients). Scopes are defined, but need review for granularity. Redirect URIs are specified, but need checking for exact matching.

  • Missing Implementation:

    • Formalized regular review process.
    • Scope granularity needs improvement.

Mitigation Strategy: Secure Token Handling and Management (Duende IdentityServer)

  • Description (Step-by-Step):

    1. AccessTokenLifetime (IdentityServer Client Config): Set short lifetimes for access tokens (e.g., 5-15 minutes) in the client configuration within IdentityServer.
    2. Refresh Token Rotation (IdentityServer Client Config):
      • Set RefreshTokenUsage to ReUse or OneTimeOnly. OneTimeOnly is generally recommended for better security.
      • Set RefreshTokenExpiration to Sliding or Absolute.
    3. HTTPS Enforcement (IdentityServer Configuration & Deployment):
      • Configure IdentityServer to require HTTPS. This is typically done in Startup.cs and through deployment settings (e.g., IIS, Kestrel configuration).
    4. Token Binding (DPoP - IdentityServer and Client): If supported by both the client and your IdentityServer configuration, implement Demonstrating Proof-of-Possession (DPoP). This requires configuration on both the IdentityServer and client sides.

  • Threats Mitigated:

    • Token Replay (High Severity): Short lifetimes and rotation limit replay windows.
    • Token Interception (High Severity): HTTPS prevents interception.
    • Session Hijacking (High Severity): Refresh token rotation mitigates impact.

  • Impact:

    • Token Replay: Risk significantly reduced.
    • Token Interception: Risk virtually eliminated.
    • Session Hijacking: Risk reduced.

  • Currently Implemented:

    • HTTPS is enforced in the production environment.
    • AccessTokenLifetime is set, but may be too long (currently 1 hour).

  • Missing Implementation:

    • Refresh token rotation (RefreshTokenUsage, RefreshTokenExpiration) is not enabled.
    • DPoP is not implemented.

Mitigation Strategy: Correct OpenID Connect / OAuth 2.0 Flow Configuration (Duende IdentityServer)

  • Description (Step-by-Step):

    1. AllowedGrantTypes (IdentityServer Client Config):
      • For confidential clients, set AllowedGrantTypes to GrantTypes.Code.
      • For public clients, set AllowedGrantTypes to GrantTypes.Code. Do not use GrantTypes.Implicit.
    2. PKCE (IdentityServer & Client):
      • Ensure RequirePkce is set to true in the client configuration within IdentityServer. This enforces PKCE.
      • The client application must implement the PKCE flow correctly (generating code_verifier and code_challenge).
    3. RequireConsent (IdentityServer Client Config): Consider whether to require user consent (RequireConsent = true). This is a UX decision, but also has security implications (users are explicitly informed about permissions).
    4. Avoid Custom Grant Types: Do not create custom grant types unless absolutely necessary and with a thorough understanding of security.

  • Threats Mitigated:

    • Authorization Code Interception (High Severity): PKCE prevents this.
    • Protocol Confusion (High Severity): Using the correct flow prevents vulnerabilities.

  • Impact:

    • Authorization Code Interception: Risk virtually eliminated with PKCE.
    • Protocol Confusion: Risk significantly reduced.

  • Currently Implemented:

    • AllowedGrantTypes is set to GrantTypes.Code for most clients.

  • Missing Implementation:

    • RequirePkce is not consistently set to true for all clients.
    • One client is incorrectly using the implicit flow (needs migration).

Mitigation Strategy: Robust User Management Configuration (Duende IdentityServer)

  • Description (Step-by-Step):

    1. Password Policies (IdentityServer Configuration): Configure IdentityServer's password policies (usually within the AddIdentity configuration in Startup.cs):
      • RequireDigit, RequireLowercase, RequireUppercase, RequireNonAlphanumeric, RequiredLength.
      • Consider using password history and expiration (if using IdentityServer's user management).
    2. Multi-Factor Authentication (MFA) (IdentityServer Configuration):
      • Enable MFA support in IdentityServer.
      • Configure supported MFA methods (e.g., TOTP).
      • Enforce MFA through policies (e.g., requiring MFA for certain clients or users).
    3. Account Lockout (IdentityServer Configuration): Configure account lockout settings (usually within the AddIdentity configuration):
      • MaxFailedAccessAttempts, DefaultLockoutTimeSpan.

  • Threats Mitigated:

    • Brute-Force Attacks (High Severity): Account lockout prevents this.
    • Credential Stuffing (High Severity): Strong passwords and MFA mitigate this.
    • Account Takeover (High Severity): MFA significantly reduces risk.

  • Impact:

    • Brute-Force Attacks: Risk significantly reduced.
    • Credential Stuffing: Risk reduced.
    • Account Takeover: Risk significantly reduced.

  • Currently Implemented:

    • Basic password policies are in place (minimum length).
    • Account lockout is configured.

  • Missing Implementation:

    • MFA is not enabled.
    • Full password complexity requirements are not enforced.

Mitigation Strategy: Secure Session Management (Duende.BFF)

  • Description (Step-by-Step):

    1. Cookie Configuration (Duende.BFF):
      • Ensure that the BFF's session cookie configuration sets Secure to true.
      • Ensure HttpOnly is set to true.
      • Explicitly set the SameSite attribute to Strict or Lax (in the BFF configuration).
    2. Session Timeout (Duende.BFF): Configure appropriate session timeouts in the BFF configuration.
    3. Sliding Sessions (Duende.BFF - if used): If using sliding sessions, ensure a maximum session lifetime is enforced in the BFF configuration.
    4. Logout (Duende.BFF and IdentityServer): Ensure that the BFF's logout endpoint properly clears the BFF session and redirects the user to IdentityServer's logout endpoint (/connect/endsession) to terminate the global session.

  • Threats Mitigated:

    • Session Hijacking (High Severity): Secure cookies prevent this.
    • Cross-Site Request Forgery (CSRF) (Medium Severity): SameSite attribute mitigates CSRF.
    • Session Fixation (High Severity): Proper session management prevents this.

  • Impact:

    • Session Hijacking: Risk significantly reduced.
    • CSRF: Risk significantly reduced.
    • Session Fixation: Risk significantly reduced.

  • Currently Implemented:

    • Duende.BFF is used.
    • Secure and HttpOnly are set.

  • Missing Implementation:

    • SameSite is not explicitly configured.
    • Session timeout needs review.
    • Logout needs thorough testing (including IdentityServer interaction).

Mitigation Strategy: Comprehensive Logging (Duende IdentityServer)

  • Description (Step-by-Step):

    1. Enable Detailed Logging (IdentityServer Configuration): Configure IdentityServer to log detailed information about security-relevant events. This is typically done by configuring the logging level for the IdentityServer4 or Duende.IdentityServer namespaces (e.g., in appsettings.json or through code). Log:
      • Successful and failed login attempts.
      • Token issuance and validation.
      • Errors and exceptions.
      • Administrative actions.
    2. Audit Trails (Duende IdentityServer): Ensure that Duende IdentityServer is configured to log all administrative actions with sufficient detail.

  • Threats Mitigated:

    • All Threats (Indirectly): Logging is crucial for detection and response.

  • Impact:

    • All Threats: Improves detection and response capabilities.

  • Currently Implemented:

    • Basic logging is enabled.

  • Missing Implementation:

    • Detailed logging of all security-relevant events needs to be verified and potentially enhanced.
    • Audit trail configuration needs review.