Skip to content

Latest commit

 

History

History
122 lines (94 loc) · 6.08 KB

attack-tree.md

File metadata and controls

122 lines (94 loc) · 6.08 KB

Attack Tree Analysis for ory/hydra

Objective: To gain unauthorized access to protected resources or user accounts within the application leveraging ORY Hydra.

Attack Tree Visualization

                                     Gain Unauthorized Access (Root)
                                                  |
          -------------------------------------------------------------------------
          |									|
  1. Compromise Hydra Admin API [CN]					3. Leverage Configuration/Deployment Weaknesses
          |									|
  -------------------------								  ------------------------------------------
  |					|									|					|
1.1 Weak Admin API    1.2  Expose								3.3 Misconfigured
    Credentials [HR]   Admin API [HR]									   Redirect URIs
															  |
															  -------------------
															  |					|
														3.3.1  Wildcard	   3.3.2  Open Redirect
															      Redirect URI [HR][CN]   Vulnerability
          |
          -------------------------
          |
  2. Exploit OAuth 2.0/OIDC Flows in Hydra
          |
  ------------------------------------------
  |
2.1  Token
    Substitution
          |
  -------------------
  |
2.1.1 Steal
      Existing
      Tokens [HR]

Attack Tree Path: 1. Compromise Hydra Admin API [CN]

  • Description: The Hydra Admin API provides complete control over the Hydra instance. Compromising it grants the attacker full control over the authorization server, allowing them to create clients, modify consents, issue tokens, and revoke access. This is a critical node because it's a single point of failure for the entire authorization system.

Attack Tree Path: 1.1 Weak Admin API Credentials [HR]

  • Description: The attacker gains access to the Admin API by using default, easily guessable, or weak passwords.
  • Likelihood: Medium (High if defaults are used or weak password policies are in place; Low if strong passwords and MFA are used).
  • Impact: High (Complete control over Hydra).
  • Effort: Low (Automated brute-force tools are readily available).
  • Skill Level: Low (Basic scripting knowledge).
  • Detection Difficulty: Medium (Failed login attempts can be logged, but sophisticated attackers might use slow, distributed attacks).
  • Mitigation:
    • Enforce strong, unique passwords.
    • Implement rate limiting and account lockout.
    • Use API keys or mTLS.

Attack Tree Path: 1.2 Expose Admin API [HR]

  • Description: The Admin API is unintentionally exposed to the public internet or untrusted networks, making it accessible to attackers.
  • Likelihood: Low-Medium (Depends on network configuration).
  • Impact: High (Complete control over Hydra).
  • Effort: Low (If exposed, access is trivial).
  • Skill Level: Low (Basic network scanning).
  • Detection Difficulty: Medium-High (Requires network monitoring).
  • Mitigation:
    • Network segmentation (restrict access to trusted networks).
    • Regular security audits of network configurations.

Attack Tree Path: 2. Exploit OAuth 2.0/OIDC Flows in Hydra

Attack Tree Path: 2.1 Token Substitution

Attack Tree Path: 2.1.1 Steal Existing Tokens [HR]

  • Description: The attacker obtains valid access or refresh tokens through various means, such as exploiting XSS vulnerabilities in the client application, compromising databases where tokens are stored, or intercepting network traffic.
  • Likelihood: Medium (Depends on other vulnerabilities).
  • Impact: High (Access to user accounts/resources).
  • Effort: Medium (Requires exploiting other vulnerabilities).
  • Skill Level: Medium-High (Depends on the attack vector).
  • Detection Difficulty: Medium-High (Requires monitoring for unusual token usage).
  • Mitigation:
    • Secure token storage (HTTP-only, secure cookies, encrypted storage).
    • Short-lived access tokens.
    • Token revocation mechanisms.
    • XSS prevention in client applications.

Attack Tree Path: 3. Leverage Configuration/Deployment Weaknesses

Attack Tree Path: 3.3 Misconfigured Redirect URIs

Attack Tree Path: 3.3.1 Wildcard Redirect URI [HR][CN]

  • Description: The allowed redirect URIs for an OAuth 2.0 client are configured with wildcard characters (e.g., *), allowing an attacker to specify any redirect URI. This enables them to redirect the user to a malicious site and steal the authorization code or token. This is a critical node due to its severe impact and ease of exploitation.
  • Likelihood: Low (This is a very bad practice).
  • Impact: High (Allows token theft).
  • Effort: Low (Trivial to exploit).
  • Skill Level: Low (Basic OAuth 2.0 understanding).
  • Detection Difficulty: Low (Easily detectable in configuration audits).
  • Mitigation:
    • Never use wildcard characters in redirect URIs.
    • Specify the exact, full redirect URI.

Attack Tree Path: 3.3.2 Open Redirect Vulnerability

  • Description: Even with a whitelist of redirect URIs, flaws in the validation logic might allow an attacker to bypass the checks and redirect the user to a malicious site.
  • Likelihood: Low-Medium (Depends on validation robustness).
  • Impact: High (Allows token theft).
  • Effort: Medium (Requires finding flaws in validation).
  • Skill Level: Medium (Web application security knowledge).
  • Detection Difficulty: Medium (Requires thorough testing).
  • Mitigation:
    • Strict URI comparison.
    • Use a dedicated URI parsing library.