Skip to content

Latest commit

 

History

History
130 lines (109 loc) · 10.1 KB

threat-modeling.md

File metadata and controls

130 lines (109 loc) · 10.1 KB

Threat Model Analysis for ory/hydra

Threat: Weak System Secret

  • Threat: Weak System Secret
    • Description: An attacker gains access to the system secret (used for encrypting data at rest, like refresh tokens) either through weak generation, exposure in logs, configuration files, or environment variables. The attacker can then decrypt sensitive data stored by Hydra.
    • Impact: Complete compromise of all data encrypted by Hydra, including refresh tokens, enabling long-term unauthorized access.
    • Affected Component: Hydra's core data storage and encryption mechanisms (primarily related to the database and configuration).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Use a cryptographically secure random number generator to create the system secret.
      • Store the secret in a dedicated secrets management solution (e.g., HashiCorp Vault, AWS Secrets Manager).
      • Never commit the secret to source control.
      • Avoid logging the secret.
      • Regularly rotate the system secret.

Threat: Exposed Admin API

  • Threat: Exposed Admin API
    • Description: An attacker gains unauthorized access to Hydra's administrative API due to lack of authentication or weak authorization. The attacker can then create malicious clients, modify policies, revoke tokens, and generally control the Hydra instance.
    • Impact: Complete control over the Hydra instance, allowing for arbitrary client creation, policy manipulation, and denial of service.
    • Affected Component: Hydra's /clients, /policies, /keys, and other administrative endpoints.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Require strong authentication for all access to the admin API (e.g., mutual TLS, strong API keys, OAuth 2.0 with specific admin scopes).
      • Implement strict authorization checks to limit access based on roles and permissions.
      • Use network segmentation to restrict access to the admin API to trusted networks/IPs.
      • Monitor admin API access logs for suspicious activity.

Threat: Insecure Transport (HTTP)

  • Threat: Insecure Transport (HTTP)
    • Description: An attacker intercepts communication between clients, resource servers, and Hydra because it's occurring over unencrypted HTTP. The attacker can capture authorization codes, tokens, and potentially user credentials.
    • Impact: Man-in-the-middle attacks, leading to token theft, session hijacking, and credential compromise.
    • Affected Component: All Hydra endpoints involved in communication (e.g., /oauth2/auth, /oauth2/token, /oauth2/introspect, /userinfo).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Enforce HTTPS for all communication with Hydra.
      • Use strong TLS configurations (TLS 1.3, strong ciphers).
      • Obtain and properly configure valid TLS certificates.
      • Implement HSTS (HTTP Strict Transport Security).

Threat: Permissive CORS Configuration

  • Threat: Permissive CORS Configuration
    • Description: An attacker exploits a misconfigured CORS policy (e.g., allowing * origin) to make cross-origin requests to Hydra from a malicious website. This can lead to CSRF-like attacks against authenticated users.
    • Impact: Unauthorized actions performed on behalf of users, potentially leading to data modification or unauthorized access.
    • Affected Component: Hydra's HTTP server and CORS middleware.
    • Risk Severity: High
    • Mitigation Strategies:
      • Configure CORS to allow only specific, trusted origins.
      • Avoid using wildcard origins (*).
      • Regularly review and update the CORS configuration.

Threat: Unpatched Hydra Version

  • Threat: Unpatched Hydra Version
    • Description: An attacker exploits a known vulnerability in an outdated version of Hydra. The specific attack depends on the vulnerability, but could range from denial of service to remote code execution.
    • Impact: Varies depending on the vulnerability, but can range from denial of service to complete system compromise.
    • Affected Component: Potentially any part of Hydra, depending on the vulnerability.
    • Risk Severity: High (potentially Critical, depending on the vulnerability)
    • Mitigation Strategies:
      • Regularly update Hydra to the latest stable version.
      • Monitor Hydra's security advisories and mailing lists.
      • Implement a process for rapid deployment of security patches.

Threat: Client Secret Compromise (Impacting Hydra's Authentication)

  • Threat: Client Secret Compromise (Impacting Hydra's Authentication)
    • Description: An attacker obtains a client secret and uses it to directly authenticate with Hydra's /oauth2/token endpoint (using the client credentials grant), bypassing intended user authorization flows.
    • Impact: Unauthorized access to resources, impersonation of the compromised client, potential for privilege escalation if the client has broad permissions.
    • Affected Component: Hydra's /oauth2/token endpoint (specifically when handling the client_credentials grant type).
    • Risk Severity: High
    • Mitigation Strategies:
      • Protect client secrets with extreme care.
      • Use short-lived client secrets and rotate them frequently.
      • Consider using client authentication methods that don't rely on shared secrets (JWT assertion-based client authentication or mutual TLS).
      • Monitor Hydra's logs for unusual client credential grant requests.

Threat: Authorization Code Injection (Impacting Hydra's Token Endpoint)

  • Threat: Authorization Code Injection (Impacting Hydra's Token Endpoint)
    • Description: An attacker injects a forged or stolen authorization code into a request to Hydra's /oauth2/token endpoint. While the client should prevent this, a vulnerability in Hydra could allow the attacker to bypass client-side checks.
    • Impact: Unauthorized access to resources, token theft.
    • Affected Component: Hydra's /oauth2/token endpoint (when handling the authorization_code grant type).
    • Risk Severity: High
    • Mitigation Strategies:
      • Hydra must strictly validate the authorization code against its internal state, including checking for replay, expiry, and association with the correct client and redirect URI.
      • Hydra should implement robust checks to prevent code injection vulnerabilities.
      • Use of PKCE by clients is strongly recommended, as it makes this attack significantly harder.

Threat: Refresh Token Theft and Replay (Directly Abusing Hydra)

  • Threat: Refresh Token Theft and Replay (Directly Abusing Hydra)
    • Description: An attacker steals a refresh token and uses it repeatedly to obtain new access tokens from Hydra's /oauth2/token endpoint, maintaining unauthorized access.
    • Impact: Long-term unauthorized access to resources.
    • Affected Component: Hydra's /oauth2/token endpoint (when handling the refresh_token grant type).
    • Risk Severity: High
    • Mitigation Strategies:
      • Enforce refresh token rotation in Hydra's configuration. This is the primary defense. Each time a refresh token is used, Hydra should issue a new refresh token and invalidate the old one.
      • Limit the lifetime of refresh tokens.
      • Implement mechanisms within Hydra to detect and revoke compromised refresh tokens (e.g., based on unusual activity patterns, IP address changes, etc.).
      • Consider binding refresh tokens to specific clients and devices (though this is primarily a client-side concern).

Threat: Policy Bypass (Within Hydra)

  • Threat: Policy Bypass (Within Hydra)
    • Description: An attacker exploits a vulnerability in Hydra's policy engine or a misconfiguration in the policies themselves to gain access to resources they shouldn't have access to, directly bypassing Hydra's intended authorization checks.
    • Impact: Unauthorized access to resources.
    • Affected Component: Hydra's policy engine and the configured policies.
    • Risk Severity: High
    • Mitigation Strategies:
      • Carefully design and implement access control policies using the principle of least privilege.
      • Regularly review and audit policies to ensure they are correctly configured and enforced within Hydra.
      • Thoroughly test policies to identify any potential bypasses or vulnerabilities within Hydra's policy evaluation logic.
      • Use a well-defined policy language and avoid overly complex or ambiguous policies.

Threat: Denial of Service (DoS) against Hydra

  • Threat: Denial of Service (DoS) against Hydra
    • Description: An attacker floods Hydra's endpoints (e.g., /oauth2/auth, /oauth2/token, /oauth2/introspect) with a large number of requests, making the service unavailable to legitimate users.
    • Impact: Denial of service, preventing users from authenticating and accessing resources.
    • Affected Component: All of Hydra's publicly accessible endpoints.
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement robust rate limiting on all Hydra endpoints.
      • Use different rate limits for different endpoints and clients based on their expected usage.
      • Monitor Hydra's performance and adjust rate limits as needed.
      • Consider using a Web Application Firewall (WAF) or other DDoS mitigation techniques.