Consider URL homograph attack when linking Group SAML
Problem
Linking Group SAML enables an external service to sign users in. To reduce the risk a user is tricked into linking accounts we will present the URL of the external service as well as the group path/name.
An attacker could trick a user by using homoglyphs to show a URL that only looks safe.
Ideas
- We could encode the URL we present to users in the warning dialog using IDNA mapped punycode. For example
https://𝕘itⅼαƄ.ᴄοm/adfs/lswould becomehttps://xn--gitl-ocb944a.xn--m-rmb025q/adfs/ls. - Only allow ascii domains to start with
| Unsanitzed | IDNA mapped punycode |
|---|---|
 |
 |
Related
Reading
- http://unicode.org/faq/idn.html#20
- http://www.unicode.org/reports/tr46/#Compatibility_Processing
- http://www.unicode.org/reports/tr39/#Restriction_Level_Detection
- https://unicode.org/Public/idna/latest/IdnaMappingTable.txt
- https://www.plesk.com/blog/product-technology/what-is-the-problem-with-s/
Tools
- https://cryptii.com/pipes/unicode-lookup
- https://www.punycoder.com/
- https://github.com/codebox/homoglyph/blob/master/raw_data/chars.txt
Libraries
- https://savannah.gnu.org/projects/libidn/
- https://gitlab.com/libidn/libidn2/
- https://github.com/deepfryed/idn-ruby
Background
I continued a discussion from https://gitlab.com/gitlab-org/gitlab-ee/issues/8260#note_121825769 on slack to avoid suggesting a possible attack publicly
Does that mean we don't have to worry about this kind of attack?
I think we're fine if the certificate is invalid, but not if the user is tricked into visiting the wrong group/url.
Another thing to consider is homoglyph attacks where the URL looks the same but is actually a different domain. Definitely will need security review
@cperessini replied:
but not if the user is tricked into visiting the wrong group
We’re currently showing the group name and ID, which should help users confirm they’re on the right login page, right? Do we show the full path to the group in the case of subgroups?
Homoglyphs are a tough one, do you know of any strategies to combat them?
@jamedjo replied:
We’re currently showing the group name and ID, which should help users confirm they’re on the right login page, right?
The name doesn't help as it can be set to another group's name, but the path/ID does help. Including URL is better in case they've set up a group to trick people with, using a path similar to the company name or a service like
in the case of subgroups?
We don't allow this for subgroups
do you know of any strategies to combat them?
The browser itself turns non-asci characters into odd looking things that look like
--jq79--instead of printing themdon't have to worry
That I hadn't even thought of homoglyphs until now -> always have to worry with security
😂