Let
- A be a web application available at URL L, running in host H, with IP-aadress I and server certificate C that uses WebAuthn for authenticating users,
- U be a user, who wants to login to A,
- T be a powerful attacker, who controls responses to user U DNS requests, has a valid certificate that is trusted by user U's browser for host H and has set up a fake replica AF of the web application at IP-address IF with server certificate CF, who wants to launch a man-in-the-middle attack to access A with the rights of user U.
Then origin validation is not a sufficient countermeasure against the man-in-the-middle attack.
This can be proven with the following attack scenario:
- User U opens URL L with hostname H in the browser to access web application A.
- User U's browser sends a DNS request to resolve the IP-address of H.
- Attacker T controls responses to user's DNS requests and resolves hostname H to the IP-address of the fake server IF.
- User U's browser sends a HTTPS request to IP-aadress IF and performs the TLS handshake.
- The fake server at IP-aadress IF returns a valid, trusted certificate CF for hostname H during the handshake.
- User U's browser displays the fake web application AF content from IP-aadress IF that impersonates the legitimate web application A.
- User U initiates login, the browser sends the login request to the fake web application AF controlled by attacker T.
- Attacker T forwards the login request to the legitimate web application A. A returns a response that contains the challenge. Attacker T returns the response with the challenge to the user's browser.
- User U's browser and user U perform the WebAuthn authentication procedure to obtain the WebAuthn response with
clientDataJSON
andattestationObject
. Note that theorigin
field will contain the legitimate hostname H inclientDataJSON
. - User's browser returns the WebAuthn response to the fake web application AF.
- Attacker T forwards the WebAuthn response to the legitimate web application A.
- Web application A verifies the WebAuthn response. As the challenge is correct and the
origin
field contains the legitimate hostname H, web application A considers the response valid and returns authenticated session token (session cookie, JWT etc) for user U. - Thus attacker T has successfully gained access to web application A with the rights of user U. ■
Use of Token Binding would protect the authentication flow against the man-in-the-middle attack. However, Token Binding is not widely supported by browsers, Chrome is deprecating it and proxy usage is problematic; the server application can see if token binding is missing but it is not obvious if that is malicious or a proxy has stripped it off. That's the reason why Token Binding is optional in WebAuthn and therefore Token Binding does not mitigate this attack.