Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/please-openit/token-leak-extension
Chrome extension to analyse oauth2 authentication process
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/please-openit/token-leak-extension
- Owner: please-openit
- License: gpl-3.0
- Created: 2020-02-16T11:06:47.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2020-02-28T14:00:22.000Z (almost 5 years ago)
- Last Synced: 2024-08-01T13:28:47.643Z (4 months ago)
- Language: JavaScript
- Homepage: https://please-open.it
- Size: 130 KB
- Stars: 17
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-ccamel - please-openit/token-leak-extension - Chrome extension to analyse oauth2 authentication process (JavaScript)
README
# Please-open.it token leak extension
**TL;DR** This is a Chrome extension that checks the OAuth2/OpenID Connect authentication process on any website. Just install it, log in and check for alerts and recommendations.
## How to test
Our authentication app [https://auth.please-open.it](https://auth.please-open.it), which we use for portals and doors.
[https://www.oauth.com/playground/](https://www.oauth.com/playground/), a great tool with all flows implemented, step by step and in great detail.
# Company
[Please-open.it](https://please-open.it) is a French company specialized in authentication.
We deal with OAuth2, especially with [Keycloak](https://www.keycloak.org). We have an offer based on "Keycloak as a service": get your own realm on our infrastructure.
We also built an authorization platform. It works with all common OAuth2 providers (Google, Facebook, Twitter, Microsoft, ...) and adds:
- user filtering based on email, Google Suite organization, group membership on Facebook or any filtering on a user property
- time-based authorizations
- calendar restrictions

It works perfectly for doors, gates or any access control device with standard industrial hardware.
## Intro
Several months ago, we discovered a data leak on Pole emploi's website: [2 failles de sécurité chez pole emploi - French](https://www.mathieupassenaud.fr/faille-pole-emploi/).
It shows several global problems:
- lack of knowledge about authentication and the OAuth2 or OpenID Connect standards (use of the implicit flow)
- web analytics integrated without any control: [Web analytics are the worst auth enemy](https://www.mathieupassenaud.fr/webanalytics_enemy/)

For internal use, we have a small tool for authentication process analysis. This tool was based on [Apache JMeter](http://jmeter.apache.org/) with proxy recording.
We rebuilt this tool directly in Chrome as an extension. The extension inspects only the requests issued by a web page and matches them against known patterns we already had. Then a small output in an HTML popup shows potential problems.
In order to make your authentication more secure, this tool is now free and open source.
## Status of the project
It is a big draft for now: a stack of rules hardcoded in JavaScript. It displays information about suspicious requests or misuse of tokens.
Contributions are welcome.
## Installation
Today, the extension is not published on the Chrome Web Store: Google does a manual review of it because of the permissions it requests.
- Clone or download this repo.
- Go to [chrome://extensions](chrome://extensions) and turn on "Developer mode".
- Click on "Load unpacked".
- Select the location where you cloned this repo. See [https://webkul.com/blog/how-to-install-the-unpacked-extension-in-chrome/](https://webkul.com/blog/how-to-install-the-unpacked-extension-in-chrome/) for a step-by-step guide.

The extension is now installed: you will see a yellow lock near the address bar.
## How to use
Go to the authentication page of your website. The extension is always listening.
![capture](https://github.com/please-openit/token-leak-extension/blob/master/images/capture.png)
It directly shows the authentication steps, each with a message, a level and details.
- Green: an info about a good practice
- Gray: manual verification is required, for example a check on the HTTP headers
- Yellow: a misuse
- Red: a bad usage
- Red with a big border: a fix is required ASAP

A "details" link reveals the context: initiator, HTTP method and called URL.
The "More ..." link gives you some recommendations from this repo.
Do not forget to clean all results between two tests.
Remember, it is a draft. Some cases are not well covered. For example, when an authorization_code is exchanged for an access_token by a backend (not with a direct call from the browser to the authentication server), which is the recommended way to do it, this exchange is sometimes not detected.
All information from this app needs manual verification.
## Recommendations
All recommendations are based on [Internet Engineering Task Force](https://ietf.org) and [OAuth2](https://oauth.net/2/) standards. They are not obligations, and there are many ways to interpret them.
The recommendations we write for this public tool are general; check your frameworks, languages and usages to know how to implement the standard in the most secure way.
## Contribution
All contributions are welcome. Check the wiki pages for recommendations.
The background.js file is the analysis tool: a stack of "if" statements with string comparisons.
Local storage is needed to keep an environment between requests. chrome.storage.local is the way we found to communicate results to the popup HTML file.
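As an added illustration of the rule-stack approach described above and of the levels listed under "How to use" (example code written for this page, not the extension's own background.js; the rules, the trusted-host list and the sample traffic are assumptions):

```javascript
// Added example (not the extension's own code): a miniature rule stack in the
// spirit of background.js. Rules and the trusted-host list are assumed for
// illustration; levels mirror the popup colours (green .. red with border).
const LEVELS = { green: 0, gray: 1, yellow: 2, red: 3, redBorder: 4 };

// Does the query string or the fragment of this URL carry a token?
function tokenInUrl(u) {
  const frag = new URLSearchParams(u.hash.replace(/^#/, ""));
  return ["access_token", "id_token"].some((p) => u.searchParams.has(p) || frag.has(p));
}

// Each rule sees one captured request {method, initiator, url, body} plus its
// parsed URL, and returns a finding or null.
const RULES = [
  (r, u) => /(^|\s)token(\s|$)/.test(u.searchParams.get("response_type") || "")
    ? { level: "red", message: "Implicit flow (response_type=token); use authorization_code with PKCE" } : null,
  (r, u) => u.searchParams.has("code_challenge")
    ? { level: "green", message: "PKCE code_challenge present on the authorization request" } : null,
  (r, u, trusted) => tokenInUrl(u) && !trusted.includes(u.host)
    ? { level: "redBorder", message: `Token sent in a URL to third party ${u.host}` } : null,
  (r, u, trusted) => tokenInUrl(u) && trusted.includes(u.host)
    ? { level: "red", message: "Token carried in a URL (query or fragment); URLs end up in logs and history" } : null,
  (r) => r.method === "POST" && /(^|&)grant_type=authorization_code(&|$)/.test(r.body || "")
    ? { level: "gray", message: "Code exchanged by the browser; check whether a backend should do it instead" } : null,
];

// Run every rule over every request and return what the popup would list,
// most severe first, with the "details" context (initiator, method, URL).
function analyse(requests, trustedHosts) {
  const findings = [];
  for (const r of requests) {
    const u = new URL(r.url);
    for (const rule of RULES) {
      const f = rule(r, u, trustedHosts);
      if (f) findings.push({ ...f, initiator: r.initiator, method: r.method, url: r.url });
    }
  }
  return findings.sort((a, b) => LEVELS[b.level] - LEVELS[a.level]);
}

// Constructed sample traffic (not captured from any real site).
const SAMPLE = [
  { method: "GET", initiator: "https://app.example", url: "https://auth.example/authorize?response_type=token&client_id=spa&redirect_uri=https://app.example/cb" },
  { method: "GET", initiator: "https://app.example", url: "https://app.example/cb#access_token=abc&token_type=bearer" },
  { method: "GET", initiator: "https://app.example", url: "https://analytics.example/collect?dl=https://app.example/cb#access_token=abc" },
  { method: "POST", initiator: "https://app.example", url: "https://auth.example/token", body: "grant_type=authorization_code&code=c" },
];
const TRUSTED = ["auth.example", "app.example"];
```

Running `analyse(SAMPLE, TRUSTED)` yields four findings: the analytics request carrying the fragment token ranks first (red with border), followed by the implicit-flow and fragment-token findings (red) and the browser-side code exchange (gray, manual check).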