Comments (2)
The SQRL spec mitigates this attack by requiring the SQRL client to reply only to the host from which the challenge originated. Origination is determined by the QR code, and is HMAC'd to prevent tampering. Therefore, if your MITM website steals a valid QR code from Site A, when the client reads the QR code, it will see it is for Site A. The client won't respond to your website, it will respond directly to the legitimate website.
Now your attack is correct that it can keep checking the validity of the session, and in theory, perform a session hijack. However, the SQRL protocol specifically states (in the section I link) that for highly sensitive applications, you should require the SQRL authenticating agent to perform each sensitive action, which would bypass any session hijacking MITM attack you mentioned, because the client would only respond to authentic URLs which are provided via the HMAC'd challenge. Also, using standard secure programming practices, any serious account functionality should require re-authentication. So in this case the attack is certainly no worse than a typical man-in-the-middle attack against a password and username; in fact, it is far less serious, even in the worst case, because the attack is a single-session hijack.
In addition to the above, the section I linked to on the SQRL standard also states that you should make the user validate the IP in the client before authenticating it, so an intelligent user should notice the request coming from an IP that you don't recognize. This attack could also be mostly mitigated by storing a never-expiring cookie on the client's machine that the server checks and validates the content of on authentication attempts (after initial registration).
I was a bit harsh in my initial message. The attack may not be fully mitigated, but it is hardly new, nor does it "break" SQRL. SQRL is still far more robust, and far better at defending a user's authentication data than the old password/username paradigm.
from qrljacking.
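The origin-bound, HMAC'd challenge described in the comment above, as an added illustration that is not code from SQRL or from the QRLJacking project: the server binds a nonce to its own origin and authenticates both; the client replies only to the origin embedded in the challenge, not to whichever page displayed the QR code; and the server rejects tampered, misdirected or replayed challenges. The payload layout, `SITE_A`, `SITE_A_SECRET` and all function names are constructed for this example and are not SQRL's real wire format.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed values for this illustration only (not SQRL's real format).
SITE_A = "https://site-a.example"
SITE_A_SECRET = b"constructed-server-secret-for-site-a"


def issue_challenge(origin: str, secret: bytes) -> str:
    """Server: bind a fresh nonce to this server's own origin and HMAC both,
    so a relaying site cannot rewrite the origin shown in the QR code."""
    nonce = secrets.token_hex(16)
    body = f"{origin}|{nonce}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def parse_challenge(payload: str):
    origin, nonce, mac = payload.split("|")
    return origin, nonce, mac


def client_reply_target(payload: str, displaying_page: str):
    """Client: reply only to the origin carried inside the challenge, never to
    the page that displayed the QR code. Also report whether the two differ,
    so the client UI can warn the user (the IP/host check the comment mentions)."""
    origin, _nonce, _mac = parse_challenge(payload)
    mismatch = urlsplit(origin).netloc != urlsplit(displaying_page).netloc
    return origin, mismatch


class Server:
    """Server: accept a reply only if the HMAC verifies, the embedded origin
    is this server, and the nonce has not been consumed before."""

    def __init__(self, origin: str, secret: bytes):
        self.origin, self.secret, self.used = origin, secret, set()

    def accept_reply(self, payload: str) -> bool:
        origin, nonce, mac = parse_challenge(payload)
        body = f"{origin}|{nonce}".encode()
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged, or origin/nonce rewritten after issuance
        if origin != self.origin or nonce in self.used:
            return False  # meant for another site, or a replayed challenge
        self.used.add(nonce)
        return True
```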
Hi @shellster, sorry for my delayed reply. Yes, for sure the attack is not that new, and there are some sources that just walked around it, but we went into it in a detailed way!
Also, how do you see, in a summarized way, that SQRL mitigates such an attack?