Understanding the Session Fixation Attack on UMA Claims-Gathering and the Provided Mitigation
...
On January 27, 2016, an issue was reported that identified a vulnerability in the UMA protocol. The UMA Work Group immediately set about analyzing the attack, possible mitigations under consideration, and similar cases; choosing an optimal mitigation; and developing specification text defining that mitigation. This companion non-normative document provides additional background information.
...
- The state parameter provides no support for distinguishing the attacker's transaction context from the victim's. The state value only tells a client whether it started the flow that is now calling back; it says nothing about whose claims were gathered. The victim's client simply fails when it attempts to continue seeking access, because the session was initiated by the attacker, and the transaction context of record is the attacker's.
- The ticket parameter provides no support for distinguishing the two contexts either, because UMA V1.0 and V1.0.1 (and possible future minor versions) require its value to be the same across the entire process of claims-gathering while a requesting party is seeking access to a particular resource. It could be said that the root problem of the session fixation is the "fixed" nature of permission tickets in the cycle of 1) requesting party claims endpoint usage with a ticket parameter and 2) the response from the AS with the same ticket parameter repeated.
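The cycle above, run end to end in a small simulation. This is an added example written for this companion text; it is not code from the UMA Work Group, the draft extension, or any UMA implementation. The authorization server, client sessions, resource URL and user names are constructed. The fixed-ticket mode follows the V1.0/V1.0.1 behavior described above; the "rotate_tickets" mode is an assumed mitigation shape included only for contrast and is not the text of the Work Group's extension specification.

```python
import secrets


class AuthorizationServer:
    """Minimal AS: issues permission tickets, gathers claims, issues RPTs."""

    def __init__(self, rotate_tickets: bool):
        self.rotate_tickets = rotate_tickets
        self.tickets = {}  # ticket value -> {"resource": ..., "claims": {...}}

    def issue_ticket(self, resource: str) -> str:
        # Returned to the client alongside the "need more claims" response
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"resource": resource, "claims": {}}
        return ticket

    def claims_endpoint(self, ticket: str, state: str, authenticated_user: str) -> dict:
        # Whoever arrives in a browser with this ticket is treated as the
        # requesting party; the AS records the gathered claims on the ticket.
        ctx = self.tickets.get(ticket)
        if ctx is None:
            raise ValueError("unknown or retired ticket")
        ctx["claims"]["sub"] = authenticated_user
        if self.rotate_tickets:
            # Assumed mitigation shape (illustration only): retire the ticket
            # that was presented and continue with a fresh one, so a copy of
            # the old value held by whoever started the cycle is now useless.
            del self.tickets[ticket]
            ticket = secrets.token_urlsafe(16)
            self.tickets[ticket] = ctx
        # Redirect back to the client with the ticket and the state as received
        return {"ticket": ticket, "state": state}

    def rpt_endpoint(self, ticket: str) -> dict:
        ctx = self.tickets.get(ticket)
        if ctx is None or "sub" not in ctx["claims"]:
            raise PermissionError("need_info or invalid ticket")
        return {"rpt": secrets.token_urlsafe(16),
                "sub": ctx["claims"]["sub"], "resource": ctx["resource"]}


class ClientSession:
    """One browser user's session with the client app; state lives here."""

    def __init__(self, owner: str):
        self.owner = owner
        self.pending = {}  # state -> ticket, recorded when the user is redirected

    def begin_claims_gathering(self, ticket: str) -> str:
        state = secrets.token_urlsafe(8)
        self.pending[state] = ticket
        return state

    def handle_redirect(self, params: dict) -> str:
        # The state check only accepts callbacks for flows this session
        # started; it cannot tell whose claims were gathered on the ticket.
        if params["state"] not in self.pending:
            raise ValueError(f"{self.owner}'s session: unknown state, callback dropped")
        self.pending.pop(params["state"])
        return params["ticket"]


def simulate(rotate_tickets: bool) -> dict:
    """Run the fixation scenario and report what each party ends up with."""
    as_ = AuthorizationServer(rotate_tickets)
    attacker = ClientSession("attacker")
    victim = ClientSession("victim")

    # 1. Attacker asks for the victim's resource; the AS answers with a ticket.
    ticket = as_.issue_ticket("https://rs.example/victim-photos")  # constructed URL
    # 2. The attacker's client session starts claims-gathering and keeps the ticket.
    state = attacker.begin_claims_gathering(ticket)
    # 3. The attacker lures the victim's browser to the claims endpoint with that
    #    ticket and state; the victim authenticates, and the claims land on the ticket.
    redirect = as_.claims_endpoint(ticket, state, authenticated_user="victim")
    # 4. The victim's client session receives the callback and rejects the state.
    try:
        victim.handle_redirect(redirect)
        victim_failed = False
    except ValueError:
        victim_failed = True
    # 5. The attacker's session retries the token request with the ticket it kept.
    try:
        access_as = as_.rpt_endpoint(attacker.pending[state])["sub"]
    except PermissionError:
        access_as = None
    return {"victim_client_failed": victim_failed,
            "attacker_obtained_access_as": access_as}


if __name__ == "__main__":
    for mode in (False, True):
        print("rotate_tickets =", mode, simulate(mode))
```

In the fixed-ticket mode the victim's session drops the callback because the state is not one it issued, exactly as the text describes, yet the attacker's retained ticket now carries the victim's claims and redeems for an RPT as the victim. In the rotated mode the victim's session still fails on the state check, but the ticket the attacker kept is no longer known to the AS, so the retry gets a permission error instead.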
Discussion of the Provided Mitigation and Others Considered
The UMA Work Group has provided a mitigation of this attack in the form of a draft extension specification.
...