From e423f10513aefe49fa7697f443e0f01ecba11324 Mon Sep 17 00:00:00 2001 From: Sergei Maertens <sergei@maykinmedia.nl> Date: Mon, 4 Dec 2023 18:06:07 +0100 Subject: [PATCH] :loud_sound: Replace fatal error with logging There appear to be ~1 incident/day caused by this IP address check, and from the looks of it they all seems like genuine, non-malicious usage. In office spaces where VPNs and network changes (which result in different IP addresses) are common, this check leads to false positives and we've assessed the likelihood of actual attacks to be low. * Session cookies are typically flagged as HttpOnly, so XSS to steal credentials/cookies is not a viable exploit path * If an attacker can intercept the session cookie via MITM over plain HTTP, the DigiD conditions are not met and you really, really should not run anything over plain HTTP. * If an attacker can MITM an HTTPS connection, you have far bigger issues, since then interecepting/modifying the actual HTTP traffic is much more interesting than hijacking a DigiD session. * Initial HTTP connections (first-ever) are possible, even when using HSTS (which you should deploy), but can be mitigated by making sure your URLs are added to the preload lists vendored in browsers. --- digid_eherkenning/saml2/base.py | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/digid_eherkenning/saml2/base.py b/digid_eherkenning/saml2/base.py index 806bba2..8e79ae5 100644 --- a/digid_eherkenning/saml2/base.py +++ b/digid_eherkenning/saml2/base.py @@ -170,11 +170,24 @@ def verify_saml2_response(self, response, client_ip_address): # authn_ip_address = authn_request["client_ip_address"] if authn_ip_address != client_ip_address: - raise OneLogin_Saml2_ValidationError( - f"A different IP address ({authn_ip_address})" - f"was used when retrieving the AuthNRequest then for retrieving" - f" the request to the ACS ({client_ip_address}).", - OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO, + # Relaxed validation - IP address changes between mobile towers are not + # necessarily a common occurrence (typically the mobile provider manages + # your mobile IP address), but what does happen is switching between wifi/VPN + # or mobile network in the user's office (or even on the go, with a Dual SIM + # set up for example). So instead of complicating the error messages for + # these edge cases and given the very low likelyhook an attacker is able to + # steal the session cookie/data, we opt for detection and logging instead. + logger.warning( + "A different IP address (%s) was used when retrieving the AuthNRequest " + "than for resolving the SAML artifact in the ACS (%s).", + authn_ip_address, + client_ip_address, + # record meta information for potential audit trails + extra={ + "authn_ip_address": authn_ip_address, + "client_ip_address": client_ip_address, + "security": True, + }, ) # I remember reading somewhere that the assurance level on the response