

By supporting non-commercial organizations and open-source applications, we want to increase their security. For this reason, we created our pro bono program last September. The pro bono program offers applicants the chance to be selected for a free high-quality penetration test with a total expense of 10 man-days.

As the first candidate, we selected KeeWeb, which is a KeePass-compatible password manager. KeeWeb is available both as a web application and as a cross-platform native application. It allows users to open and sync their password databases stored locally or in a cloud storage. We selected KeeWeb because it was an excellent fit for our pro bono program. First, its security is crucial, given that it processes the user's password databases. Second, it is a web application written in JavaScript and accesses cloud storage providers using OAuth.

We conducted the 10 man-day penetration test between the 16th March and 3rd April 2020. During the test, we identified a total of 6 weaknesses – three classified as High and three classified as Medium. The identified weaknesses were mostly based on the incorrect use of the OAuth authorization framework and insufficient protection against Cross-Site Scripting (XSS). In the following, we describe the OAuth weaknesses in detail.

OAuth 2.0 is the de-facto standard for delegated authorization and is supported by almost every cloud storage and API provider, including Google, Microsoft, Dropbox, and Amazon Web Services. However, the OAuth framework consists of several rather complex standards and provides various configurations. Flawlessly implementing authorization with OAuth is challenging and error-prone from a security perspective. Luckily, there are well-established OAuth best current practices: a collection of security measures that all applications using OAuth should follow.

The highest-ranking weakness we identified was KeeWeb's use of the OAuth implicit grant, which violates the OAuth best current practices. The implicit grant exposes the access tokens, which are used to access the user's cloud storage, in the browser's URL bar and its history. This significantly increases the attack surface of the access token. Today, avoiding the implicit grant is strongly recommended in general. Further details on its weaknesses can be found in the drafts "OAuth 2.0 Security Best Current Practice" and "OAuth 2.0 for Browser-Based Applications", as well as in the RFC "OAuth 2.0 for Native Apps". Instead of the implicit grant, the authorization code grant in conjunction with the Proof Key for Code Exchange (PKCE) extension should be used.

A second example of the identified weaknesses is another violation of the OAuth best current practices: KeeWeb did not protect against so-called "mix-up" attacks. This class summarizes attacks in which the application is confused about which OAuth authorization server it should invoke. All applications that support multiple OAuth authorization servers are potentially vulnerable to mix-up attacks and need to protect against this attack class.

On top of the 6 identified weaknesses, we recommended two changes to increase the security of the application further. First, delivering a Content Security Policy to minimize the risk of content injection vulnerabilities. Second, implementing a logout option that allows the user to explicitly revoke access to their cloud storage – an option that is especially important on public or shared computers.

Pro Bono Penetration Test Report

All details of the identified weaknesses and recommendations can be found in the full report: KeeWeb Penetration Test Report

Responsible Disclosure

The weaknesses identified during the penetration test were responsibly disclosed on the 16th March to Mr. Witkowski, who is the main contributor to the KeeWeb project. Mr. Witkowski started to fix the weaknesses immediately and released a first update (v1.14) for KeeWeb on the 18th March. Later, we conducted a short retest of the identified weaknesses and informed the developer that all weaknesses except one were successfully fixed. A second update (v1.14.2) was released on the 4th May fixing the last weakness. We thank Mr. Witkowski for participating in our pro bono program and for fixing the identified weaknesses in a fast and responsible manner. The latest version also implements both recommendations we included in the report.
