Nowadays, web applications often rely on cryptographically protected tokens to facilitate single sign-on or maintain sessions across distributed servers. Such tokens contain expiration dates and the identity of the current user, and are stored in the user’s browser. It is essential that these users are not able to change the contents of these tokens, as that could allow, for instance, impersonation of other user, elevation of privileges or authentication bypasses. A crypto bug in a token implementation can lead to multiple forms of authentication vulnerabilities.

During my analysis of several token implementations, I found that the way that the application server IBM WebSphere Liberty had implementation flaws in its implementation of the Lightweight Third Party Authentication (LTPA) protocol, a cryptographic token scheme used by multiple IBM products. By combining this implementation bug with cryptographic weaknesses in the protocol itself, an attacker could to change their token into one belonging to any other user. While this attack involves a tricky adaptive chosen-ciphertext attack, it can be easily automated with a script that usually only takes a few seconds to execute. I also found a second (less severe) impersonation attack involving the injection of a delimiter character.

This talk will explain the LTPA protocol and its cryptographic flaws. I will show how these can be exploited by taking advantage of a parser implementation and an implementation bug, leading to a practical impersonation attack against applications using the WebSphere Liberty and Open Liberty web servers.