Full Report
A look inside the reverse-engineering journey of building the first RDP client outside of Windows to support WebAuthn redirection. The post How We Added WebAuthn to a Browser-Based RDP Client appeared first on Unit 42.
Analysis Summary
# Research: How We Added WebAuthn to a Browser-Based RDP Client
## Metadata
- **Authors:** Gili Lev-Ran and Lior Arviv
- **Institution:** Palo Alto Networks – Unit 42
- **Publication:** Unit 42 Blog
- **Date:** May 1, 2024 (Original publication date)
## Abstract
This research documents the reverse-engineering process required to implement WebAuthn redirection within a non-Windows, browser-based Remote Desktop Protocol (RDP) client. While Windows-to-Windows RDP has natively supported WebAuthn since 2022, the protocol specifications remained undocumented for third-party developers. The authors successfully mapped the communication between the RDP server and the client's virtual channels to enable hardware-backed passwordless authentication in a cross-platform environment.
## Research Objective
The primary objective was to enable WebAuthn (FIDO2) support in a web-based RDP client. This addresses the challenge of providing secure, hardware-token-based authentication for remote sessions without requiring a native Windows client or a specific local USB redirection driver.
## Methodology
### Approach
The researchers employed a "black-box" reverse-engineering strategy:
1. **Traffic Analysis:** Monitoring communication between a native Windows RDP client and server to identify how WebAuthn data is encapsulated.
2. **API Hooking:** Intercepting calls to `webauthn.dll` and `vault.dll` on the Windows host to observe data transformation.
3. **Virtual Channel Mapping:** Identifying the specific RDP Static Virtual Channel used for WebAuthn (the `rdpdr` channel).
4. **Protocol Reconstruction:** Rebuilding the packet structures for the `MSG_ID_WA_FORWARD_PACKET` message type.
### Dataset/Environment
- **Server:** Windows 11 / Windows Server 2022 (supporting WebAuthn redirection).
- **Client:** A custom browser-based RDP client.
- **Hardware:** YubiKey and other FIDO2-compliant authenticators.
### Tools & Technologies
- **Wireshark:** For capturing and analyzing network traffic.
- **RDP protocol analyzers:** To dissect RDP-specific PDU (Protocol Data Unit) structures.
- **FIDO2/WebAuthn APIs:** To interface with the browser's native hardware access.
## Key Findings
### Primary Results
1. **Discovery of the Redirection Mechanism:** WebAuthn does not use a new channel; it leverages the existing **Device Redirection Virtual Channel (`rdpdr`)**.
2. **Specific Message ID:** The researchers identified `0x5741` ("WA" in ASCII) as the header for WebAuthn-related packets.
3. **Cross-Platform Feasibility:** Demonstrated that browser-based clients can act as WebAuthn "authenticators" for remote Windows sessions by proxying requests to the local browser’s `navigator.credentials` API.
### Novel Contributions
- **First Non-Windows Implementation:** The research resulted in the first known RDP client outside the Windows ecosystem to successfully redirect WebAuthn.
- **Documenting the Undocumented:** Provided a structural breakdown of the WebAuthn redirection packet, which was omitted from official Microsoft MSDN documentation (MS-RDPEFS).
## Technical Details
The implementation relies on intercepting the `Device I/O Request` from the RDP server. When a remote application requests WebAuthn:
- The server sends a packet via the `rdpdr` channel.
- The header is identified by the `Component` field `0x4452` and `PacketId` `0x5741`.
- The payload is an encoded WebAuthn request (e.g., `makeCredential` or `getAssertion`).
- The client parses this payload, invokes the browser’s **WebAuthn API**, collects the hardware token's response, and wraps it back into an RDP-compliant response packet to be sent back to the server.
## Practical Implications
### For Security Practitioners
- **Passwordless Adoption:** This allows organizations to move away from passwords even for legacy applications accessed via web-based RDP portals.
- **Reduced Surface Area:** Eliminates the need for complex and often insecure USB-over-IP redirection for smart cards/security keys.
### For Defenders
- **Enhanced Visibility:** Understanding that WebAuthn travels over the `rdpdr` channel allows defenders to monitor or restrict WebAuthn redirection via Group Policy if necessary.
- **Phishing Resistance:** Implementation supports the use of hardware-bound keys in remote sessions, significantly mitigating session hijacking and phishing risks.
### For Researchers
- Opens the door for further exploration into other "Virtual Channel" extensions that Microsoft has added but not yet fully documented.
## Limitations
- **Encryption Overheads:** Because the WebAuthn requests are nested inside RDP's own encryption and virtual channels, debugging requires significant effort to decrypt the stream.
- **Dependency on Browser Support:** The efficacy of the solution is tied to the local browser’s ability to interface correctly with the hardware token.
## Comparison to Prior Work
Previously, WebAuthn redirection was exclusive to the **Microsoft Remote Desktop** client on Windows. While open-source projects like FreeRDP have implemented various virtual channels, WebAuthn support was a "missing link" due to the lack of protocol specifications. This research fills that gap by providing the necessary packet structures.
## Real-world Applications
- **Clientless VPN/ZTNA:** Integrating WebAuthn into browser-based access gateways (like Palo Alto Networks Prisma Access or Apache Guacamole).
- **Secure DevOps:** Allowing developers to access remote build servers using their hardware security keys without installing native clients.
## Future Work
- Improving the integration with different hardware types (e.g., Biometrics/Windows Hello).
- Exploring if similar redirection can be applied to other authentication protocols (e.g., Passkeys) within the RDP context.
## References
1. Microsoft documentation: [MS-RDPEFS]: Remote Desktop Protocol: File System Virtual Channel Extension.
2. FIDO Alliance: Web Authentication (WebAuthn) Specification.
3. Unit 42 Technical Blog: `https://unit42.paloaltonetworks[.]com/webauthn-added-to-browser-based-rdp/`