Wanpeng Li,Chris J Mitchell,Thomas Chen

DOI: https://doi.org/10.48550/arXiv.1901.08960

2019-01-25

Abstract:Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.

Cryptography and Security

Swarag Sharma,Jevitha Kp

DOI: https://doi.org/10.1109/i-PACT58649.2023.10434479

2023-12-08

Abstract:Many users all over the world routinely use open authentication and authorization providers based on OAuth 2.0 framework such as Google, Facebook etc. to sign in to third-party websites (relying party). The authentication (OpenID connect) and authorization (OAuth) protocol based on OAuth 2.0 framework enables the relying party application to authenticate its users and gain access to their protected resources without storing any of the sensitive user credentials such as usernames and passwords. Hence, the implementation of these protocols by the relying parties and identity providers play an important role in security of the user information and their privacy. The risk of attacks on improper implementation of these protocols can cause unauthorized access to the user accounts. In this work, we focused on testing the OAuth implementations done by the relying parties. For the secure implementation of OAuth 2.0 we found that following parameters must be present while generating OAuth request: client_id, state, response_type, redirect_uri and scope. We have analyzed our work with around 75 websites that were using Google as an identity provider to provide access to its users. Out of 75 relying parties, 30% were found vulnerable to CSRF attack due to missing state parameter, 13% used implicit flow which reveals id_token or access_token in the OAuth URL and 2% had secret parameters in OAuth URL. We developed a browser extension which successfully identify and alert its user on these issues.

Computer Science

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

San-Tsai Sun

Abstract:Social login is currently used by millions of Facebook users to sign in more than one million supporting websites. The protocol behinds this web-based single sign-on (SSO) scheme is OAuth 2.0, which is also adopted by major service providers such as Google and Microsoft. Several formal methods have been used to analyze the security of the OAuth protocol, but no novel threat is found. To understand and improve the security of OAuth 2.0 SSO systems in the real-world settings, this work investigates potential security threats by examining the implementations of three major identity providers (i.e., Facebook, Microsoft and Google) and about one hundred popular supporting websites listed on Google Top 1,000 Websites. Our analysis and evaluation found several systematic weaknesses that allow an attacker to gain unauthorized access to the victim user’s profile and social graph on the identity providers, as well as impersonating the victim on the supporting website. A further investigation found that those weaknesses are rooted from a set of simplicity features o↵ered by the design of the protocol and IdP implementations. Based on the insights from this analysis, we recommend practical countermeasures to mitigate the uncovered threats.

Computer Science

Hui Wang,Yuanyuan Zhang,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1145/2991079.2991105

2016-01-01

Abstract:Websites and mobile applications today increasingly utilize OAuth for authorization and authentication. Major companies such as Facebook, Google and Twitter all provide OAuth services. The usage of OAuth for authorization is well documented and has been studied by many researchers. However, little work has been done to specify or analyze the usage of OAuth for authentication. Given that many developers have employed OAuth for authentication on multiple platforms, we believe it is imperative to conduct a study to understand how developers customize OAuth for authentication on different platforms. In this paper, we analyze how popular applications on the Web, Android and iOS platform authenticate users with OAuth. Our approach is to dissect the traffic from an attacker's perspective to recover the authentication mechanisms employed by the apps and identify exploitable vulnerabilities. The results show that OAuth-based authentication mechanisms employed by these applications lack sufficient verification and suffer from many vulnerabilities. Closer examination reveals that developers have different tendencies to authenticate users with OAuth on different platforms, and 32.9%, 47.1% and 41.6% of the analyzed mechanisms on the three platforms are vulnerable. We then categorize the root causes of these vulnerabilities and make practical recommendations for developers to help design and implement robust authentication mechanisms with OAuth.

Shun Wang,Chao Ni,Jianbo Wang,Changhai Nie

DOI: https://doi.org/10.1109/issrew55968.2022.00043

2022-01-01

Abstract:Cross-Site Request Forgery (CSRF) vulnerabilities are severe web vulnerabilities since their characteristics of extreme concealment and heavy harmfulness. However, they have received marginal attention from both the academic and the industry and the detection and protection of CSRF vulnerabilities are still performed predominantly manually. This paper proposes CSRFSolver for API-level CSRF detection and protection with two components: CSRF detector and CSRF defender. The former helps to identify and locate CSRF points where they need CSRF protection, and the latter provides CSRF protection by generating and verifying CSRFToken. We evaluate the effectiveness and efficiency of CSRFSolver on Cisco Webex public URL APIs with the state-of-the-art method. The results indicate that CSRFSolver can effectively and efficiently protect the system from CSRF attacks and have no side effects on systems' functionality. Meanwhile, the practical usefulness of CSRFSolver has also been verified through four years of deployment in Cisco Webex.

Rong Fan,Dao-jing He,Xue-zeng Pan,Ling-di Ping

DOI: https://doi.org/10.1631/jzus.c1000377

2011-01-01

Abstract:Wireless sensor networks (WSNs) are vulnerable to security attacks due to their deployment and resource constraints. Considering that most large-scale WSNs follow a two-tiered architecture, we propose an efficient and denial-of-service (DoS)-resistant user authentication scheme for two-tiered WSNs. The proposed approach reduces the computational load, since it performs only simple operations, such as exclusive-OR and a one-way hash function. This feature is more suitable for the resource-limited sensor nodes and mobile devices. And it is unnecessary for master nodes to forward login request messages to the base station, or maintain a long user list. In addition, pseudonym identity is introduced to preserve user anonymity. Through clever design, our proposed scheme can prevent smart card breaches. Finally, security and performance analysis demonstrates the effectiveness and robustness of the proposed scheme.

Christian Mainka,Vladislav Mladenov,Jörg Schwenk

DOI: https://doi.org/10.48550/arXiv.1412.1623

2014-12-04

Abstract:Single Sign-On (SSO) systems simplify login procedures by using an an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitely specifies which IdP he trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in a open source tool OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.

Cryptography and Security

Ya-ou LIU,Liu-sheng HUANG,Hong-li XU,Chen-kai YANG

2017-01-01

Abstract:OAuth is an open standard for authorization based on Web,which has been widely used in many Web-based applications.However,it appears to face many challenges when applied in WoT architecture.On one hand,as the user in the OAuth scenarios can not be the owner of parts of the resource and the user of other resources at the same time,OAuth can not fit into the multi-role user in WoT architecture.On the other hand,OAuth doesn't provide flow control whereas the provider of the resource need to control the flow to prevent users from malicious access in WoT architecture.The newly proposed resource access control method for the multiroles user in WoT architecture resolves the problem that OAuth doesn't fit into the case that the user has multiply roles,and it can control the flow at the same time.

Ao Zhang,Xiaoying Bai

DOI: https://doi.org/10.1007/978-981-15-2777-7_22

2019-01-01

Abstract:With the development of digital society, the number of Internet platforms increases rapidly and a huge amount of personal information is stored online. It is convenient for users to log in to all platforms with a common account. Third-party authorization protocols like OAuth 2.0 allow the delegation of access control to dedicated service providers. However, OAuth protocol follows the centralized approach to manage authorization and authentication information, which relies on a centralized party and makes it a target under attack. In practice, it is vulnerable to attacks like replay attack, cross-site request forgery (CSRF) attack, and so on. Also, the centralized party cannot provide customized access control for other platforms. To solve these problems, the paper proposes a consortium blockchain architecture and designs protocols for account management and distributed consensus. The paper discusses the potentials of the proposed approach to effectively address certain vulnerabilities in current OAuth-like authorization and authentication services with tolerable performance.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Kruegel,Giovanni Vigna,Yan Chen

2014-01-01

Abstract:Author(s): Cao, Yinzhi; Shoshitaishvili, Yan; Borgolte, Kevin; Kruegel, Christopher; Vigna, Giovanni; Chen, Yan | Abstract: Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.Single sign-on (SSO) protocols, however, are not immune to vulnerabilities. Recent research introduced several attacks against existing SSO protocols, and further work showed that these problems are prevalent: 6.5% of the investigated relying parties were vulnerable to impersonation attacks, which can lead to account compromises and privacy breaches. Prior work used formal verification methods to identify vulnerabilities in SSO protocols or leveraged invariances of SSO interaction traces to identify logic flaws. No prior work, however, systematically studied the actual root cause of impersonation attacks against the relying party.In this paper, we systematically examine existing SSO protocols and determine the root cause of the aforementioned vulnerabilities: the design of the communication channel between the relying party and the identity provider, which, depending on the protocol and implementation, suffers from being a one-way communication protocol, or from a lack of authentication. We (a) systematically study the weakness responsible for the vulnerabilities in existing protocols that allow impersonation attacks against the relying party, (b) introduce a dedicated, authenticated, bi-directional, secure channel that does not suffer from those shortcomings, (c) formally verify the authentication property of this channel using a well-known cryptographic protocol verifier (ProVerif), and (d) evaluate the practicality of a prototype implementation of our protocol.Ultimately, to support a smooth and painless transition from existing SSO protocols, we introduce a proxy setup in which our channel can be used to secure existing SSO protocols from impersonation attacks. Furthermore, to demonstrate the flexibility of our approach, we design two different SSO protocols: an OAuth-like and an OpenID-like protocol.

Jianjun Chen,Jian Jiang,Haixin Duan,Tao Wan,Shuo Chen,Vern Paxson,Min Yang

2018-01-01

Abstract:The default Same Origin Policy essentially restricts access of cross-origin network resources to be "write-only". However, many web applications require "read" access to contents from a different origin. Developers have come up with workarounds, such as JSON-P, to bypass the default Same Origin Policy restriction. Such adhoc workarounds leave a number of inherent security issues. CORS (cross-origin resource sharing) is a more disciplined mechanism supported by all web browsers to handle cross-origin network access. This paper presents our empirical study about the real-world uses of CORS. We find that the design, implementation, and deployment of CORS are subject to a number of new security issues: 1) CORS relaxes the cross-origin "write" privilege in a number of subtle ways that are problematic in practice; 2) CORS brings new forms of risky trust dependencies into web interactions; 3) CORS is generally not well understood by developers, possibly due to its inexpressive policy and its complex and subtle interactions with other web mechanisms, leading to various misconfigurations. Finally, we propose protocol simplifications and clarifications to mitigate the security problems uncovered in our study. Some of our proposals have been adopted by both CORS specification and major browsers.

Jian-fan WEI,Zhong CHEN,Yun-suo DUAN,Li-fu WANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2005.02.023

2005-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Denial of service has become a major security threat in open communications networks. Authentication and key establishment protocols usually are vulnerable to network DoS attacks. This paper presents a new countermeasure to make authentication protocols without trusted third party resistant against DoS attack. By using this method, the strength of resistance can be adjusted dynamically and most parallel session attacks can be prevented.

Sam Hays,Michael Sandborn,Dr. Jules White

2024-01-22

Abstract:Approximately 61% of cyber attacks involve adversaries in possession of valid credentials. Attackers acquire credentials through various means, including phishing, dark web data drops, password reuse, etc. Multi-factor authentication (MFA) helps to thwart attacks that use valid credentials, but attackers still commonly breach systems by tricking users into accepting MFA step up requests through techniques, such as ``MFA Bombing'', where multiple requests are sent to a user until they accept one. Currently, there are several solutions to this problem, each with varying levels of security and increasing invasiveness on user devices. This paper proposes a token-based enrollment architecture that is less invasive to user devices than mobile device management, but still offers strong protection against use of stolen credentials and MFA attacks.

Cryptography and Security

Giancarlo Pellegrino,Martin Johns,Simon Koch,Michael Backes,Christian Rossow

DOI: https://doi.org/10.48550/arXiv.1708.08786

2017-08-29

Abstract:Cross-Site Request Forgery (CSRF) vulnerabilities are a severe class of web vulnerabilities that have received only marginal attention from the research and security testing communities. While much effort has been spent on countermeasures and detection of XSS and SQLi, to date, the detection of CSRF vulnerabilities is still performed predominantly manually. In this paper, we present Deemon, to the best of our knowledge the first automated security testing framework to discover CSRF vulnerabilities. Our approach is based on a new modeling paradigm which captures multiple aspects of web applications, including execution traces, data flows, and architecture tiers in a unified, comprehensive property graph. We present the paradigm and show how a concrete model can be built automatically using dynamic traces. Then, using graph traversals, we mine for potentially vulnerable operations. Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues. We evaluate the effectiveness of Deemon with 10 popular open source web applications. Our experiments uncovered 14 previously unknown CSRF vulnerabilities that can be exploited, for instance, to take over user accounts or entire websites.

Cryptography and Security

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Krügel,Giovanni Vigna,Yan Chen

DOI: https://doi.org/10.1007/978-3-319-11379-1_14

2014-01-01

Abstract:Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.

Zhi Wang,Xin Yang,Du Chen,Han Gao,Meiqi Tian,Yan Jia,Wanpeng Li

2024-11-18

Abstract:To protect users from data breaches and phishing attacks, service providers typically implement two-factor authentication (2FA) to add an extra layer of security against suspicious login attempts. However, since 2FA can sometimes hinder user experience by introducing additional steps, many websites aim to reduce inconvenience by minimizing the frequency of 2FA prompts. One approach to achieve this is by storing the user's ``Remember the Device'' preference in a cookie. As a result, users are only prompted for 2FA when this cookie expires or if they log in from a new device. To understand and improve the security of 2FA systems in real-world settings, we propose SE2FA, a vulnerability evaluation framework designed to detect vulnerabilities in 2FA systems. This framework enables us to analyze the security of 407 2FA systems across popular websites from the Tranco Top 10,000 list. Our analysis and evaluation found three zero-day vulnerabilities on three service providers that could allow an attacker to access a victim's account without possessing the victim's second authentication factor, thereby bypassing 2FA protections entirely. A further investigation found that these vulnerabilities stem from design choices aimed at simplifying 2FA for users but that unintentionally reduce its security effectiveness. We have disclosed these findings to the affected websites and assisted them in mitigating the risks. Based on the insights from this research, we provide practical recommendations for countermeasures to strengthen 2FA security and address these newly identified threats.

Cryptography and Security

Hui Wang,Yuanyuan Zhang,Juanru Li,Hui Liu,Wenbo Yang,Bodong Li,Dawu Gu

DOI: https://doi.org/10.1145/2818000.2818024

2015-01-01

Abstract:Enforcing security on various implementations of OAuth in Android apps should consider a wide range of issues comprehensively. OAuth implementations in Android apps differ from the recommended specification due to the provider and platform factors, and the varied implementations often become vulnerable. Current vulnerability assessments on these OAuth implementations are ad hoc and lack a systematic manner. As a result, insecure OAuth implementations are still widely used and the situation is far from optimistic in many mobile app ecosystems. To address this problem, we propose a systematic vulnerability assessment framework for OAuth implementations on Android platform. Different from traditional OAuth security analyses that are experiential with a restrictive three-party model, our proposed framework utilizes an systematic security assessing methodology that adopts a five-party, three-stage model to detect typical vulnerabilities of popular OAuth implementations in Android apps. Based on this framework, a comprehensive investigation on vulnerable OAuth implementations is conducted at the level of an entire mobile app ecosystem. The investigation studies the Chinese mainland mobile app markets (e.g., Baidu App Store, Tencent, Anzhi) that covers 15 mainstream OAuth service providers. Top 100 relevant relying party apps (RP apps) are thoroughly assessed to detect vulnerable OAuth implementations, and we further perform an empirical study of over 4,000 apps to validate how frequently developers misuse the OAuth protocol. The results demonstrate that 86.2% of the apps incorporating OAuth services are vulnerable, and this ratio of Chinese mainland Android app market is much higher than that (58.7%) of Google Play.

ZHAO Guofeng,CHEN Yong,WANG Xinheng

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.03.003

2016-01-01

Abstract:This paper discusses the HTTPS protocol communication process, analyzes the basic principles and methods in detail based on forged certiifcates and man in the middle session hijacking. Then it points out that conventional hijacking method through the backend to manipulate the original data lfow and defects, and puts forward a front-end scripting XSS based on injection of more efifcient and more perfect HTTPS session hijacking method, which can realize the hijacking of the form submission, dynamic elements, the script window, and the page frame. Finally it expounds the priciple and process the Web front-end hijacking, builds a prototype system to validate, and makes a further analysis of the HTTPS communication security risks. According to the present situation, it also puts forward feasible preventive measures.

Enze Wang,Jianjun Chen,Wei Xie,Chuhan Wang,Yifei Gao,Zhenhua Wang,Haixin Duan,Yang Liu,Baosheng Wang

DOI: https://doi.org/10.1109/sp54263.2024.00198

2024-01-01

Abstract:Server-Side Request Forgery (SSRF) vulnerability poses significant security risks to web applications, enabling adversaries to exploit web applications as stepping stones for unauthorized access of internal-only services or even performing arbitrary commands. Despite its recent emergence as a distinct category in the 2021 OWASP Top 10 web security risks and its increasing prevalence in modern web applications, there remains a lack of effective approaches to detect SSRF vulnerabilities systematically.We present a novel methodology, SSRFuzz, to effectively identify SSRF vulnerability in PHP web applications. Our methodology consists of three phases. In the initial phase, we designed an SSRF oracle to examine functions in PHP manuals and identify sinks that provide server-side request capabilities. This process yielded a total of 86 sensitive PHP sinks out of 2101 PHP functions. The second stage involves dynamic taint inference and the utilization of the identified sinks to examine the source code of target web applications, pinpointing all feasible input points that could trigger these sinks. The final phase employs fuzzing techniques. We generate testing HTTP requests with SSRF payloads, send them to the previously identified input points within the target web applications, and detect if an SSRF vulnerability is triggered. We implemented a prototype of SSRFuzz and evaluated it on 27 real-world applications, including Joomla and WordPress. In total, we discovered 28 SSRF vulnerabilities, 25 of which were previously unreported. We reported all the vulnerabilities to the affected vendors, and 16 new CVE IDs were assigned.