Mitigating CSRF attacks on OAuth 2.0 Systems
Many millions of users routinely use Google, Facebook and Microsoft to log in to websites supporting OAuth 2.0 and/or OpenID Connect. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance. Unfortunately, as previous studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new and practical technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Index Terms: OAuth 2.0, OpenID Connect, CSRF
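The abstract does not describe the paper's own technique. As an added illustration of the baseline RP-side defence that OAuth 2.0 login CSRF targets, the code below (written for this page, not taken from the paper) binds the RFC 6749 `state` parameter to the browser session, verifies it on the callback, and replays the classic attack in which the victim's browser is sent a callback URL carrying the attacker's authorization code. The endpoint, client identifier and redirect URI are hypothetical placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical RP configuration; none of these values come from the paper.
AUTHORIZATION_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "rp-client-id"
REDIRECT_URI = "https://rp.example/callback"


class Session:
    """Stand-in for server-side session storage keyed by the browser's session cookie."""

    def __init__(self):
        self.data = {}


def begin_login(session: Session) -> str:
    """Start an authorization code flow: mint an unguessable state value, bind it to
    this browser session, and carry it in the authorization request."""
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def state_from_url(url: str) -> str:
    """Read the state parameter back out of a URL (what the browser will echo)."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback(session: Session, callback_url: str):
    """Redirect-URI handler. Returns the authorization code only when the state in the
    callback equals the one bound to this session; otherwise returns None.

    The stored state is consumed on every attempt, so each value is usable once.
    """
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    expected_state = session.data.pop("oauth_state", None)
    if expected_state is None:
        return None  # no login pending for this browser: a cross-site request
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        return None  # state forged, guessed, or taken from a different session
    return query.get("code", [None])[0]


def csrf_demo():
    """Replay the login-CSRF attempt against an RP using the check above.

    The attacker completes a login at the IdP with their own account, captures the
    callback URL (which carries the attacker's code and the attacker's state) and
    makes the victim's browser load it. Returns (attacker_result, legitimate_result).
    """
    victim = Session()
    begin_login(victim)
    forged = REDIRECT_URI + "?" + urlencode({"code": "attackers-code", "state": "attackers-state"})
    attacker_result = handle_callback(victim, forged)

    victim = Session()
    login_url = begin_login(victim)
    genuine = REDIRECT_URI + "?" + urlencode({"code": "victims-code", "state": state_from_url(login_url)})
    legitimate_result = handle_callback(victim, genuine)
    return attacker_result, legitimate_result
```

Two design points matter in practice: the state must be stored server-side (or in a signed cookie the attacker cannot mint), not merely echoed, and the callback must not proceed to the token endpoint when the check fails, since exchanging the attacker's code is exactly what logs the victim into the attacker's account.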
Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign-on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user's OAuth 2.0 code (a token representing a right to access user data) without the user's knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.
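The abstract names the attack class but not its mechanics. The general countermeasure on the identity-provider side is the one RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security Best Current Practice call for: compare the requested `redirect_uri` with the registered value by exact string comparison, not by prefix or pattern. The example below is added for this page and is not the authors' code; the client registrations and request URIs are constructed. It shows which altered URIs a prefix policy lets through and an exact policy rejects, including cases where the alteration changes the host rather than the path.

```python
# Constructed, hypothetical client registrations; not taken from the paper.
REGISTERED_REDIRECT_URIS = {
    "rp-client": {"https://rp.example/oauth/callback"},
    "lax-client": {"https://rp.example"},  # registered as a bare origin, without a path
}


def prefix_match(client_id: str, redirect_uri: str) -> bool:
    """Lenient policy: accept any redirect_uri that merely starts with a registered value."""
    return any(redirect_uri.startswith(registered)
               for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Strict policy: plain string equality against the registered set, with no
    normalisation, case folding or path resolution."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def authorization_decision(client_id: str, redirect_uri: str, policy) -> tuple:
    """Authorization endpoint: decide whether to issue a code and where it will be sent.
    Returns (issued, destination); a rejected request must not redirect anywhere."""
    if not policy(client_id, redirect_uri):
        return (False, None)
    return (True, redirect_uri)


# Constructed requests: the first is the registered URI, the rest alter part of it.
SAMPLE_REQUESTS = [
    ("rp-client", "https://rp.example/oauth/callback"),
    ("rp-client", "https://rp.example/oauth/callback?next=https://attacker.example/"),
    ("rp-client", "https://rp.example/oauth/callback/../../open-redirect"),
    ("rp-client", "https://rp.example/oauth/callback#"),
    ("lax-client", "https://rp.example.attacker.example/collect"),   # different host
    ("lax-client", "https://rp.example@attacker.example/collect"),   # userinfo trick
]


def compare_policies(requests=SAMPLE_REQUESTS):
    """Evaluate each request under both policies; returns a list of
    (redirect_uri, accepted_by_prefix, accepted_by_exact) tuples."""
    return [(uri, prefix_match(cid, uri), exact_match(cid, uri)) for cid, uri in requests]
```

Exact matching only closes the provider side of the problem: an RP whose registered callback path hosts an open redirector still leaks the code, so the RP should also register the full callback URI and keep its handler free of user-controlled redirects.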
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.
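The abstract reports that every vulnerability found lets an attacker log in as the victim, but does not list which checks the RPs skipped. As an added example, not the paper's code, the following implements the ID token validation that OpenID Connect Core section 3.1.3.7 requires of an RP: a pinned signing algorithm (so an `alg: none` token is refused), signature verification, issuer, audience (with `azp` for multi-audience tokens), expiry and nonce. The audience check is the one that stops an ID token minted for some other RP from being accepted as a login at this one. Production OPs sign ID tokens with asymmetric keys published at a JWKS endpoint; this example uses HS256 keyed with the client secret, which OIDC Core section 10.1 also permits, so it runs offline. The issuer, client identifier, secret and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_id_token(claims: dict, client_secret: str) -> str:
    """Constructed stand-in for the OP: an ID token signed with HS256, keyed with the
    client secret (OIDC Core section 10.1)."""
    signing_input = _encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + _encode_segment(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """Attacker-crafted token with alg=none and an empty signature (constructed)."""
    return _encode_segment({"alg": "none", "typ": "JWT"}) + "." + _encode_segment(claims) + "."


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """RP-side validation. Raises ValueError on any failure; returns the verified claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; the token header must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected_sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued to this RP")  # someone else's ID token
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # replayed from another login attempt
    return claims


def id_token_accepted(token, client_secret, issuer, client_id, nonce, now=None) -> bool:
    """Boolean wrapper around validate_id_token (decode and JSON errors count as rejection)."""
    try:
        validate_id_token(token, client_secret, issuer, client_id, nonce, now)
        return True
    except (ValueError, TypeError, KeyError):
        return False
```

The nonce must be generated per login attempt and stored in the session the same way as `state`; checking it is what ties the returned ID token to the request this browser actually made.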
Automated Security Testing for Identity Management of Large-scale Digital Infrastructures
Ensuring the security of an organization's digital assets against cyber threats is critical in today's technology-driven world. Regular security testing is one of the measures that can help assess the effectiveness of security controls, identify vulnerabilities, and strengthen the overall cybersecurity posture. Identity Management (IdM) protocols such as Security Assertion Markup Language 2.0, OpenID Connect, and OAuth 2.0 play a crucial role in protecting against identity theft, fraud, and security breaches. Also, following the Best Current Practices introduced by the standards to enhance the security of IdM protocols is essential to minimize the risk of unauthorized access, data breaches, and other security threats and to maintain compliance with regulatory requirements, and build trust with users and stakeholders. However, deploying these protocols can be challenging due to the complexity in designing, developing and implementing cryptographic mechanisms. The implementation of IdM protocols encounters three significant obstacles: fragmented security information, rapidly evolving threat environment, and the need for a controlled testing environment. Security testers must stay up-to-date with emerging threats and establish an appropriate testing infrastructure to guarantee the security and robustness of IdM implementations, while also minimizing the possibility of security incidents that could adversely affect operations. Automated security testing plays a crucial role in addressing security concerns, particularly as the intricate functional aspects of IdM solutions contribute to their complexity. It is essential to prioritize automation to bridge the cybersecurity skills gap among IT professionals.
In this thesis, we propose Micro-Id-Gym (MIG), a framework that offers (i) an easy way to configure and reproduce the IdM production environment in a sandbox, allowing hands-on experience with potentially impactful security tests that may hinder the availability of services, and (ii) automatic security testing of IdM implementations together with suggestions for mitigations to avoid identified vulnerabilities. MIG provides a set of security testing tools for creating, executing, and analyzing security test cases through MIG-L, a declarative test specification language. We have evaluated the effectiveness of MIG by conducting experiments to assess its accuracy in supporting the detection of relevant vulnerabilities in implementations of IdM protocols. We utilized MIG to conduct security analyses across various corporate scenarios and projects, identifying vulnerabilities and responsibly disclosing them through bug bounty programs. Our findings were recognized by the providers, who awarded us both monetary compensation and public recognition. Overall, MIG can help organizations establish a robust and agile security testing strategy, supported by suitable infrastructure and testing procedures, that can ensure the security and resilience of their IdM implementations.
Resilient Risk based Adaptive Authentication and Authorization (RAD-AA) Framework
In recent cyber attacks, credential theft has emerged as one of the primary vectors of gaining entry into the system. Once attacker(s) have a foothold in the system, they use various techniques, including token manipulation, to elevate their privileges and access protected resources. This makes authentication and token-based authorization a critical component of a secure and resilient cyber system. In this paper we discuss the design considerations for such a secure and resilient authentication and authorization framework, capable of self-adapting based on risk scores and trust profiles. We compare this design with existing standards such as OAuth 2.0, OpenID Connect and SAML 2.0. We then study popular threat models such as STRIDE and PASTA and summarize the resilience of the proposed architecture against common and relevant threat vectors. We call this framework Resilient Risk based Adaptive Authentication and Authorization (RAD-AA). The proposed framework substantially increases the cost for an adversary to launch and sustain any cyber attack and provides much-needed strength to critical infrastructure. We also discuss the machine learning (ML) approach for the adaptive engine to accurately classify transactions and arrive at risk scores.
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.
Comment: 20 pages, 6 figures. arXiv admin note: substantial text overlap with arXiv:1801.0798
WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which are fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introduces a critical vulnerability.
PRIVACY ISSUES IN ONLINE SOCIAL NETWORKS: USER BEHAVIORS AND THIRD-PARTY APPLICATIONS
In contemporary society, social networking websites have developed dramatically and become an indispensable component of our daily lives. Because they help create a more feature-rich online social community, third-party services have been widely adopted in online social networks (OSNs). Integrating these third-party sites and applications has not only extended the business of both the social network operators and the third parties but also promises to break down the garden walls of social-networking sites. At the same time, it dramatically raises concerns about privacy leakage. This article focuses on the privacy disclosure issues caused by users' behaviour and by third-party applications and websites. On the one hand, because of the diversity of usage behaviours, the revelation of personal information varies significantly; a survey is conducted to present empirical and quantitative results. On the other hand, the access mechanism between the OSN and the third party is not perfect, and third-party services that act as advertisers and information aggregators of a user's traversals can be a further source of privacy leakage. The relevant reasons and the internal and external threats are presented. Finally, possible solutions to reduce the increasing information disclosure are provided. Actions should be taken along three fronts: the government, the users themselves, and the third parties.