Mitigating CSRF attacks on OAuth 2.0 Systems
Many millions of users routinely use Google, Facebook and Microsoft to log in to websites supporting OAuth 2.0 and/or OpenID Connect. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance. Unfortunately, as previous studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new and practical technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Index Terms: OAuth 2.0, OpenID Connect, CSRF
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to
relying party (RP) websites supporting the Google OpenID Connect service.
OpenID Connect, a newly standardised single-sign-on protocol, builds an
identity layer on top of the OAuth 2.0 protocol, which has itself been widely
adopted to support identity management services. It adds identity management
functionality to the OAuth 2.0 system and allows an RP to obtain assurances
regarding the authenticity of an end user. A number of authors have analysed
the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in
practice remains an open question. We report on a large-scale practical study
of Google's implementation of OpenID Connect, involving forensic examination of
103 RP websites which support its use for sign-in. Our study reveals serious
vulnerabilities of a number of types, all of which allow an attacker to log in
to an RP website as a victim user. Further examination suggests that these
vulnerabilities are caused by a combination of Google's design of its OpenID
Connect service and RP developers making design decisions which sacrifice
security for simplicity of implementation. We also give practical
recommendations for both RPs and OPs to help improve the security of real-world
OpenID Connect systems.
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
Millions of users routinely use Google to log in to websites supporting OAuth
2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is
therefore of critical importance. As revealed in previous studies, in practice
RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and
OpenID Connect systems are vulnerable to attack. However, users of such flawed
systems are typically unaware of these issues, and so are at risk of attacks
which could result in unauthorised access to the victim user's account at an
RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0
and OpenID Connect vulnerability scanner and protector, that works with RPs
using Google OAuth 2.0 and OpenID Connect services. It protects user security
and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect
correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting
Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect
security and privacy vulnerabilities, of which one has not previously been
described in the literature. Of the 137 sites in our study that employ Google
Sign-in, 69 were found to suffer from at least one serious vulnerability.
OAuthGuard was able to protect user security and privacy for 56 of these 69
RPs, and for the other 13 was able to warn users that they were using an
insecure implementation.
Comment: 20 pages, 6 figures. arXiv admin note: substantial text overlap with
arXiv:1801.0798
Resilient Risk based Adaptive Authentication and Authorization (RAD-AA) Framework
In recent cyber attacks, credential theft has emerged as one of the primary
vectors of gaining entry into the system. Once attacker(s) have a foothold in
the system, they use various techniques including token manipulation to elevate
the privileges and access protected resources. This makes authentication and
token based authorization a critical component for a secure and resilient cyber
system. In this paper we discuss the design considerations for such a secure
and resilient authentication and authorization framework capable of
self-adapting based on the risk scores and trust profiles. We compare this
design with the existing standards such as OAuth 2.0, OpenID Connect and SAML
2.0. We then study popular threat models such as STRIDE and PASTA and summarize
the resilience of the proposed architecture against common and relevant threat
vectors. We call this framework Resilient Risk based Adaptive Authentication
and Authorization (RAD-AA). The proposed framework substantially increases the
cost for an adversary to launch and sustain any cyber attack and provides
much-needed strength to critical infrastructure. We also discuss the machine
learning (ML) approach for the adaptive engine to accurately classify
transactions and arrive at risk scores.
Automated Security Testing for Identity Management of Large-scale Digital Infrastructures
Ensuring the security of an organization's digital assets against cyber threats is critical in today's technology-driven world. Regular security testing is one of the measures that can help assess the effectiveness of security controls, identify vulnerabilities, and strengthen the overall cybersecurity posture. Identity Management (IdM) protocols such as Security Assertion Markup Language 2.0, OpenID Connect, and OAuth 2.0 play a crucial role in protecting against identity theft, fraud, and security breaches. Also, following the Best Current Practices introduced by the standards to enhance the security of IdM protocols is essential to minimize the risk of unauthorized access, data breaches, and other security threats and to maintain compliance with regulatory requirements, and build trust with users and stakeholders. However, deploying these protocols can be challenging due to the complexity in designing, developing and implementing cryptographic mechanisms. The implementation of IdM protocols encounters three significant obstacles: fragmented security information, rapidly evolving threat environment, and the need for a controlled testing environment. Security testers must stay up-to-date with emerging threats and establish an appropriate testing infrastructure to guarantee the security and robustness of IdM implementations, while also minimizing the possibility of security incidents that could adversely affect operations. Automated security testing plays a crucial role in addressing security concerns, particularly as the intricate functional aspects of IdM solutions contribute to their complexity. It is essential to prioritize automation to bridge the cybersecurity skills gap among IT professionals.
In this thesis, we propose Micro-Id-Gym (MIG), a framework that offers (i) an easy way to configure and reproduce the IdM production environment in a sandbox, allowing hands-on experience with potentially impactful security tests that may hinder availability of services, and (ii) automatic security testing of IdM implementations together with suggestions for mitigations to avoid identified vulnerabilities. MIG provides a set of security testing tools for creating, executing, and analyzing security test cases through MIG-L, a declarative test specification language. We have evaluated the effectiveness of MIG by conducting experiments to assess its accuracy in supporting detection of relevant vulnerabilities in the implementation of IdM protocols. We utilized MIG to conduct security analyses across various corporate scenarios and projects, identifying vulnerabilities and responsibly disclosing them through bug bounty programs. Our findings were recognized by the providers, who awarded us both monetary compensation and public recognition. Overall, MIG can help organizations establish a robust and agile security testing strategy, supported by suitable infrastructure and testing procedures, that can ensure the security and resilience of their IdM implementations.
Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign-on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user's OAuth 2.0 code (a token representing a right to access user data) without the user's knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.
WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which are fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introduces a critical vulnerability.
Modelling escalation of attacks in federated identity management
PhD Thesis
Federated Identity Management (FIM) is an increasingly prevalent method for authenticating
users online. FIM offloads the authentication burden from a Service Provider (SP) to an Identity
Provider (IdP) that the SP trusts. The different entities involved in the FIM process are referred
to as stakeholders. The benefits of FIM to stakeholders are clear, such as the ability for users to
use Single Sign-On. However, the security of FIM also has to be evaluated. Attacks on one point in
a FIM system can lead to other attacks being possible, and detecting those attacks can be hard just
from modelling the functionality of the FIM system. Attacks in which the effect of one attack can
become the cause for another attack are referred to in this thesis as escalating attacks. The
overall research question this thesis revolves around is: how can we model escalating attacks to
detect attacks which are possible through an adversary first launching another attack, and present
the causality of attacks to the FIM stakeholders involved?
This thesis performs a survey of existing attacks in FIM. We categorise attacks on FIM using a
taxonomy of our own design. This survey is the first attempt at categorising attacks that target
FIM using a taxonomy. Some attacks can have an effect that causes another attack to be possible in
ways that are difficult to predict. We consider a case study involving OAuth 2.0 (provided by
existing literature), as a basis for modelling attack escalation.
We then seek to present a language for modelling FIM systems and attacker manipulations on those
systems. We find that FIM systems can be generalised for the purpose of a programmatic logical
analysis. In addition, attacker manipulations on a system can be broken down using an existing
conceptual framework called Malicious and Accidental Fault Tolerance (MAFTIA).
Using a generalised FIM system model and MAFTIA, we can express a complex interlinking of attacks
informed by case studies in FIM security analysis. This is the first attempt to model FIM systems
generally and apply logical analysis to that model.
Finally, we show how causality of attacks can be analysed using attack trees. We find that any
solutions to an escalating attack can be expressed using a tree model which conforms to existing
research on attack trees. Our approach is the first attempt at modelling attacks on FIM systems
through the use of attack trees. We consider stakeholder attribution and cost analysis as concrete
methods for analysing attack trees.