More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations

Authors: Ethan Shernan, Henry Carter, Dave Tian, Patrick Traynor, Kevin Butler

DOI: 10.1007/978-3-319-20550-2_13

Keywords: Implementation, Cross-site request forgery, Computer science, Vulnerability, Computer security, Variety (cybernetics), User agent, Identity (object-oriented programming), Internet privacy, Identity provider, Web application

Abstract: … We show that only four out of thirteen such providers force CSRF protections as part of their APIs… that 25% do not implement standard CSRF protections and appear vulnerable to attack. …
