Security Issues in OAuth 2.0 SSO Implementations

Authors: Wanpeng Li, Chris J. Mitchell

DOI: 10.1007/978-3-319-13257-0_34

Keywords:

Abstract: Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different identity providers, giving users a choice of trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to its security in practice. In this paper we report on a detailed study of the OAuth 2.0 implementations of ten major identity providers and 60 relying parties, all based in China. This reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user's accounts at a relying party without knowing the victim's account name or password. We provide simple, practical recommendations for relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.
