A comprehensive formal security analysis of OAuth 2.0

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 24-28-October-2016, Issue , 2016, Pages 1204-1215

  Fett, Daniel ^a   Küsters, Ralf ^a   Schmitz, Guido ^a  

^a UNIVERSITY OF TRIER   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

FORMAL METHODS;

BEST PRACTICES; FORMAL ANALYSIS; FORMAL DEFINITION; FORMAL SECURITY ANALYSIS; IDENTITY PROVIDERS; MODEL AND ANALYSIS; RESOURCE OWNERS; WEB FEATURES;

AUTHENTICATION;

EID: 84995458933     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2976749.2978385     Document Type: Conference Paper

References (39)

1. M. Abadi and C. Fournet. Mobile Values, New Names, and Secure Communication. In POPL 2001, pages 104-115. ACM Press, 2001.
2. D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song. Towards a Formal Foundation of Web Security. In CSF 2010, pages 290-304. IEEE Computer Society, 2010.
3. A. Armando, R. Carbone, L. Compagna, J. Cuéllar, G. Pellegrino, and A. Sorniotti. An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations. Computers & Security, 33:41-58, 2013. Elsevier, 2013.
4. A. Armando, R. Carbone, L. Compagna, J. Cuéllar, and M. L. Tobarra. Formal Analysis of SAML 2.0 Web Browser Single Sign-on: Breaking the SAML-based Single Sign-on for Google Apps. In FMSE 2008, pages 1-10. ACM, 2008.
5. C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis. Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage. In POST 2013, volume 7796 of LNCS, pages 126-146. Springer, 2013.
6. C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis. Discovering Concrete Attacks on Website Authorization by Formal Analysis. Journal of Computer Security, 22(4):601-657, 2014. IOS Press, 2014.
7. A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In CCS 2008, pages 75-88. ACM, 2008.
8. J. Bradley, T. Lodderstedt, and H. Zandbelt. Encoding claims in the OAuth 2 state parameter using a JWT - draft-bradley-oauth-jwt-encoded-state-05. IETF. Dec. 2015. https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-05.
9. S. Chari, C. S. Jutla, and A. Roy. Universally Composable Security Analysis of OAuth v2.0. IACR Cryptology ePrint Archive, 2011:526, 2011.
10. E. Y. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague. OAuth Demystified for Mobile Application Developers. In CCS 2014, pages 892-903, 2014.
11. Chromium Project. HSTS Preload Submission. https://hstspreload.appspot.com/.
12. Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014. http://www.w3.org/TR/2014/REC-cors-20140116/.
13. J. Eisinger and E. Stark. Referrer Policy - Editor's Draft, 28 March 2016. W3C. Mar. 2016. https://w3c.github.io/webappsec-referrer-policy/.
14. D. Fett, R. Küsters, and G. Schmitz. An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System. In S&P 2014, pages 673-688. IEEE Computer Society, 2014.
15. D. Fett, R. Küsters, and G. Schmitz. Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web. In ESORICS 2015, volume 9326 of LNCS, pages 43-65. Springer, 2015.
16. D. Fett, R. Küsters, and G. Schmitz. SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web. In CCS 2015, pages 1358-1369. ACM, 2015.
17. D. Fett, R. Küsters, and G. Schmitz. A Comprehensive Formal Security Analysis of OAuth 2.0. Technical Report arXiv:1601.01229, arXiv, 2016. Available at http://arxiv.org/abs/1601.01229.
18. R. Fielding (ed.) and J. Reschke (ed.). RFC7231 - Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. Jun. 2014. https://tools.ietf.org/html/rfc7231.
19. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, and L. Stewart. RFC2617 - HTTP Authentication: Basic and Digest Access Authentication. IETF. Jun. 1999. https://tools.ietf.org/html/rfc2617.
20. D. Hardt (ed.). RFC6749 - The OAuth 2.0 Authorization Framework. IETF. Oct. 2012. https://tools.ietf.org/html/rfc6749.
21. E. Homakov. How I hacked Github again, 7 February 2014. http://homakov. blogspot.de/2014/02/how-i-hacked-github-again. html.
22. M. Jones, J. Bradley, and N. Sakimura. OAuth 2.0 Mix-Up Mitigation - draft-ietf-oauth-mix-up-mitigation-01. IETF. Jul. 2016. https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01.
23. F. Kerschbaum. Simple Cross-Site Attack Prevention. In SecureComm 2007, pages 464-472. IEEE Computer Society, 2007.
24. A. Kumar. Using automated model analysis for reasoning about security of web protocols. In ACSAC 2012. ACM, 2012.
25. W. Li and C. J. Mitchell. Security issues in OAuth 2.0 SSO implementations. In ISC 2014, volume 8783 of LNCS, pages 529-541, 2014. Springer, 2014.
26. T. Lodderstedt (ed.), M. McGloin, and P. Hunt. RFC6819 - OAuth 2.0 Threat Model and Security Considerations. IETF. Jan. 2013. https://tools.ietf.org/html/rfc6819.
27. V. Mladenov, C. Mainka, J. Krautwald, F. Feldmann, and J. Schwenk. On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect. CoRR, abs/1508.04324v2, 2016.
28. Open Web Application Security Project (OWASP). Session fixation. https://www.owasp.org/index.php/Session-Fixation.
29. S. Pai, Y. Sharma, S. Kumar, R. M. Pai, and S. Singh. Formal Verification of OAuth 2.0 Using Alloy Framework. In CSNT 2011, pages 655-659. IEEE, 2011.
30. J. Richer (ed.). RFC7662 - OAuth 2.0 Token Introspection. IETF. Oct. 2015. https://tools.ietf.org/html/rfc7662.
31. N. Sakimura, J. Bradley, M. Jones, B. de Medeiros, and C. Mortimore. OpenID Connect Core 1.0 incorporating errata set 1. OpenID Foundation. Nov. 8, 2014. http://openid.net/specs/openid-connect-core-1-0.html.
32. J. Selvi. Bypassing HTTP Strict Transport Security. In Blackhat (Europe) 2014, 2014.
33. M. Shehab and F. Mohsen. Towards Enhancing the Security of OAuth Implementations in Smart Phones. In IEEE MS 2014. IEEE, 2014.
34. E. Shernan, H. Carter, D. Tian, P. Traynor, and K. R. B. Butler. More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In DIMVA 2015, volume 9148 of LNCS, pages 239-260. Springer, 2015.
35. SimilarTech. Facebook Connect Market Share and Web Usage Statistics. Last visited Nov. 7, 2015. https://www.similartech.com/technologies/facebook-connect.
36. S.-T. Sun and K. Beznosov. The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems. In CCS 2012, pages 378-390. ACM, 2012.
37. R. Wang, Y. Zhou, S. Chen, S. Qadeer, D. Evans, and Y. Gurevich. Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. In USENIX Security 2013, pages 399-314. USENIX Association, 2013.
38. R. Yang, G. Li, W. C. Lau, K. Zhang, and P. Hu. Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations. In AsiaCCS 2016, pages 651-662. ACM, 2016.
39. X. Zheng, J. Jiang, J. Liang, H. Duan, S. Chen, T. Wan, and N. Weaver. Cookies Lack Integrity: Real-World Implications. In USENIX Security 2015), pages 707-721, 2015. USENIX Association, 2015.