Abstract
OAuth 2.0 provides an open framework for the authorization of users across the web. While the standard enumerates mandatory security protections for a variety of attacks, many embodiments of this standard allow these protections to be optionally implemented. In this paper, we analyze the extent to which one particularly dangerous vulnerability, Cross Site Request Forgery, exists in real-world deployments. We crawl the Alexa Top 10,000 domains, and conservatively identify that 25 % of websites using OAuth appear vulnerable to CSRF attacks. We then perform an in-depth analysis of four high-profile case studies, which reveal not only weaknesses in sample code provided in SDKs, but also inconsistent implementation of protections among services provided by the same company. From these data points, we argue that protection against known and sometimes subtle security vulnerabilities cannot simply be thrust upon developers as an option, but instead must be strongly enforced by Identity Providers before allowing web applications to connect.
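The CSRF protection the abstract refers to is the optional `state` parameter of the OAuth 2.0 authorization code flow (RFC 6749, Section 10.12): the relying party binds an unguessable value to the user's session before redirecting to the provider and refuses any callback that does not echo it back. The example below is added here to illustrate that check; it is not code from the paper, from any of the case-study SDKs, or from an Identity Provider. The endpoint URLs, client id and authorization code are constructed sample values, and `session` is a plain dict standing in for a server-side session store. It places the unprotected callback next to the hardened one so the difference is visible in a single run.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class StateMismatch(Exception):
    """Raised when a callback does not carry the state this session issued."""


def build_authorization_url(session, authorize_endpoint, client_id, redirect_uri, scope="basic"):
    """Relying-party side: begin the authorization code flow.

    A fresh, unguessable `state` is generated, stored in the user's session
    and sent to the provider, which returns it unchanged on the redirect back.
    That round trip is what lets the callback prove the response belongs to a
    flow this browser actually started.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # bound to this user's session only
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback_vulnerable(session, callback_url):
    """The pattern the paper measures: whatever `code` arrives is accepted and
    bound to the current session, with `state` never consulted. A callback
    URL reached from outside the legitimate flow is indistinguishable from a
    genuine one, which is exactly the CSRF exposure."""
    query = parse_qs(urlparse(callback_url).query)
    return query["code"][0]


def handle_callback(session, callback_url):
    """Hardened callback: accept the code only if `state` matches the value
    stored in this session, and consume the stored value so it is single-use."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # removed even on failure
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise StateMismatch("no state in session or in callback")
    if not hmac.compare_digest(expected, received):  # constant-time compare
        raise StateMismatch("state does not match this session")
    if "code" not in query:
        raise StateMismatch("callback carries no authorization code")
    return query["code"][0]


def run_scenarios():
    """Exercise both callbacks against a legitimate, a cross-session and a
    replayed callback. Returns a dict of outcomes so they can be asserted on."""
    authorize = "https://idp.example/authorize"        # constructed endpoint
    redirect = "https://rp.example/oauth/callback"      # constructed endpoint
    victim, other = {}, {}
    build_authorization_url(victim, authorize, "client-123", redirect)
    build_authorization_url(other, authorize, "client-123", redirect)

    genuine = f"{redirect}?code=AUTHCODE-1&state={victim['oauth_state']}"
    # A callback carrying another session's state: a genuine provider
    # response, but not one this browser's session initiated.
    foreign = f"{redirect}?code=AUTHCODE-2&state={other['oauth_state']}"

    results = {}
    # Unprotected version accepts the foreign callback without complaint.
    results["vulnerable_accepts_foreign"] = handle_callback_vulnerable(dict(victim), foreign) == "AUTHCODE-2"
    # Hardened version rejects it, accepts the genuine one, and refuses a replay.
    try:
        handle_callback(dict(victim), foreign)
        results["hardened_rejects_foreign"] = False
    except StateMismatch:
        results["hardened_rejects_foreign"] = True
    results["hardened_accepts_genuine"] = handle_callback(victim, genuine) == "AUTHCODE-1"
    try:
        handle_callback(victim, genuine)
        results["hardened_rejects_replay"] = False
    except StateMismatch:
        results["hardened_rejects_replay"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The `state` value must be unpredictable and per-session, which is why it comes from `secrets` rather than a counter or timestamp, and it is popped from the session before the comparison so that a failed attempt cannot be retried against the same value. Frameworks that offer `state` as an optional argument leave both the generation and this check to the developer; the paper's point is that an Identity Provider that simply rejected authorization requests lacking `state` would remove that choice.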
Acknowledgements
This work is based upon work supported by the U.S. National Science Foundation under grant numbers CNS-1118046, CNS-1245198, and CNS-1464087.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Shernan, E., Carter, H., Tian, D., Traynor, P., Butler, K. (2015). More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science(), vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_13
DOI: https://doi.org/10.1007/978-3-319-20550-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20549-6
Online ISBN: 978-3-319-20550-2