
OVERSCAN: OAuth 2.0 Scanner for Missing Parameters

Conference paper in: Network and System Security (NSS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11928)

Abstract

Websites are developed rapidly and used widely around the world. The immense and growing number of internet users makes security controls on access to sensitive information necessary. The authorization server is the security component that controls access permissions to a system, and many protocols have been proposed to meet this requirement. The open-standard authorization protocol OAuth is one of the best-known and most widely used of these. However, many developers still misuse the protocol, which can lead to security breaches. This paper proposes a tool named OVERSCAN, an OAuth 2.0 scanner for misused or missing parameters. OVERSCAN was run against 45 samples supporting the OAuth 2.0 protocol. The results show that 84.4% of the samples lack significant parameters, which can cause security problems.





Corresponding author: Karin Sumongkayothin.


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Sumongkayothin, K., Rachtrachoo, P., Yupuech, A., Siriporn, K. (2019). OVERSCAN: OAuth 2.0 Scanner for Missing Parameters. In: Liu, J., Huang, X. (eds) Network and System Security. NSS 2019. Lecture Notes in Computer Science(), vol 11928. Springer, Cham. https://doi.org/10.1007/978-3-030-36938-5_13


  • DOI: https://doi.org/10.1007/978-3-030-36938-5_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-36937-8

  • Online ISBN: 978-3-030-36938-5
