
The Full Gamut of an Attack: An Empirical Analysis of OAuth CSRF in the Wild

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12756))

Abstract

OAuth 2.0 is a popular, industry-standard protocol. To date, several attack classes and the corresponding countermeasures have been proposed. However, despite the available guidelines and best practices, current implementations are still vulnerable and error-prone. In this research, we focus on OAuth Cross-Site Request Forgery (OCSRF) as an overlooked attack scenario.

We studied one of the most recurrent types of OCSRF attack by proposing several novel attack strategies that depend on the state of the victim's browser. To validate them, we designed a repeatable methodology and conducted a large-scale analysis of 314 high-ranked sites to assess the prevalence of OCSRF vulnerabilities. Our automated crawler found that about 36% of the targeted sites are still vulnerable, and the novel attack strategies detected about 20% more well-hidden vulnerable sites. Although our experiment revealed a significant increase in the number of sites with OCSRF protection compared to past large-scale analyses, over one-fourth are still vulnerable to at least one of the proposed attack strategies.
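The abstract does not describe the mitigation itself, so the following is an added illustration (not code from the paper or its crawler) of the defect the study measures: an OAuth client callback that redeems an authorization code without binding it to the user's session, next to the hardened form that mints, checks and consumes the `state` parameter recommended by RFC 6749 section 10.12. The endpoint, client id and redirect URI are constructed placeholders, and the session is modelled as a plain dict.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client configuration for this example (not a real deployment).
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/callback"


def build_authorize_url(session: dict) -> str:
    """Start the Authorization Code flow: mint a fresh, unguessable state,
    bind it to the user's session and carry it in the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(query)}"


def callback_vulnerable(session: dict, callback_url: str) -> Optional[str]:
    """Vulnerable client: redeems whatever code arrives. A callback URL that
    reaches the victim's browser from elsewhere is accepted exactly like one
    the victim initiated, which is the OCSRF condition the study measures."""
    params = parse_qs(urlparse(callback_url).query)
    return params.get("code", [None])[0]


def callback_hardened(session: dict, callback_url: str) -> Optional[str]:
    """Hardened client: accept the code only if the callback echoes the state
    bound to this session, and consume the state so it is single-use."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # consumed on first use
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, received):
        return None   # reject: missing, unknown or replayed state
    return params.get("code", [None])[0]
```

In a real client the session is the server-side session tied to the user's cookie, and the returned code is then exchanged at the token endpoint; the state check must happen before that exchange.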



Correspondence to Elham Arshad.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Benolli, M., Mirheidari, S.A., Arshad, E., Crispo, B. (2021). The Full Gamut of an Attack: An Empirical Analysis of OAuth CSRF in the Wild. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9

  • eBook Packages: Computer Science (R0)