Abstract
OAuth 2.0 is a popular and industry-standard protocol. To date, different attack classes and relevant countermeasures have been proposed. However, despite the presence of guidelines and best practices, the current implementations are still vulnerable and error-prone. In this research, we focus on OAuth Cross-Site Request Forgery (OCSRF) as an overlooked attack scenario.
We studied one of the most recurrent types of OCSRF attacks by proposing several novel attack strategies based on different status of the victim browser. In order to validate them, we designed a repeatable methodology and conducted a large-scale analysis on 314 high-ranked sites to assess the prevalence of OCSRF vulnerabilities. Our automated crawler discovered about 36% of targeted sites are still vulnerable and detected about 20% more well-hidden vulnerable sites utilizing the novel attack strategies. Although our experiment revealed a significant increase in the number of OCSRF protection compared to the past scale analyses, over one-fourth are still vulnerable to at least one proposed attack strategy.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bai, G., et al.: Authscan: automatic extraction of web authentication protocols from implementations. In: NDSS (2013)
Bansal, C., Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis 1. J. Comput. Secur. 22(4), 601–657 (2014)
Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 75–88 (2008)
Calzavara, S., Focardi, R., Maffei, M., Schneidewind, C., Squarcina, M., Tempesta, M.: \(\{\)WPSE\(\}\): fortifying web protocols via browser-side security monitoring. In: 27th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2018), pp. 1493–1510 (2018)
Farooqi, S., Zaffar, F., Leontiadis, N., Shafiq, Z.: Measuring and mitigating oauth access token abuse by collusion networks. In: Proceedings of the 2017 Internet Measurement Conference, pp. 355–368 (2017)
Fett, D., Küsters, R., Schmitz, G.: SPRESSO: a secure, privacy-respecting single sign-on system for the web. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1358–1369. ACM (2015)
Fett, D., Küsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 2.0. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1204–1215. ACM (2016)
HackerOne: Hackerone bug bounty platform (2020). https://www.hackerone.com/
Hardt, D.: The OAuth 2.0 authorization framework. RFC 6749, RFC Editor, October 2012. http://www.rfc-editor.org/rfc/rfc6749.txt. http://www.rfc-editor.org/rfc/rfc6749.txt
Homakov, E.: The most common OAuth2 vulnerability. His Blog at (2012)
Kerschbaum, F.: Simple cross-site attack prevention. In: 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops-SecureComm 2007, pp. 464–472. IEEE (2007)
Li, F., et al.: You’ve got vulnerability: exploring effective vulnerability notifications. In: 25th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2016), pp. 1033–1050 (2016)
Li, W., Mitchell, C.J.: Security issues in OAuth 2.0 SSO implementations. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 529–541. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_34
Li, W., Mitchell, C.J., Chen, T.: Mitigating CSRF attacks on OAuth 2.0 and OpenID connect. arXiv preprint arXiv:1801.07983 (2018)
Li, W., Mitchell, C.J., Chen, T.: Oauthguard: protecting user security and privacy with OAuth 2.0 and OpenID connect. In: Proceedings of the 5th ACM Workshop on Security Standardisation Research Workshop, pp. 35–44 (2019)
Lodderstedt, T., Bradley, L.F.: draft-ietf-oauth-security-topics-15 (2020). https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15
Mirheidari, S.A., Arshad, S., Onarlioglu, K., Crispo, B., Kirda, E., Robertson, W.: Cached and confused: web cache deception in the wild. In: 29th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2020), pp. 665–682 (2020)
Mladenov, V., Mainka, C., Schwenk, J.: On the security of modern single sign-on protocols: second-order vulnerabilities in openid connect. arXiv preprint arXiv:1508.04324 (2015)
OAuth.net: User authentication with OAuth 2.0 (2020). https://oauth.net/articles/authentication/. Accessed 30 July 2020
Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of OAuth 2.0 using alloy framework. In: 2011 International Conference on Communication Systems and Network Technologies, pp. 655–659. IEEE (2011)
Shernan, E., Carter, H., Tian, D., Traynor, P., Butler, K.: More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 239–260. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_13
Stock, B., Pellegrino, G., Rossow, C., Johns, M., Backes, M.: Hey, you have a problem: on the feasibility of large-scale web vulnerability notification. In: 25th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2016), pp. 1015–1032 (2016)
Sudhodanan, A., Carbone, R., Compagna, L., Dolgin, N., Armando, A., Morelli, U.: Large-scale analysis & detection of authentication cross-site request forgeries. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 350–365. IEEE (2017)
Sumongkayothin, K., Rachtrachoo, P., Yupuech, A., Siriporn, K.: OVERSCAN: OAuth 2.0 scanner for missing parameters. In: Liu, J.K., Huang, X. (eds.) NSS 2019. LNCS, vol. 11928, pp. 221–233. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36938-5_13
Sun, S.T., Beznosov, K.: The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 378–390 (2012)
Lodderstedt, T.: OAuth 2.0 threat model and security considerations. RFC 6819, RFC Editor, January 2013. https://www.rfc-editor.org/rfc/rfc6819.txt. https://www.rfc-editor.org/rfc/rfc6819.txt
Wang, D.Y., Savage, S., Voelker, G.M.: Cloak and dagger: dynamics of web search cloaking. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 477–490 (2011)
Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through facebook and google: a traffic-guided security study of commercially deployed single-sign-on web services. In: 2012 IEEE Symposium on Security and Privacy, pp. 365–379. IEEE (2012)
Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., Gurevich, Y.: Explicating SDKS: uncovering assumptions underlying secure authentication and authorization. In: 22nd \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2013), pp. 399–314 (2013)
Yang, R., Li, G., Lau, W.C., Zhang, K., Hu, P.: Model-based security testing: an empirical study on OAuth 2.0 implementations. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 651–662 (2016)
Zhou, Y., Evans, D.: SSOScan: automated testing of web applications for single sign-on vulnerabilities. In: 23rd \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 2014), pp. 495–510 (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Benolli, M., Mirheidari, S.A., Arshad, E., Crispo, B. (2021). The Full Gamut of an Attack: An Empirical Analysis of OAuth CSRF in the Wild. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-80825-9_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80824-2
Online ISBN: 978-3-030-80825-9
eBook Packages: Computer ScienceComputer Science (R0)