
More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations

Conference paper, in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9148)

Abstract

OAuth 2.0 provides an open framework for the authorization of users across the web. While the standard enumerates mandatory security protections for a variety of attacks, many embodiments of this standard allow these protections to be optionally implemented. In this paper, we analyze the extent to which one particularly dangerous vulnerability, Cross-Site Request Forgery (CSRF), exists in real-world deployments. We crawl the Alexa Top 10,000 domains, and conservatively identify that 25% of websites using OAuth appear vulnerable to CSRF attacks. We then perform an in-depth analysis of four high-profile case studies, which reveal not only weaknesses in sample code provided in SDKs, but also inconsistent implementation of protections among services provided by the same company. From these data points, we argue that protection against known and sometimes subtle security vulnerabilities cannot simply be thrust upon developers as an option, but instead must be strongly enforced by Identity Providers before allowing web applications to connect.
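The abstract does not name the optional protection it refers to; the CSRF defense OAuth 2.0 specifies for clients is binding the authorization request to the user agent session with the `state` parameter (RFC 6749 §10.12). The following is an added example, not code from the paper or from any of the studied deployments: a minimal model of a relying party's callback handler in which `enforce_state=False` stands in for the noncompliant deployments described above and `enforce_state=True` is the compliant form. All endpoints, client identifiers and authorization codes are constructed placeholders, and the session store is an in-memory dictionary.

```python
"""Model of an OAuth 2.0 client (relying party) callback handler, with and
without the `state` check. Added example; endpoints, identifiers and codes
are constructed placeholders, not real values."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real endpoints.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://rp.example/oauth/callback"


class RelyingParty:
    """Server side of an OAuth 2.0 web client. enforce_state=False models a
    deployment that treats the state check as optional and omits it."""

    def __init__(self, enforce_state=True):
        self.enforce_state = enforce_state
        self.sessions = {}      # session id -> server-side session data
        self.linked_codes = {}  # session id -> authorization code accepted

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {}
        return sid

    def start_authorization(self, sid):
        """Build the redirect to the IdP; bind a fresh state to this session."""
        state = secrets.token_urlsafe(32)
        self.sessions[sid]["oauth_state"] = state
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "profile",
            "state": state,
        }
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, sid, callback_url):
        """Process the redirect back to REDIRECT_URI. Returns True if the code
        was accepted and bound to the session, False if it was rejected."""
        query = parse_qs(urlparse(callback_url).query)
        code = query.get("code", [None])[0]
        if code is None:
            return False
        if self.enforce_state:
            # Single use: the expected value is removed so a replay also fails.
            expected = self.sessions[sid].pop("oauth_state", None)
            received = query.get("state", [None])[0]
            if expected is None or received is None:
                return False
            if not hmac.compare_digest(expected.encode(), received.encode()):
                return False
        self.linked_codes[sid] = code
        return True


def legitimate_flow(enforce_state=True):
    """User starts at the RP, is redirected to the IdP, and returns carrying
    the state the RP issued. Accepted with or without enforcement."""
    rp = RelyingParty(enforce_state)
    sid = rp.new_session()
    state = parse_qs(urlparse(rp.start_authorization(sid)).query)["state"][0]
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'code-for-victim', 'state': state})}"
    return rp.handle_callback(sid, callback)


def forged_callback_accepted(enforce_state):
    """A callback URL the user never requested (constructed, carrying a code
    that is not theirs and no matching state) is loaded in the victim's
    logged-in session. True means the RP wrongly binds that code to them."""
    rp = RelyingParty(enforce_state)
    victim_sid = rp.new_session()  # the victim never started an authorization
    forged = f"{REDIRECT_URI}?{urlencode({'code': 'code-not-for-victim'})}"
    return rp.handle_callback(victim_sid, forged)


def replay_rejected():
    """The same (code, state) pair presented twice is rejected the second time."""
    rp = RelyingParty(enforce_state=True)
    sid = rp.new_session()
    state = parse_qs(urlparse(rp.start_authorization(sid)).query)["state"][0]
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'code-for-victim', 'state': state})}"
    first = rp.handle_callback(sid, callback)
    second = rp.handle_callback(sid, callback)
    return first and not second


if __name__ == "__main__":
    print("legitimate flow accepted:", legitimate_flow())
    print("forged callback accepted, no state check:", forged_callback_accepted(False))
    print("forged callback accepted, state check on:", forged_callback_accepted(True))
    print("replay rejected:", replay_rejected())
```

The design points worth noting: the state is generated with a CSPRNG, stored server-side rather than trusted from the request, compared in constant time, and consumed on first use. A deployment that omits the check (the `enforce_state=False` branch) accepts any callback that carries a code, which is exactly the condition an unauthenticated cross-site request can satisfy.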



Acknowledgements

This work is based upon work supported by the U.S. National Science Foundation under grant numbers CNS-1118046, CNS-1245198, and CNS-1464087.

Author information

Corresponding author: Henry Carter.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Shernan, E., Carter, H., Tian, D., Traynor, P., Butler, K. (2015). More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science, vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_13

  • DOI: https://doi.org/10.1007/978-3-319-20550-2_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-20549-6

  • Online ISBN: 978-3-319-20550-2

  • eBook Packages: Computer Science (R0)
