Discovering Concrete Attacks on Website Authorization by Formal Analysis

Abstract: Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter, and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web application vulnerabilities, such as cross-site request forgery and open redirectors. We model several configurations of the OAuth 2.0 protocol in the applied pi-calculus and verify them using ProVerif. Our models rely on WebSpi, a new library for modeling web applications and web-based attackers that is designed to help discover concrete website attacks. Our approach is validated by finding dozens of previously unknown vulnerabilities in popular websites such as Yahoo and WordPress, when they connect to social networks such as Twitter and Facebook.
Document type:
Conference paper
25th IEEE Computer Security Foundations Symposium (CSF'12), 2012, Cambridge, MA, United States. pp.247--262, 2012

Cited literature [28 references]

https://hal.inria.fr/hal-00863385
Contributor: Ben Smyth
Submitted on: Wednesday 18 September 2013 - 17:37:47
Last modified on: Friday 25 May 2018 - 12:02:06
Long-term archiving on: Friday 20 December 2013 - 15:02:11

File

discovering_concrete_attacks_c...
Files produced by the author(s)

Identifiers

  • HAL Id : hal-00863385, version 1

Citation

Chetan Bansal, Karthikeyan Bhargavan, Sergio Maffeis. Discovering Concrete Attacks on Website Authorization by Formal Analysis. 25th IEEE Computer Security Foundations Symposium (CSF'12), 2012, Cambridge, MA, United States. pp.247--262, 2012. 〈hal-00863385〉

Metrics

Record views: 154

File downloads: 542