• DocumentCode
    2947792
  • Title
    Discovering Concrete Attacks on Website Authorization by Formal Analysis
  • Author
    Bansal, Cheenu ; Bhargavan, Karthikeyan ; Maffeis, S.
  • fYear
    2012
  • fDate
    25-27 June 2012
  • Firstpage
    247
  • Lastpage
    262
  • Abstract
    Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter, and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web application vulnerabilities, such as cross-site request forgery and open redirectors. We model several configurations of the OAuth 2.0 protocol in the applied pi-calculus and verify them using ProVerif. Our models rely on WebSpi, a new library for modeling web applications and web-based attackers that is designed to help discover concrete website attacks. Our approach is validated by finding dozens of previously unknown vulnerabilities in popular websites such as Yahoo and WordPress, when they connect to social networks such as Twitter and Facebook.
  • Keywords
    application program interfaces; cryptographic protocols; social networking (online); API; Facebook; Google; OAuth 2.0 authorization protocol; ProVerif; Twitter; Web-based attackers; WebSpi; Website authorization; WordPress; Yahoo; concrete attacks; formal analysis; malicious Websites; pi-calculus; social networks; social sharing; social sign-on; Authorization; Browsers; Facebook; Protocols; Servers; Attacks; Authentication; Authorization; Formal Analysis; Security Protocols; Web Application Security
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Foundations Symposium (CSF), 2012 IEEE 25th
  • Conference_Location
    Cambridge, MA
  • ISSN
    1940-1434
  • Print_ISBN
    978-1-4673-1918-8
  • Electronic_ISBN
    1940-1434
  • Type
    conf
  • DOI
    10.1109/CSF.2012.27
  • Filename
    6266164