Journal on Communications (通信学报) ›› 2019, Vol. 40 ›› Issue (6): 40-50. doi: 10.11959/j.issn.1000-436x.2019144

• Special Topic: Network Attack, Defense and Security Measurement •

Account hijacking attack threat detection for OAuth2.0 authorization service APIs

刘奇旭1,2, 邱凯丽1,2, 王乙文1,2, 陈艳辉1,2, 陈浪平1,2, 刘潮歌1,2

  1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
  2 School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049
  • Revised: 2019-05-22 Online: 2019-06-01 Published: 2019-07-04
  • About the authors: LIU Qixu (1984- ), male, born in Xuzhou, Jiangsu, Ph.D., associate research fellow at the Institute of Information Engineering, Chinese Academy of Sciences, and associate professor at the University of Chinese Academy of Sciences; his main research interests are network attack and defense techniques and network security evaluation. | QIU Kaili (1996- ), female, of Tujia ethnicity, born in Zhangjiajie, Hunan, master's student at the University of Chinese Academy of Sciences; her main research interest is network attack and defense techniques. | WANG Yiwen (1996- ), male, born in Huzhou, Zhejiang, master's student at the University of Chinese Academy of Sciences; his main research interest is network attack and defense techniques. | CHEN Yanhui (1996- ), male, born in Weifang, Shandong, Ph.D. student at the University of Chinese Academy of Sciences; his main research interest is network attack and defense techniques. | CHEN Langping (1995- ), male, born in Shaoxing, Zhejiang, master's student at the University of Chinese Academy of Sciences; his main research interest is network attack and defense techniques. | LIU Chaoge (1986- ), male, born in Changchun, Jilin, Ph.D., assistant research fellow at the Institute of Information Engineering, Chinese Academy of Sciences, and lecturer at the University of Chinese Academy of Sciences; his main research interests are network attack tracing and attribution, Web security, and cyber deception.
  • Supported by:
    National Key Research and Development Program of China (2016YFB0801604); National Key Research and Development Program of China (2016QY08D1602); Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences Program; Beijing Key Laboratory of Network Security and Protection Technology Program

Account hijacking threat attack detection for OAuth2.0 authorization API

LIU Qixu1,2, QIU Kaili1,2, WANG Yiwen1,2, CHEN Yanhui1,2, CHEN Langping1,2, LIU Chaoge1,2

  1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  2 School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
  • Revised: 2019-05-22 Online: 2019-06-01 Published: 2019-07-04
  • Supported by:
    The National Key Research and Development Program of China (2016YFB0801604); The National Key Research and Development Program of China (2016QY08D1602); Key Laboratory of Network Assessment Technology at Chinese Academy of Sciences Program; Beijing Key Laboratory of Network Security and Protection Technology Program

Abstract:

While the OAuth2.0 authorization protocol simplifies user login to third-party applications, it also carries the risk of leaking users' private data and can even lead to user accounts being hijacked by attackers. By analyzing the weak points of the OAuth2.0 protocol, an account hijacking attack model centered on the authorization code was constructed; a vulnerable application programming interface (API) identification method based on differential traffic analysis and an account hijacking attack verification method based on monitoring of authorization and authentication network traffic were proposed; and OScan, an account hijacking attack threat detection framework for OAuth2.0 authorization service APIs, was designed and implemented. Large-scale testing of the 3 853 authorization service APIs actually deployed on the Alexa top 10 000 websites found 360 vulnerable APIs. Further verification found that 80 websites were exposed to account hijacking attacks. Compared with similar tools, OScan has clear advantages in the comprehensiveness of identity provider (IdP) coverage, the number of relying parties (RP) detected, and the completeness of threat detection.

Keywords: OAuth2.0 protocol, application programming interface, account hijacking, third-party application

Abstract:

The OAuth2.0 protocol has been widely adopted to simplify user login to third-party applications, but at the same time it carries the risk of leaking user privacy data and, even worse, of user accounts being hijacked. An account hijacking attack model around the authorization code was built by analyzing the vulnerabilities of the OAuth2.0 protocol. A vulnerable API identification method based on differential traffic analysis and an account hijacking verification method based on authorization and authentication traffic monitoring were proposed. An account hijacking attack threat detection framework for OAuth2.0 authorization APIs, OScan, was designed and implemented. Through large-scale detection of the 3 853 authorization APIs deployed on the Alexa top 10 000 websites, 360 vulnerable APIs were discovered. Further verification showed that 80 websites were exposed to account hijacking attacks. Compared with similar tools, OScan has significant advantages in the coverage of identity providers (IdP), the number of detected relying parties (RP), and the completeness of threat detection.

Key words: OAuth2.0 protocol, application programming interface, account hijacking, third-party application

CLC number:

  • TP309.5