面向OAuth2.0授权服务API的账号劫持攻击威胁检测

doi:10.11959/j.issn.1000-436x.2019144

Abstract

Abstract:

OAuth2.0 protocol has been widely adopted to simplify user login to third-party applications,at the same time,existing risk of leaking user privacy data,what even worse,causing user accounts to be hijacked.An account hijacking attack model around authorization code was built by analyzing the vulnerabilities of the OAuth2.0 protocol.A vulnerable API identification method based on differential traffic analysis and an account hijacking verification method based on authorized authentication traffic monitoring was proposed.An account hijacking attack threat detection framework OScan for OAuth2.0 authorization API was designed and implemented.Through a large-scale detection of the 3 853 authorization APIs deployed on the Alexa top 10 000 websites,360 vulnerable APIs were discovered.The further verification showed that 80 websites were found to have threat of account hijacking attack.Compared with similar tools,OScan has significant advantages in covering the number of identity provider,the number of detected relying party,as well as the integrity of risk detection.

Key words: OAuth2.0 protocol, application programming interface, account hijacking, the third-party application

CLC Number:

TP309.5

LIU Qixu,QIU Kaili,WANG Yiwen,CHEN Yanhui,CHEN Langping,LIU Chaoge. Account hijacking threat attack detection for OAuth2.0 authorization API[J]. Journal on Communications, 2019, 40(6): 40-50.

Figures/Tables 11

References 27

[1]	ZUO C , ZHAO Q , LIN Z . Authscope:towards automatic discovery of vulnerable authorizations in online services[C]// The 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 53-68.
[2]	HARDT D . The OAuth 2.0 authorization framework[Z]. RFC6749, 2012.
[3]	BANSAL C , BHARGAVAN K , DELIGNAT-LAVAUD A ,et al. Discovering concrete attacks on website authorization by formal analysis[J]. Journal of Computer Security, 2014,22(4): 601-657.
[4]	FETT D , KUSTERS R , SCHMITZ G.A . comprehensive formal security analysis of OAuth 2.0[C]// The 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016: 1204-1215.
[5]	FERRY E , O RAW J , CURRAN K . Security evaluation of the OAuth 2.0 framework[J]. Information ＆ Computer Security, 2015,23(1): 73-101.
[6]	魏成坤, 刘向东, 石兆军 . 基于 OAuth2.0 的认证授权技术研究[J]. 信息网络安全, 2016(9): 6-11.
	WEI C K , LIU X D , SHI Z J . Optimization method for OAuth2.0 protocol[J]. Netinfo Security, 2016(9): 6-11.
[7]	魏成坤, 刘向东, 石兆军 . 基于OAuth2.0协议的安全性形式化分析[J]. 计算机工程与设计, 2016,37(7): 1746-1751.
	WEI C K , LIU X D , SHI Z J . Security formal verification of OAuth2.0 protocol[J]. Computer Engineering and Design, 2016,37(7): 1746-1751.
[8]	王焕孝, 顾纯祥, 郑永辉 . 开放授权协议OAuth2.0的安全性形式化分析[J]. 信息工程大学学报, 2014,15(2): 141-147.
	WANG H X , GU C X , ZHENG Y H . Formal security analysis of OAuth2.0 authorization protocol[J]. Journal of Information Engineering University, 2014,15(2): 141-147.
[9]	郭丞乾, 蔡权伟, 林璟锵 ,等. 单点登录协议实现的安全分析[J]. 信息安全研究, 2019,5(1): 59-67.
	GUO C Q , CAI Q W , LIN J J ,et al. Security analysis on the implementations of single-sign-on protocols[J]. Journal of Information Security Research, 2019,5(1): 59-67.
[10]	CHARI S , JUTLA C S , ROY A . Universally composable security analysis of OAuth v2.0[J].,2011:526. IACR Cryptology ePrint Archive, 2011,:526.
[11]	WANG R , ZHOU Y , CHEN S ,et al. Explicating SDKs:uncovering assumptions underlying secure authentication and authorization[C]// The 22nd USENIX Conference on Security. USENIX Association, 2013: 399-314.
[12]	YANG R , LAU W C , CHEN J ,et al. Vetting single sign-on implementations via symbolic reasoning[C]// The 27th USENIX Security Symposium (USENIX Security 18). USENIX, 2018: 1459-1474.
[13]	SHERNAN E , CARTER H , TIAN D ,et al. International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment0 implementations[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment. 2015: 239-260.
[14]	LI W , MITCHELL C J . Security issues in OAuth 2.0 SSO implementations[C]// International Conference on Information Security. 2014: 529-541.
[15]	王丹磊, 李长军, 赵磊 ,等. OAuth2.0协议在Web部署中的安全性分析与威胁防范[J]. 武汉大学学报(理学版), 2016,62(5): 411-417.
	WANG D L , LI C J , ZHAO L ,et al. Security analysis and vulnerability management of OAuth 2.0 on Web deployment[J]. Journal of Whhan University (Natural Science Edition), 2016,62(5): 411-417.
[16]	QIU K , LIU Q , LIU J ,et al. An empirical study of OAuth-based SSO system on Web[C]// International Conference on Wireless Algorithms,Systems,and Applications. 2018: 400-411.
[17]	MAINKA C , MLADENOV V , SCHWENK J . Do not trust me:using malicious IdPs for analyzing and attacking single sign-on[C]// 2016 IEEE European Symposium on Security and Privacy (EuroS＆P). IEEE, 2016: 321-336.
[18]	GHASEMISHARIF M , RAMESH A , CHECKOWAY S ,et al. O single sign-off,where art thou? An empirical analysis of single sign-on account hijacking and session management on the web[C]// The 27th USENIX Security Symposium (USENIX Security 18). USENIX, 2018: 1475-1492.
[19]	HU P , YANG R , LI Y ,et al. Application impersonation:problems of OAuth and API design in online social networks[C]// The Second ACM Conference on Online Social Networks. ACM, 2014: 271-278.
[20]	WU B , NGUYEN T , HUSAIN M . Implementation vulnerability associated with OAuth 2.0—a case study on Dropbox[C]// The 12th International Conference on Information Technology-New Generations. 2015: 135-138.
[21]	ZHOU Y , EVANS D . SSOScan:automated testing of web applications for single sign-on vulnerabilities[C]// The 23rd USENIX Security Symposium (USENIX Security 14). USE NIX, 2014: 495-510.
[22]	BAI G , LEI J , MENG G ,et al. AUTHSCAN:automatic extraction of web authentication protocols from implementations[C]// NDSS. 2013.
[23]	YANG R , LI G , LAU W C ,et al. Model-based security testing:an empirical study on OAuth 2.0 implementations[C]//The 11th ACM on Asia Conference on Computer and Communications Security. ACM, 2016: 651-662.
[24]	LODDERSTEDT T , MCGLOIN M , HUNT P . OAuth 2.0 threat model and security considerations[J]. RFC 6819, 2013.
[25]	杜雷, 辛阳 . 基于规则库和网络爬虫的漏洞检测技术研究与实现[J]. 信息网络安全, 2014(10): 38-43.
	DU L , XIN Y . Research and implementation of web vulnerability detection technology based on rule base and web crawler[J]. Netinfo Security, 2014(10): 38-43.
[26]	陈君, 张生 . 基于OAuth单点登录系统的安全性分析与评估[J]. 电子科技, 2017,30(9): 165-168.
	CHEN J , ZHANG S . Security evaluations and countermeasures of single sign-on systems based on OAuth protocol[J]. Electronic Science and Technology, 2017,30(9): 165-168.
[27]	张天琪 . OAuth协议安全性研究[J]. 信息网络安全, 2013(3): 68-70.
	ZHANG T Q . Study on OAuth protocol security[J]. Netinfo Security, 2013(3): 68-70.

Metrics

Recommended 0

No Suggested Reading articles found!

研究方向	研究进展	研究团队	存在问题
	使用形式化描述攻击，提取模型进行检测	BITS Pilani-Goa
OAuth2.0协议的安全性	建立Web模型，形式化分析OAuth协议安全性	德国特里尔大学	未对真实部署的安全性进行研究，仅理论层面进行分析
	使用加密证明方法，分析OAuth协议的安全性	IBM T.J.Watson研究中心
OAuth2.0 SDK安全性	使用语义模型，识别SDK中的缺陷	微软雷德蒙德研究院	未覆盖所有的SDK，工具不易扩展
	利用动态符号执行实现SK3Vetter，发现逻辑漏洞	香港中文大学
	检查state参数来发现CSRF攻击	佐治亚理工学院、武汉大学
OAuth协议部署安全性	引入恶意IdP，发现4种攻击方式	波鸿鲁尔大学	手工分析的方法，无法大规模分析
	嗅探IdP账号cookie，进行账号劫持攻击	伊利诺伊大学芝加哥分校
	发现隐式流程下的APP中间人攻击	香港中文大学
	解析视图中UI元素，自动化识别访问控制漏洞AuthScope	德克萨斯大学达拉斯分校
OAuth漏洞自动化检测	实现了自动化GUI测试检测Facebook API的工具SSOScan	弗吉尼亚大学	针对于移动应用平台，覆盖的IdP较少
	利用静态程序分析与动态行为探测，实现AuthScan	新加坡国立大学
	结合协议规范与网络追踪，实现自适应模型框架OAuthTester	香港中文大学

IdP	API调用/个	脆弱性调用/个	占比
Facebook	1 372	132	9.62%
谷歌	1 012	0	0
推特(*)	306	0	0
腾讯QQ	224	6	2.68%
新浪微博	208	117	56.25%
微信	183	27	14.75%
VK	159	46	28.93%
微软	69	4	5.80%
领英	56	0	0
Mail.Ru	44	19	43.18%
领英(*)	44	0	0
GitHub	32	4	12.50%
Yandex	28	0	0
雅虎	22	3	13.64%
Instagram	13	0	0
亚马逊	10	0	0
Twitch	7	0	0
百度	4	2	50.00%
Foursquare	3	0	0
Tumblr(*)	2	0	0
Battle.net	2	0	0
Autodesk(*)	1	0	0
Dropbox	1	0	0
ALO	1	0	0
Reddit	1	0	0
印象笔记(*)	1	0	0

IdP	脆弱性调用/个	攻击成功数量/个	占比
Facebook	132	20	15.15%
新浪微博	117	46	39.32%
VK	46	16	34.78%
微信	27	17	62.96%
Mail.Ru	19	0	0
腾讯QQ	6	1	16.67%
微软	4	1	25.00%
Github	4	0	0
雅虎	3	0	0
百度	2	0	0
总和	360	101	28.05%

工具	输入	IdP数量/个	RP数量/个	可检测漏洞类型	脆弱点数量/个	完整攻击风险数量/个	可否扩展
SK3Vetter^[12]	SDK	10	无	逻辑错误	7	—	否
AuthScope^[1]	Android APP	1	4 838	信息泄露	306	—	否
SSOScan^[21]	网站、网络流量	1	10 000	信息泄露	202	—	否
OAuthTester^[12]	OAuth2.0协议、网络流量	4	500	CSRF攻击	223	—	是
OScan	目标网站首页	26	10 000	账号劫持攻击	360	80	是

Account hijacking threat attack detection for OAuth2.0 authorization API

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 27

Related Articles 4

Metrics

Recommended 0

[1]	Wenjuan WANG, Xuehui DU, Dibin SHAN. Construction method of attack scenario in cloud environment based on dynamic probabilistic attack graph [J]. Journal on Communications, 2021, 42(1): 1-17.
[2]	Yuan YAO,Chuanxing PAN,Zheng ZHANG,Gaofei ZHANG. Method of quantitative assessment for diversified software system [J]. Journal on Communications, 2020, 41(3): 120-125.
[3]	Junfeng TIAN, Zilong WANG, Xinfeng HE, Zhen LI. Shamir-based virtual machine placement policy [J]. Journal on Communications, 2019, 40(10): 90-100.
[4]	Di WU,Binxing FANG,Xiang CUI,Qixu LIU. BotCatcher:botnet detection system based on deep learning [J]. Journal on Communications, 2018, 39(8): 18-28.