1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
LIU Qixu (1984- ), male, born in Xuzhou, Jiangsu; Ph.D.; associate researcher at the Institute of Information Engineering, Chinese Academy of Sciences, and associate professor at the University of Chinese Academy of Sciences. Research interests: network attack and defense techniques, network security evaluation.
QIU Kaili (1996- ), female, Tujia ethnicity, born in Zhangjiajie, Hunan; master's student at the University of Chinese Academy of Sciences. Research interest: network attack and defense techniques.
WANG Yiwen (1996- ), male, born in Huzhou, Zhejiang; master's student at the University of Chinese Academy of Sciences. Research interest: network attack and defense techniques.
CHEN Yanhui (1996- ), male, born in Weifang, Shandong; Ph.D. student at the University of Chinese Academy of Sciences. Research interest: network attack and defense techniques.
CHEN Langping (1995- ), male, born in Shaoxing, Zhejiang; master's student at the University of Chinese Academy of Sciences. Research interest: network attack and defense techniques.
LIU Chaoge (1986- ), male, born in Changchun, Jilin; Ph.D.; assistant researcher at the Institute of Information Engineering, Chinese Academy of Sciences, and lecturer at the University of Chinese Academy of Sciences. Research interests: attack attribution and traceback, Web security, cyber deception.
Online publication date: 2019-06
Print publication date: 2019-06-25
Qixu LIU, Kaili QIU, Yiwen WANG, et al. Account hijacking threat attack detection for OAuth2.0 authorization API[J]. Journal on Communications, 2019, 40(6): 40-50. DOI: 10.11959/j.issn.1000-436x.2019144.
The OAuth 2.0 authorization protocol simplifies user login to third-party applications, but it also carries the risk of leaking users' private data and, worse, of users' accounts being hijacked by an attacker. By analyzing the weak points of the OAuth 2.0 protocol, an account hijacking attack model centred on the authorization code was built. A vulnerable application programming interface (API) identification method based on differential traffic analysis and an account hijacking attack verification method based on monitoring of authorization and authentication network traffic were proposed, and OScan, an account hijacking attack threat detection framework for OAuth 2.0 authorization service APIs, was designed and implemented. In a large-scale test of 3 853 authorization service APIs actually deployed on the Alexa top 10 000 websites, 360 vulnerable APIs were found; further verification showed that 80 websites were exposed to account hijacking attacks. Compared with similar tools, OScan has clear advantages in the completeness of identity provider (IdP) coverage, the number of relying parties (RPs) detected, and the completeness of threat detection.