Web-based attacks on host-proof encrypted storage
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Keys to the cloud: formal analysis and concrete attacks on encrypted web storage
POST'13 Proceedings of the Second international conference on Principles of Security and Trust
Lengths may break privacy: or how to check for equivalences with length
CAV'13 Proceedings of the 25th international conference on Computer Aided Verification
Explicating SDKs: uncovering assumptions underlying secure authentication and authorization
SEC'13 Proceedings of the 22nd USENIX conference on Security
Language-based defenses against untrusted browser origins
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter, and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web application vulnerabilities, such as cross-site request forgery and open redirectors. We model several configurations of the OAuth 2.0 protocol in the applied pi-calculus and verify them using ProVerif. Our models rely on WebSpi, a new library for modeling web applications and web-based attackers that is designed to help discover concrete website attacks. Our approach is validated by finding dozens of previously unknown vulnerabilities in popular websites such as Yahoo and Word Press, when they connect to social networks such as Twitter and Facebook.