Mitigating CSRF attacks on OAuth 2.0 Systems

Wanpeng Li; Chris J Mitchell; Thomas Chen

doi:10.1109/PST.2018.8514180

2018 16th Annual Conference on Privacy, Security and Trust (PST)

Mitigating CSRF attacks on OAuth 2.0 Systems

Year: 2018, Pages: 1-5

DOI Bookmark: 10.1109/PST.2018.8514180

Authors

Wanpeng Li, School of Computing, Mathematics, Digital Technology Manchester Metropolitan University
Chris J Mitchell, Information Security Group Royal Holloway, University of London
Thomas Chen, Department of Electrical, Electronic Engineering City, University of London

Abstract

Many millions of users routinely use Google, Facebook and Microsoft to log in to websites supporting OAuth 2.0 and/or OpenID Connect. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance. Unfortunately, as previous studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new and practical technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.

Like what you’re reading?

Already a member?

Get this article FREE with a new membership!

Towards Enhancing the Security of OAuth Implementations in Smart Phones
2014 IEEE International Conference on Mobile Services (MS)
An Authorization Scheme Concealing Client's Access from Authentication Server
2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS)
Verification for OAuth Using ASLan++
2015 IEEE 16th International Symposium on High Assurance Systems Engineering (HASE)
SoK: Single Sign-On Security — An Evaluation of OpenID Connect
2017 IEEE European Symposium on Security and Privacy (EuroS&P)
Discovering Concrete Attacks on Website Authorization by Formal Analysis
2012 IEEE 25th Computer Security Foundations Symposium
OAuth-SSO: A Framework to Secure the OAuth-Based SSO Service for Packaged Web Applications
2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)
Revisiting OAuth 2.0 Compliance: A Two-Year Follow-Up Study
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Justin Richer on OAuth
IEEE Software
User Access Privacy in OAuth 2.0 and OpenID Connect
2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Modular Security Analysis of OAuth 2.0 in the Three-Party Setting
2020 IEEE European Symposium on Security and Privacy (EuroS&P)

Mitigating CSRF attacks on OAuth 2.0 Systems

Authors

Abstract

Related Articles