Discovering Concrete Attacks on Website Authorization by Formal Analysis

机译：通过形式分析发现对网站授权的具体攻击

获取原文

获取原文并翻译 | 示例

页面导航

摘要
著录项
引文网络
相似文献
相关主题

摘要

Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter, and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web application vulnerabilities, such as cross-site request forgery and open redirectors. We model several configurations of the OAuth 2.0 protocol in the applied pi-calculus and verify them using ProVerif. Our models rely on WebSpi, a new library for modeling web applications and web-based attackers that is designed to help discover concrete website attacks. Our approach is validated by finding dozens of previously unknown vulnerabilities in popular websites such as Yahoo and Word Press, when they connect to social networks such as Twitter and Facebook.

机译：社交登录和社交共享正成为Web应用程序越来越流行的功能。这一成功主要归功于著名社交网络（例如Facebook，Twitter和Google）基于新的开放标准（例如OAuth 2.0授权协议）提供的API和支持。对这些协议的形式分析必须考虑恶意网站和常见的Web应用程序漏洞，例如跨站点请求伪造和开放重定向程序。我们在应用的pi演算中对OAuth 2.0协议的几种配置进行建模，并使用ProVerif对其进行验证。我们的模型依赖于WebSpi，WebSpi是用于对Web应用程序和基于Web的攻击者建模的新库，旨在帮助发现具体的网站攻击。通过在流行网站（例如Yahoo和Word Press）连接到Twitter和Facebook等社交网络时发现数十个以前未知的漏洞，我们的方法得到了验证。

著录项

来源
《2012 IEEE 25th computer security foundations symposium》|2012年|p.247- 262|共16页
会议地点 Cambridge MA(US)
作者
Bansal Chetan; Bhargavan Karthikeyan; Maffeis Sergio;
展开▼
作者单位

展开▼
会议组织
原文格式 PDF
正文语种 eng
中图分类安全保密;
关键词

相似文献

外文文献
中文文献
专利

1. Discovering concrete attacks on website authorization by formal analysis [J] . Chetan Bansal, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Journal of computer security . 2014,第4期

机译：通过形式分析发现对网站授权的具体攻击
2. A formal analysis of Trusted Platform Module 2.0 hash-based message authentication code authorization under digital rights management scenario [J] . Yu Fajiang, Zhang Huanguo, Zhao Bo, Security and Communications Networks . 2016,第15期

机译：数字权限管理场景下基于Trusted Platform Module 2.0哈希的消息认证代码授权的形式分析
3. An action-based approach to the formal specification and automatic analysis of business processes under authorization constraints [J] . Alessandro Armando, Enrico Giunchiglia, Marco Maratea, Journal of computer and system sciences . 2012,第1期

机译：在授权约束下基于动作的形式规范和业务流程的自动分析方法
4. Discovering Concrete Attacks on Website Authorization by Formal Analysis [C] . Bansal Chetan, Bhargavan Karthikeyan, Maffeis Sergio IEEE Computer Security Foundations Symposium . 2012

机译：通过正式分析发现对网站授权的具体攻击
5. A Formal Framework for Cascading Attack Analysis in the Microgrid Islanding Detection Process [D] . Datta, Amarjit. 2018

机译：微电网孤岛检测过程中级联攻击分析的正式框架
6. Ethics and the marketing authorization of pharmaceuticals: what happens to ethical issues discovered post-trial and pre-marketing authorization? [O] . Rosemarie D. L. C. Bernabe, Ghislaine J. M. W. van Thiel, Nancy S. Breekveldt, 2020

机译：道德和药品的营销授权：在审判后和营销前授权的道德问题上会发生什么？
7. Discovering concrete attacks on website authorization by formal analysis [O] . Chetan Bansal, Karthikeyan Bhargavan, Sergio Maffeis 2015

机译：通过正式分析发现对网站授权的具体攻击
8. Formal Methods for Information Protection Technology Task 1: Formal Grammar-Based Approach and Tool for Simulation Attacks against Computer Network Part II [R] . Karsayev, O. V. , Kotenko, I. V. 2004

机译：信息保护技术的形式化方法任务1：基于形式语法的方法和模拟计算机网络攻击工具第二部分

Discovering Concrete Attacks on Website Authorization by Formal Analysis

摘要

著录项

引文网络

相似文献

相关主题

期刊订阅