Bulwark: Holistic and Verified Security Monitoring of Web Protocols

Veronese, Lorenzo; Calzavara, Stefano; Compagna, Luca

doi:10.1007/978-3-030-58951-6_2

Cited by 1 publication

(1 citation statement)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Calzavara et al [28] study the browser-side (i.e., client-side) security for using OAuth 2.0 while considering the service providers as black-box. Veronese et al [42] propose a networktraffic-based security monitoring system for different entities of OAuth. However, these studies are focused on the security implications on the client-side OAuth flow and depend on manual analysis by security experts such as monitoring the network traffic or inferring the protocol flows and cannot be applied or extended to detect missing or incorrect security checks on the server-side implementation.…”

Section: Related Workmentioning

confidence: 99%

Cerberus: Query-driven Scalable Vulnerability Detection in OAuth Service Provider Implementations

Rahat,

Feng,

Tian

2021

Preprint

View full text Add to dashboard Cite

OAuth protocols have been widely adopted to simplify user authentication and service authorization for thirdparty applications. However, little effort has been devoted to automatically checking the security of libraries that are widely used by service providers. In this paper, we formalize the OAuth specifications and security best practices, and design OAuthShield, an automated static analyzer, to find logical flaws and identify vulnerabilities in the implementation of OAuth authorization server libraries. To efficiently detect OAuth violations in a large codebase, OAuthShield employs a demand-driven algorithm for answering queries about OAuth specifications. To demonstrate the effectiveness of OAuthShield, we evaluate it on ten popular OAuth libraries that have millions of downloads. Among these high-profile libraries, OAuthShield has identified 47 vulnerabilities from ten classes of logical flaws, 24 of which were previously unknown. We got acknowledged by the developers of six libraries, and had three accepted CVEs.

show abstract

Section: Related Workmentioning

confidence: 99%