Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations
