WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring

We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which are fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introduces a critical vulnerability.
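The following is an added illustration of the monitoring idea the abstract describes, not WPSE's own code: a small browser-side monitor for the OAuth 2.0 authorization code grant that enforces the expected message order (an authorization request, then exactly one callback whose `state` matches) and blocks any message that would carry the authorization code to a third-party origin, the kind of leak a tracking script causes when it reports the full page URL. The origins, paths, message shape and trace values are constructed for the demo; real HTTP redirects are simplified to a single "response" message at the redirect target.

```javascript
// Added illustration, not WPSE's own code: a monitor in the spirit of WPSE for the
// OAuth 2.0 authorization code grant. Origins, paths and trace values are constructed.
const RP = "https://rp.example";   // constructed relying party origin
const IDP = "https://idp.example"; // constructed identity provider origin

function createMonitor() {
  let phase = "idle";  // protocol phase: idle -> started -> done
  let nonce = null;    // OAuth state value chosen in the authorization request
  let code = null;     // authorization code; must only ever reach RP
  // observe() sees every message the browser sends or receives and returns
  // "allow" or a "block:<reason>" verdict, as a security monitor would.
  return function observe(msg) {
    const u = new URL(msg.url);
    const p = msg.params || {};
    if (phase === "idle" && msg.type === "request" &&
        u.origin === IDP && u.pathname === "/authorize") {
      nonce = p.state; phase = "started";
      return "allow";
    }
    if (msg.type === "response" && u.origin === RP && u.pathname === "/callback") {
      if (phase !== "started") return "block:unexpected-callback"; // replay or no request
      if (p.state !== nonce) { phase = "idle"; return "block:state-mismatch"; } // session swap
      code = p.code; phase = "done";
      return "allow";
    }
    // Confidentiality: once issued, the code must not appear in any message to an
    // origin other than the RP (e.g. a tracker that reports the full page URL).
    if (code !== null && u.origin !== RP) {
      const leaks = msg.url.includes(code) ||
        Object.values(p).some((v) => String(v).includes(code));
      if (leaks) return "block:code-leak";
    }
    return "allow";
  };
}

// Runs a whole trace through a fresh monitor and returns one verdict per message.
function runTrace(trace) {
  const observe = createMonitor();
  return trace.map(observe);
}

// Constructed trace: a legitimate login, a tracker request that would carry the
// code to a third party, then the RP's own use of the callback URL.
const TRACE = [
  { type: "request",  url: IDP + "/authorize", params: { client_id: "rp", state: "s1" } },
  { type: "response", url: RP + "/callback",   params: { code: "c123", state: "s1" } },
  { type: "request",  url: "https://tracker.example/collect",
    params: { dl: RP + "/callback?code=c123&state=s1" } },
  { type: "request",  url: RP + "/callback",   params: { code: "c123", state: "s1" } },
];
```

`runTrace(TRACE)` yields `allow, allow, block:code-leak, allow`: the flow itself is accepted while the tracker request carrying the code is stopped.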
