Discovering concrete attacks on website authorization by formal analysis

C Bansal, K Bhargavan… - Journal of Computer …, 2014 - content.iospress.com
Social sign-on and social sharing are becoming an ever more popular feature of web
applications. This success is largely due to the APIs and support offered by prominent social …

Language-based defenses against untrusted browser origins

K Bhargavan, A Delignat-Lavaud… - 22nd USENIX Security …, 2013 - usenix.org
We present new attacks and robust countermeasures for security-sensitive components,
such as single sign-on APIs and client-side cryptographic libraries, that need to be safely …

The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems

ST Sun, K Beznosov - Proceedings of the 2012 ACM conference on …, 2012 - dl.acm.org
Millions of web users today employ their Facebook accounts to sign into more than one
million relying party (RP) websites. This web-based single sign-on (SSO) scheme is enabled …

A survey on server-side approaches to securing web applications

X Li, Y Xue - ACM Computing Surveys (CSUR), 2014 - dl.acm.org
Web applications are one of the most prevalent platforms for information and service
delivery over the Internet today. As they are increasingly used for critical services, web …

SSOScan: automated testing of web applications for single Sign-On vulnerabilities

Y Zhou, D Evans - 23rd USENIX Security Symposium (USENIX Security …, 2014 - usenix.org
Correctly integrating third-party services into web applications is challenging, and mistakes
can have grave consequences when third-party services are used for security-critical tasks …

Integuard: Toward automatic protection of third-party web service integrations

L Xing, Y Chen, XF Wang, S Chen - Network & Distributed System …, 2013 - microsoft.com
A web application today often utilizes web APIs to incorporate third-party services into its
functionality. Such API integration, however, is full of security perils: recent studies show that …

Awakening the web's sleeper agents: Misusing service workers for privacy leakage

S Karami, P Ilia, J Polakis - Network and Distributed System Security …, 2021 - par.nsf.gov
Service workers are a powerful technology supported by all major modern browsers that can
improve users' browsing experience by offering capabilities similar to those of native …

More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations

E Shernan, H Carter, D Tian, P Traynor… - Detection of Intrusions and …, 2015 - Springer
OAuth 2.0 provides an open framework for the authorization of users across the web. While
the standard enumerates mandatory security protections for a variety of attacks, many …
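The CSRF protection the entry above refers to is the one RFC 6749 (section 10.12) requires of clients: a request to the redirection URI must carry a value bound to the user agent's session, in practice the `state` parameter. The following is an added example, not code from the page or from the cited paper; the identity-provider endpoint, callback URL, client id, authorization codes and the `Session` class are placeholders. It puts a relying party that skips the `state` check beside one that enforces it and drives both with a forged callback of the kind that produces login CSRF.

```python
"""Relying-party side of the OAuth 2.0 authorization-code flow, showing the CSRF
check RFC 6749 section 10.12 requires of clients (usually the `state` parameter).

Constructed example: the endpoints, client id and codes below are placeholders,
and `Session` stands in for a real server-side session store.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://idp.example/authorize"  # hypothetical identity provider
REDIRECT_URI = "https://rp.example/callback"      # hypothetical RP callback URL
CLIENT_ID = "rp-client-id"                        # placeholder client id


class Session:
    """Minimal per-browser session (a dict); a real RP would key this by cookie."""

    def __init__(self):
        self.data = {}


def query_param(url, name):
    """Return the first value of query parameter `name` in `url`, or None."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def build_authorization_url(session, use_state=True):
    """Step 1: redirect the browser to the IdP.

    A compliant RP mints an unguessable `state`, stores it in the user's session
    and sends it to the IdP, which echoes it back unchanged on the redirect to
    REDIRECT_URI. A noncompliant RP (use_state=False) sends no state at all.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
    }
    if use_state:
        state = secrets.token_urlsafe(32)
        session.data["oauth_state"] = state
        params["state"] = state
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback_noncompliant(session, callback_url):
    """Step 2, vulnerable RP: takes whatever `code` arrives and binds it to the
    current session without checking `state`. An attacker who completed step 1
    with their own IdP account can make the victim's browser load this callback
    URL (img tag, link, redirect), so the victim's RP session is linked to the
    attacker's identity: login CSRF."""
    code = query_param(callback_url, "code")
    if code is None:
        return False
    session.data["linked_code"] = code
    return True


def handle_callback_compliant(session, callback_url):
    """Step 2, compliant RP: honour the callback only if `state` equals the value
    minted for this session. The stored value is consumed so the callback cannot
    be replayed, and the comparison is constant time."""
    code = query_param(callback_url, "code")
    state = query_param(callback_url, "state")
    expected = session.data.pop("oauth_state", None)
    if code is None or state is None or expected is None:
        return False
    if not hmac.compare_digest(state.encode(), expected.encode()):
        return False
    session.data["linked_code"] = code
    return True


def login_csrf_demo():
    """Deliver an attacker-crafted callback to a victim whose session never issued
    that state. Returns (accepted_by_noncompliant_rp, accepted_by_compliant_rp)."""
    victim = Session()
    build_authorization_url(victim)  # victim may have started a flow; state differs
    forged = f"{REDIRECT_URI}?code=ATTACKER_CODE&state=attacker-guess"
    vulnerable = handle_callback_noncompliant(victim, forged)
    hardened = handle_callback_compliant(victim, forged)
    return vulnerable, hardened


def honest_flow():
    """Genuine round trip: the state the RP minted comes back unchanged and is
    accepted once; a replay of the same callback is refused."""
    session = Session()
    state = query_param(build_authorization_url(session), "state")
    callback = f"{REDIRECT_URI}?code=GENUINE_CODE&state={state}"
    first = handle_callback_compliant(session, callback)
    replay = handle_callback_compliant(session, callback)
    return first, replay


if __name__ == "__main__":
    print("forged callback accepted (noncompliant, compliant):", login_csrf_demo())
    print("honest callback accepted (first, replay):", honest_flow())
```

The check is only as good as the binding: the state must be unguessable, stored server-side (or in a cookie the attacker cannot read), consumed on first use, and compared in constant time. Sending `state` but never verifying it on the callback, as the noncompliant handler does, leaves the RP exactly as exposed as sending none.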

JAW: Studying client-side CSRF with hybrid property graphs and declarative traversals

S Khodayari, G Pellegrino - 30th USENIX Security Symposium (USENIX …, 2021 - usenix.org
Client-side CSRF is a new type of CSRF vulnerability where the adversary can trick the
client-side JavaScript program to send a forged HTTP request to a vulnerable target site by …

Nemesis: Preventing authentication and access control vulnerabilities in web applications

M Dalton, C Kozyrakis, N Zeldovich - 2009 - usenix.org
This paper presents Nemesis, a novel methodology for mitigating authentication bypass and
access control vulnerabilities in existing web applications. Authentication attacks occur …