Account hijacking threat attack detection for OAuth2.0 authorization API
OAuth2.0 protocol has been widely adopted to simplify user login to third-party applications,at the same time,existing risk of leaking user privacy data,what even worse,causing user accounts to be hijacked.An account hijacking attack model around authorization code was built by analyzing the vulnera...
Saved in:
Main Authors: | , , , , , |
---|---|
Format: | Article |
Language: | zho |
Published: |
Editorial Department of Journal on Communications
2019-06-01
|
Series: | Tongxin xuebao |
Subjects: | |
Online Access: | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2019144/ |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Summary: | OAuth2.0 protocol has been widely adopted to simplify user login to third-party applications,at the same time,existing risk of leaking user privacy data,what even worse,causing user accounts to be hijacked.An account hijacking attack model around authorization code was built by analyzing the vulnerabilities of the OAuth2.0 protocol.A vulnerable API identification method based on differential traffic analysis and an account hijacking verification method based on authorized authentication traffic monitoring was proposed.An account hijacking attack threat detection framework OScan for OAuth2.0 authorization API was designed and implemented.Through a large-scale detection of the 3 853 authorization APIs deployed on the Alexa top 10 000 websites,360 vulnerable APIs were discovered.The further verification showed that 80 websites were found to have threat of account hijacking attack.Compared with similar tools,OScan has significant advantages in covering the number of identity provider,the number of detected relying party,as well as the integrity of risk detection. |
---|---|
ISSN: | 1000-436X |