Account hijacking threat attack detection for OAuth2.0 authorization API
The OAuth2.0 protocol has been widely adopted to simplify user login to third-party applications, but it also carries the risk of leaking users' private data and, worse, of user accounts being hijacked. An account hijacking attack model centred on the authorization code was built by analyzing the vulnerabilities of the OAuth2.0 protocol. A vulnerable API identification method based on differential traffic analysis and an account hijacking verification method based on monitoring authorization and authentication traffic are proposed. An account hijacking threat detection framework for OAuth2.0 authorization APIs, OScan, was designed and implemented. A large-scale scan of the 3,853 authorization APIs deployed on the Alexa top 10,000 websites found 360 vulnerable APIs; further verification showed that 80 websites were exposed to account hijacking attacks. Compared with similar tools, OScan has significant advantages in the number of identity providers covered, the number of relying parties detected, and the completeness of its risk detection.
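The abstract describes identifying vulnerable authorization APIs from captured traffic and then verifying account-hijacking exposure, but the paper's concrete checks are not reproduced on this page. The block below is an added example written for this record, not the authors' OScan code: it takes a relying party's recorded authorization request and callback URL (constructed sample data, embedded inline) and flags the authorization-code hijacking preconditions described in RFC 6749 sections 10.6 and 10.12 (missing, mismatched or guessable state; non-TLS or altered redirect_uri; tokens delivered in the front channel), plus a differential check across several captured logins that catches a static state value. The MIN_STATE_LEN threshold, the finding codes, and the hosts idp.example and rp.example are assumptions.

```python
"""Added example (not the paper's OScan): flag authorization-code hijacking
preconditions in captured OAuth2.0 authorization-code exchanges.

Each exchange is the URL the relying party (RP) redirects the browser to at the
identity provider (IdP), and the callback URL the IdP sends the browser back to.
Checks follow RFC 6749 sections 10.6 (redirect URI) and 10.12 (CSRF / state).
"""
from urllib.parse import urlsplit, parse_qs

MIN_STATE_LEN = 16  # assumption: shorter state values are treated as guessable


def _query(url):
    """Split a URL and return (parts, first value of each query parameter)."""
    parts = urlsplit(url)
    return parts, {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def check_exchange(auth_request_url, callback_url):
    """Return finding codes for one authorize -> callback exchange (empty list = clean)."""
    findings = []
    _, req = _query(auth_request_url)
    cb_parts, cb = _query(callback_url)
    fragment = parse_qs(cb_parts.fragment)

    if req.get("response_type") != "code":
        findings.append("NOT_CODE_GRANT")

    # Session binding (s10.12): state must be present, unguessable and echoed back
    # unchanged, so the RP can tie the code to the browser that started the flow.
    state = req.get("state")
    if not state:
        findings.append("NO_STATE")
    elif cb.get("state") != state:
        findings.append("STATE_MISMATCH")
    elif len(state) < MIN_STATE_LEN:
        findings.append("WEAK_STATE")

    # Code delivery (s10.6): the code must return over TLS to exactly the
    # redirect_uri that was requested, in the query string, with no token exposed.
    redirect_uri = req.get("redirect_uri")
    if not redirect_uri:
        findings.append("NO_REDIRECT_URI")
    else:
        r = urlsplit(redirect_uri)
        if r.scheme != "https":
            findings.append("REDIRECT_NOT_HTTPS")
        if (r.scheme, r.netloc, r.path) != (cb_parts.scheme, cb_parts.netloc, cb_parts.path):
            findings.append("CALLBACK_URI_DIFFERS")
    if "code" not in cb:
        findings.append("NO_CODE_IN_CALLBACK")
    if "access_token" in cb or "access_token" in fragment:
        findings.append("TOKEN_IN_FRONT_CHANNEL")
    return findings


def check_state_freshness(auth_request_urls):
    """Differential check over several captured logins of the same RP: a state
    value that repeats across independent flows is static and protects nothing."""
    states = [_query(u)[1].get("state") for u in auth_request_urls]
    states = [s for s in states if s]
    return len(states) == len(set(states))


# Constructed sample exchanges (not real traffic).
VULNERABLE_RP = (
    "https://idp.example/oauth/authorize?response_type=code&client_id=rp1"
    "&redirect_uri=http%3A%2F%2Frp.example%2Fcb&scope=openid",
    "http://rp.example/cb?code=SplxlOBeZQQYbYS6WxSbIA",
)
HARDENED_RP = (
    "https://idp.example/oauth/authorize?response_type=code&client_id=rp1"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&scope=openid&state=4f9c2b8e1a7d3c6e0b5a9f8d",
    "https://rp.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=4f9c2b8e1a7d3c6e0b5a9f8d",
)

if __name__ == "__main__":
    for name, exchange in (("vulnerable", VULNERABLE_RP), ("hardened", HARDENED_RP)):
        print(name, check_exchange(*exchange))
    # Two captures of the same RP reusing one state value: static, so not fresh.
    print("fresh state:", check_state_freshness([HARDENED_RP[0], HARDENED_RP[0]]))
```

The per-exchange checks are what a scanner can decide from a single capture; the freshness check needs two or more captures of the same RP, which is the differential part: a state that never changes between logins is as useless as no state at all.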
Main Authors: Qixu LIU, Kaili QIU, Yiwen WANG, Yanhui CHEN, Langping CHEN, Chaoge LIU
Format: Article
Language: Chinese (zho)
Published: Editorial Department of Journal on Communications, 2019-06-01
Series: Tongxin xuebao (Journal on Communications)
ISSN: 1000-436X
DOI: 10.11959/j.issn.1000-436x.2019144
Subjects: OAuth2.0 protocol; application programming interface; account hijacking; third-party application
Collection: DOAJ
Online Access: http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2019144/