Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Issue title: Web Application Security – Web @ 25
Guest editors: Lieven DesmetGuest Editor, Martin JohnsGuest Editor, Benjamin LivshitsGuest Editor and Andrei SabelfeldGuest Editor
Article type: Research Article
Authors: Bansal, Chetana | Bhargavan, Karthikeyanb; * | Delignat-Lavaud, Antoineb | Maffeis, Sergioc
Affiliations: [a] BITS Pilani-Goa, Goa, India | [b] Inria Paris-Rocquencourt, Paris, France | [c] Imperial College London, London, UK
Correspondence: [*] Corresponding author: Karthikeyan Bhargavan, Prosecco, Inria Paris, 23 avenue d'Italie, CS 81321, 75214 Paris Cedex 13, France. E-mail: karthikeyan.bhargavan@inria.fr.
Note: [1] This paper is an extended and revised version of [13].
Abstract: Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web application vulnerabilities, such as cross-site request forgery and open redirectors. We model several configurations of the OAuth 2.0 protocol in the applied pi-calculus and verify them using ProVerif. Our models rely on WebSpi, a new library for modeling web applications and web-based attackers that is designed to help discover concrete attacks on websites. To ease the task of writing formal models in our framework, we present a model extraction tool that automatically translates programs written in subsets of PHP and JavaScript to the applied pi-calculus. Our approach is validated by finding dozens of previously unknown vulnerabilities in popular websites such as Yahoo and WordPress, when they connect to social networks such as Twitter and Facebook.
Keywords: Web security, pi-calculus, formal verification, automated analysis, ProVerif, threat modeling, web attacks, cross-site request forgery, open redirectors, OAuth protocol
DOI: 10.3233/JCS-140503
Journal: Journal of Computer Security, vol. 22, no. 4, pp. 601-657, 2014
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
sales@iospress.com
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
info@iospress.nl
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office info@iospress.nl
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
china@iospress.cn
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
如果您在出版方面需要帮助或有任何建, 件至: editorial@iospress.nl