面向OAuth2.0授权服务API的账号劫持攻击威胁检测  被引量：13

作　　者：刘奇旭[1,2] 邱凯丽 王乙文 陈艳辉 陈浪平 刘潮歌 LIU Qixu;QIU Kaili;WANG Yiwen;CHEN Yanhui;CHEN Langping;LIU Chaoge(Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China;School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China)

机构地区：[1]中国科学院信息工程研究所,北京100093 [2]中国科学院大学网络空间安全学院,北京100049

出　　处：《通信学报》2019年第6期40-50,共11页Journal on Communications

基　　金：国家重点研发计划基金资助项目(No.2016YFB0801604,No.2016QY08D1602);中国科学院网络测评技术重点实验室基金资助项目;网络安全防护技术北京市重点实验室基金资助项目~~

摘　　要：OAuth2.0授权协议在简化用户登录第三方应用的同时,也存在泄露用户隐私数据的风险,甚至引发用户账号被攻击劫持。通过分析OAuth2.0协议的脆弱点,构建了围绕授权码的账号劫持攻击模型,提出了基于差异流量分析的脆弱性应用程序编程接口(API)识别方法和基于授权认证网络流量监测的账号劫持攻击验证方法,设计并实现了面向OAuth2.0授权服务API的账号劫持攻击威胁检测框架OScan。通过对Alexa排名前10 000的网站中真实部署的3 853个授权服务API进行大规模测试,发现360个存在脆弱性的API。经过进一步验证,发现了80个网站存在账号劫持攻击威胁。相较类似工具,OScan在覆盖身份提供方(IdP)全面性、检测依赖方(RP)数量和威胁检测完整性等方面均具有明显的优势。OAuth2.0 protocol has been widely adopted to simplify user login to third-party applications,at the same time,existing risk of leaking user privacy data,what even worse,causing user accounts to be hijacked.An account hijacking attack model around authorization code was built by analyzing the vulnerabilities of the OAuth2.0 protocol.A vulnerable API identification method based on differential traffic analysis and an account hijacking verification method based on authorized authentication traffic monitoring was proposed.An account hijacking attack threat detection framework OScan for OAuth2.0 authorization API was designed and implemented.Through a large-scale detection of the 3 853 authorization APIs deployed on the Alexa top 10 000 websites,360 vulnerable APIs were discovered.The further verification showed that 80 websites were found to have threat of account hijacking attack.Compared with similar tools,OScan has significant advantages in covering the number of identity provider,the number of detected relying party,as well as the integrity of risk detection.

关 键 词：OAuth2.0协议 应用程序编程接口 账号劫持 第三方应用 

分 类 号：TP309.5[自动化与计算机技术—计算机系统结构]