Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect
Wanpeng Li, Chris J Mitchell, and Thomas Chen

TL;DR
This paper addresses the security vulnerabilities of OAuth 2.0 and OpenID Connect, specifically CSRF attacks, and proposes a new mitigation technique to enhance user account security during single sign-on processes.
Contribution
The paper introduces a novel technique to effectively mitigate CSRF attacks on OAuth 2.0 and OpenID Connect implementations.
Findings
The proposed method reduces CSRF attack success rates.
Implementation of the technique improves security without disrupting user experience.
The approach is applicable to real-world OAuth and OpenID Connect deployments.
Abstract
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Cryptography and Data Security
