{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,1]],"date-time":"2025-11-01T14:39:04Z","timestamp":1762007944201,"version":"build-2065373602"},"publisher-location":"Cham","reference-count":24,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030032500"},{"type":"electronic","value":"9783030032517"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-030-03251-7_3","type":"book-chapter","created":{"date-parts":[[2018,11,23]],"date-time":"2018-11-23T07:12:07Z","timestamp":1542957127000},"page":"24-41","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations"],"prefix":"10.1007","author":[{"given":"Wanpeng","family":"Li","sequence":"first","affiliation":[]},{"given":"Chris J.","family":"Mitchell","sequence":"additional","affiliation":[]},{"given":"Thomas","family":"Chen","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,11,24]]},"reference":[{"issue":"4","key":"3_CR1","doi-asserted-by":"publisher","first-page":"601","DOI":"10.3233\/JCS-140503","volume":"22","author":"C Bansal","year":"2014","unstructured":"Bansal, C., Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. J. Comput. Secur. 22(4), 601\u2013657 (2014). https:\/\/doi.org\/10.3233\/JCS-140503","journal-title":"J. Comput. Secur."},{"key":"3_CR2","unstructured":"Bansal, C., Bhargavan, K., Maffeis, S.: WebSpi and web application models (2011). http:\/\/prosecco.gforge.inria.fr\/webspi\/CSF\/"},{"key":"3_CR3","unstructured":"Blanchet, B., Smyth, B.: ProVerif: cryptographic protocol verifier in the formal model. http:\/\/prosecco.gforge.inria.fr\/personal\/bblanche\/proverif\/"},{"key":"3_CR4","unstructured":"Chari, S., Jutla, C.S., Roy, A.: Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive 2011, 526 (2011)"},{"key":"3_CR5","doi-asserted-by":"publisher","unstructured":"Chen, E.Y., Pei, Y., Chen, S., Tian, Y., Kotcher, R., Tague, P.: OAuth demystified for mobile application developers. In: Ahn, G., Yung, M., Li, N. (eds.) Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 3\u20137 November 2014, Scottsdale, AZ, USA, pp. 892\u2013903. ACM (2014). https:\/\/doi.org\/10.1145\/2660267.2660323","DOI":"10.1145\/2660267.2660323"},{"key":"3_CR6","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"390","DOI":"10.1007\/3-540-61474-5","volume-title":"Computer Aided Verification","author":"DL Dill","year":"1996","unstructured":"Dill, D.L.: The murphi verification system. In: Alur, R., Henzinger, T.A. (eds.) Computer Aided Verification. LNCS, pp. 390\u2013393. Springer, Heidelberg (1996). https:\/\/doi.org\/10.1007\/3-540-61474-5"},{"key":"3_CR7","doi-asserted-by":"publisher","unstructured":"Fett, D., K\u00fcsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 2.0. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 24\u201328 October 2016, Vienna, Austria, pp. 1204\u20131215. ACM (2016). https:\/\/doi.org\/10.1145\/2976749.2978385","DOI":"10.1145\/2976749.2978385"},{"key":"3_CR8","doi-asserted-by":"crossref","unstructured":"Hardt, D. (ed.): RFC 6749: the OAuth 2.0 authorization framework, October 2012. http:\/\/tools.ietf.org\/html\/rfc6749","DOI":"10.17487\/rfc6749"},{"key":"3_CR9","unstructured":"Jackson, D.: Alloy 4.1 (2010). http:\/\/alloy.mit.edu\/community\/"},{"key":"3_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"529","DOI":"10.1007\/978-3-319-13257-0_34","volume-title":"Information Security","author":"W Li","year":"2014","unstructured":"Li, W., Mitchell, C.J.: Security issues in OAuth 2.0 SSO implementations. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 529\u2013541. Springer, Cham (2014). https:\/\/doi.org\/10.1007\/978-3-319-13257-0_34"},{"key":"3_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"357","DOI":"10.1007\/978-3-319-40667-1_18","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"W Li","year":"2016","unstructured":"Li, W., Mitchell, C.J.: Analysing the security of Google\u2019s implementation of OpenID connect. In: Caballero, J., Zurutuza, U., Rodr\u00edguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 357\u2013376. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-40667-1_18"},{"key":"3_CR12","unstructured":"Li, W., Mitchell, C.J.: Does the IdP mix-up attack really work? (2016). https:\/\/infsec.uni-trier.de\/download\/oauth-workshop-2016\/OSW2016_paper_1.pdf"},{"key":"3_CR13","unstructured":"Li, W., Mitchell, C.J., Chen, T.: Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect. CoRR abs\/1801.07983 (2018). https:\/\/arxiv.org\/abs\/1801.07983"},{"key":"3_CR14","unstructured":"Lodderstedt, T., McGloin, M., Hunt, P.: RFC 6819: OAuth 2.0 threat model and security considerations (2013). http:\/\/tools.ietf.org\/html\/rfc6819"},{"key":"3_CR15","unstructured":"Masinter, L., Berners-Lee, T., Fielding, R.T.: RFC 3986: uniform resource identifier (URI): Generic syntax (2005). https:\/\/www.ietf.org\/rfc\/rfc3986.txt"},{"key":"3_CR16","unstructured":"OWASP Foundation: Owasp top ten project (2013). https:\/\/www.owasp.org\/index.php\/Top10#OWASP_Top_10_for_2013"},{"key":"3_CR17","doi-asserted-by":"crossref","unstructured":"Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of OAuth 2.0 using Alloy framework. In: Proceedings of the International Conference on Communication Systems and Network Technologies, CSNT 2011, pp. 655\u2013659. IEEE (2011)","DOI":"10.1109\/CSNT.2011.141"},{"key":"3_CR18","doi-asserted-by":"publisher","unstructured":"Shehab, M., Mohsen, F.: Securing OAuth implementations in smart phones. In: Bertino, E., Sandhu, R.S., Park, J. (eds.) Fourth ACM Conference on Data and Application Security and Privacy, CODASPY 2014, 03\u201305 March 2014, San Antonio, TX, USA, pp. 167\u2013170. ACM (2014). https:\/\/doi.org\/10.1145\/2557547.2557588","DOI":"10.1145\/2557547.2557588"},{"key":"3_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1007\/978-3-319-20550-2_13","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"E Shernan","year":"2015","unstructured":"Shernan, E., Carter, H., Tian, D., Traynor, P., Butler, K.: More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 239\u2013260. Springer, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-20550-2_13"},{"key":"3_CR20","unstructured":"Slack, Q., Frostig, R.: Murphi analysis of OAuth 2.0 implicit grant flow (2011). http:\/\/www.stanford.edu\/class\/cs259\/WWW11\/"},{"key":"3_CR21","doi-asserted-by":"crossref","unstructured":"Sun, S.T., Beznosov, K.: The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) the ACM Conference on Computer and Communications Security, CCS 2012, 16\u201318 October 2012, Raleigh, NC, USA, pp. 378\u2013390. ACM (2012)","DOI":"10.1145\/2382196.2382238"},{"key":"3_CR22","doi-asserted-by":"crossref","unstructured":"Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services. In: IEEE Symposium on Security and Privacy, SP 2012, 21\u201323 May 2012, San Francisco, California, USA, pp. 365\u2013379. IEEE Computer Society (2012)","DOI":"10.1109\/SP.2012.30"},{"key":"3_CR23","doi-asserted-by":"publisher","unstructured":"Yang, R., Li, G., Lau, W.C., Zhang, K., Hu, P.: Model-based security testing: An empirical study on OAuth 2.0 implementations. In: Chen, X., Wang, X., Huang, X. (eds.) Proceedings of the 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2016, 30 May\u20133 June 2016, Xi\u2019an, China, pp. 651\u2013662. ACM (2016). https:\/\/doi.org\/10.1145\/2897845.2897874","DOI":"10.1145\/2897845.2897874"},{"key":"3_CR24","unstructured":"Zhou, Y., Evans, D.: SSOScan: automated testing of web applications for single sign-on vulnerabilities. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, 20\u201322 August 2014, San Diego, CA, USA, pp. 495\u2013510. USENIX Association (2014). https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/zhou"}],"container-title":["Lecture Notes in Computer Science","Security Protocols XXVI"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-03251-7_3","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,11,5]],"date-time":"2019-11-05T23:06:28Z","timestamp":1572995188000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-03251-7_3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783030032500","9783030032517"],"references-count":24,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-03251-7_3","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"Security Protocols","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Cambridge International Workshop on Security Protocols","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Cambridge","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"United Kingdom","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2018","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 March 2018","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 March 2018","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"spw2018","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/spw2018.crocs.fi.muni.cz","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"the workshop is invitation only","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"email","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"0","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"17","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"N\/A% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"0.0","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"0.0","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"the workshop is invitation only","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}}]}}