{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T07:24:41Z","timestamp":1780471481413,"version":"3.54.1"},"publisher-location":"Cham","reference-count":50,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319205496","type":"print"},{"value":"9783319205502","type":"electronic"}],"license":[{"start":{"date-parts":[[2015,1,1]],"date-time":"2015-01-01T00:00:00Z","timestamp":1420070400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2015,1,1]],"date-time":"2015-01-01T00:00:00Z","timestamp":1420070400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015]]},"DOI":"10.1007\/978-3-319-20550-2_13","type":"book-chapter","created":{"date-parts":[[2015,6,22]],"date-time":"2015-06-22T01:55:06Z","timestamp":1434938106000},"page":"239-260","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":37,"title":["More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations"],"prefix":"10.1007","author":[{"given":"Ethan","family":"Shernan","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Henry","family":"Carter","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Dave","family":"Tian","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Patrick","family":"Traynor","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Kevin","family":"Butler","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2015,6,23]]},"reference":[{"key":"13_CR1","unstructured":"Alexa Internet, Inc.: Alexa top sites (2014). http:\/\/www.alexa.com\/"},{"key":"13_CR2","unstructured":"Alur, D., Crupi, J., Malks, D.: Core j2ee patterns: best practices and design strategies (2001). http:\/\/www.corej2eepatterns.com\/Design\/PresoDesign.htm"},{"key":"13_CR3","unstructured":"AOL Inc.: Php sample (2014). http:\/\/identity.aol.com\/documentation\/start\/oauth2\/web-site-integration\/php-sample\/"},{"key":"13_CR4","unstructured":"Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: Authscan: automatic extraction of web authentication protocols from implementations. In: Proceedings of the Network and Distributed System Security Symposium (2013)"},{"key":"13_CR5","doi-asserted-by":"crossref","unstructured":"Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: Proceedings of the IEEE Computer Security Foundations Symposium (2012)","DOI":"10.1109\/CSF.2012.27"},{"key":"13_CR6","doi-asserted-by":"crossref","unstructured":"Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the ACM Conference on Computer and Communications Security (2008)","DOI":"10.1145\/1455770.1455782"},{"key":"13_CR7","unstructured":"Blizzard Entertainment, Inc.: Using OAuth (2014). https:\/\/dev.battle.net\/docs\/read\/oauth"},{"key":"13_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1007\/978-3-319-11379-1_14","volume-title":"Research in Attacks, Intrusions and Defenses","author":"Y Cao","year":"2014","unstructured":"Cao, Y., Shoshitaishvili, Y., Borgolte, K., Kruegel, C., Vigna, G., Chen, Y.: Protecting web-based single sign-on protocols against relying party impersonation attacks through a dedicated bi-directional authenticated secure channel. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 276\u2013298. Springer, Heidelberg (2014)"},{"key":"13_CR9","unstructured":"Chari, S., Jutla, C., Roy, A.: Universally composable security analysis of OAuth v2.0. Cryptology ePrint Archive, Report 2011\/526 (2011). http:\/\/eprint.iacr.org\/"},{"key":"13_CR10","doi-asserted-by":"crossref","unstructured":"Chen, E., Pei, Y., Chen, S., Tian, Y., Kotcher, R., Tague, P.: OAuth demystified for mobile application developers. In: Proceedings of the ACM Conference on Computer and Communications Security (2014)","DOI":"10.1145\/2660267.2660323"},{"key":"13_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1007\/978-3-642-54568-9_15","volume-title":"Data Privacy Management and Autonomous Spontaneous Security","author":"R-A Cherrueau","year":"2014","unstructured":"Cherrueau, R.-A., Douence, R., Royer, J.C., S\u00fcdholt, M., de Oliveira, A.S., Roudier, Y., Dell\u2019Amico, M.: Reference monitors for security and interoperability in OAuth 2.0. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W.M. (eds.) DPM 2013. LNCS, vol. 8247, pp. 236\u2013249. Springer, Heidelberg (2014)"},{"key":"13_CR12","doi-asserted-by":"crossref","unstructured":"Ferreira, H.G.C., de Sousa Junior, R.T., de Deus, F.E.G., Canedo, E.D.: Proposal of a secure, deployable and transparent middleware for internet of things. In: Proceedings of the Iberian Conference on Information Systems & Technologies (CISTI) (2014)","DOI":"10.1109\/CISTI.2014.6877069"},{"key":"13_CR13","doi-asserted-by":"crossref","unstructured":"Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: Proceedings of the ACM Conference on Computer and Communications Security (2012)","DOI":"10.1145\/2382196.2382204"},{"issue":"3","key":"13_CR14","first-page":"1","volume":"22","author":"K Gibbons","year":"2014","unstructured":"Gibbons, K., Raw, J.O.: Security evaluation of the OAuth 2.0 framework. Inf. Manage. Comput. Secur. 22(3), 1\u20138 (2014)","journal-title":"Inf. Manage. Comput. Secur."},{"key":"13_CR15","unstructured":"Hammer, E.: OAuth 2.0 (without signatures) is bad for the web (2010). http:\/\/hueniverse.com\/2010\/09\/15\/oauth-2-0-without-signatures-is-bad-for-the-web\/"},{"key":"13_CR16","unstructured":"Hammer, E.: OAuth 2.0 and the road to hell (2012). http:\/\/hueniverse.com\/2012\/07\/26\/oauth-2-0-and-the-road-to-hell\/"},{"key":"13_CR17","doi-asserted-by":"crossref","unstructured":"Hammer-Lahav, E.: The OAuth 1.0 protocol. RFC 5849, RFC Editor, April 2010. http:\/\/tools.ietf.org\/html\/rfc5849","DOI":"10.17487\/rfc5849"},{"key":"13_CR18","doi-asserted-by":"crossref","unstructured":"Hardt, D.: The OAuth 2.0 authorization framework. RFC 6749, RFC Editor, October 2012. http:\/\/tools.ietf.org\/html\/rfc6749","DOI":"10.17487\/rfc6749"},{"issue":"4","key":"13_CR19","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1145\/54289.871709","volume":"22","author":"N Hardy","year":"1988","unstructured":"Hardy, N.: The confused deputy: (or why capabilities might have been invented). SIGOPS Operating Syst. Rev. 22(4), 36\u201338 (1988)","journal-title":"SIGOPS Operating Syst. Rev."},{"issue":"3","key":"13_CR20","first-page":"134","volume":"56","author":"D Hhnlein","year":"2014","unstructured":"Hhnlein, D., Wich, T., Schmlz, J., Haase, H.M.: The evolution of identity management using the example of web-based applications. Inf. Technol. 56(3), 134\u2013140 (2014)","journal-title":"Inf. Technol."},{"key":"13_CR21","unstructured":"Homakov, E.: OAuth1, OAuth2, OAuth...? (2013). http:\/\/homakov.blogspot.jp\/2013\/03\/oauth1-oauth2-oauth.html"},{"key":"13_CR22","unstructured":"IFTTT Inc.: If this then that (2014). https:\/\/ifttt.com\/"},{"key":"13_CR23","unstructured":"INK361: Instagram web viewer - ink361 (2014). http:\/\/ink361.com\/"},{"key":"13_CR24","unstructured":"Instagram: Authentication (2014). http:\/\/instagram.com\/developer\/authentication\/"},{"key":"13_CR25","doi-asserted-by":"crossref","unstructured":"Jones, M., Hardt, D.: The OAuth 2.0 authorization framework: bearer token usage. RFC 6750, RFC Editor, October 2012. http:\/\/tools.ietf.org\/html\/rfc6750","DOI":"10.17487\/rfc6750"},{"key":"13_CR26","doi-asserted-by":"crossref","unstructured":"Jovanovic, N., Kirda, E., Kruegel, C.: Preventing cross site request forgery attacks. In: Proceedings of the International Conference on Security and Privacy in Communication Networks (Securecomm) (2006)","DOI":"10.1109\/SECCOMW.2006.359531"},{"key":"13_CR27","unstructured":"K\u00e4fer, K.: Cross site request forgery (2008). http:\/\/dump.kkaefer.com\/csrf-paper.pdf"},{"issue":"6","key":"13_CR28","first-page":"93","volume":"2","author":"G Kaur","year":"2013","unstructured":"Kaur, G., Aggarwal, D.: A survey paper on social sign-on protocol OAuth 2.0. J. Eng. Comput. Appl. Sci. 2(6), 93\u201396 (2013)","journal-title":"J. Eng. Comput. Appl. Sci."},{"key":"13_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"529","DOI":"10.1007\/978-3-319-13257-0_34","volume-title":"Information Security","author":"W Li","year":"2014","unstructured":"Li, W., Mitchell, C.J.: Security issues in OAuth 2.0 SSO implementations. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 529\u2013541. Springer, Heidelberg (2014)"},{"key":"13_CR30","doi-asserted-by":"crossref","unstructured":"Lodderstedt, T., McGloin, M., Hunt, P.: OAuth 2.0 threat model and security considerations. RFC 6819, RFC Editor, January 2013. http:\/\/tools.ietf.org\/html\/rfc6819","DOI":"10.17487\/rfc6819"},{"key":"13_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"238","DOI":"10.1007\/978-3-642-03549-4_15","volume-title":"Financial Cryptography and Data Security","author":"Z Mao","year":"2009","unstructured":"Mao, Z., Li, N., Molloy, I.: Defeating cross-site request forgery attacks with browser-enforced authenticity protection. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 238\u2013255. Springer, Heidelberg (2009)"},{"key":"13_CR32","unstructured":"Microsoft: liveconnect-client.js (2014). https:\/\/github.com\/OneNoteDev\/OneNoteAPISampleNodejs\/blob\/master\/lib\/liveconnect-client.js"},{"key":"13_CR33","doi-asserted-by":"crossref","unstructured":"Nauman, M., Khan, S., Othman, A.T., Musa, S.U., Rehman, N.U.: POAuth: privacy-aware open authorization for native apps on smartphone platforms. In: Proceedings of the International Conference on Ubiquitous Information Management and Communication (2012)","DOI":"10.1145\/2184751.2184825"},{"key":"13_CR34","unstructured":"Patterson, P.: Digging deeper into OAuth 2.0 on force.com (2014). https:\/\/developer.salesforce.com\/page\/Digging_Deeper_into_OAuth_2.0_on_Force.com"},{"key":"13_CR35","unstructured":"Python Software Foundation: urllib2 (2015). https:\/\/docs.python.org\/2\/library\/urllib2.html"},{"key":"13_CR36","unstructured":"Richardson, L.: Beautiful soup (2014). http:\/\/www.crummy.com\/software\/BeautifulSoup\/"},{"key":"13_CR37","unstructured":"Scrapinghub: Scrapy (2015). http:\/\/scrapy.org\/"},{"key":"13_CR38","unstructured":"Somorovsky, J., Mayer, A., Schwenk, J., Kampmann, M., Jensen, M.: On breaking saml: be whoever you want to be. In: Proceedings of the USENIX Security Symposium (2012)"},{"key":"13_CR39","doi-asserted-by":"crossref","unstructured":"Sun, S.T., Beznosov, K.: The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In: Proceedings of the ACM Conference on Computer and Communications Security (2012)","DOI":"10.1145\/2382196.2382238"},{"issue":"1","key":"13_CR40","doi-asserted-by":"publisher","first-page":"2:1","DOI":"10.1145\/2532639","volume":"13","author":"ST Sun","year":"2013","unstructured":"Sun, S.T., Pospisil, E., Muslukhov, I., Dindar, N., Hawkey, K., Beznosov, K.: Investigating users\u2019 perspectives of web single sign-on: conceptual gaps and acceptance model. ACM Trans. Internet Technol. 13(1), 2:1\u20132:35 (2013)","journal-title":"ACM Trans. Internet Technol."},{"key":"13_CR41","unstructured":"The crawler4j community: crawler4j (2015). https:\/\/code.google.com\/p\/crawler4j\/"},{"key":"13_CR42","unstructured":"The OpenID Foundation: OpenID (2015). http:\/\/openid.net\/"},{"key":"13_CR43","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"151","DOI":"10.1007\/978-3-319-04918-2_15","volume-title":"Passive and Active Measurement","author":"A Vapen","year":"2014","unstructured":"Vapen, A., Carlsson, N., Mahanti, A., Shahmehri, N.: Third-Party identity management usage on the web. In: Faloutsos, M., Kuzmanovic, A. (eds.) PAM 2014. LNCS, vol. 8362, pp. 151\u2013162. Springer, Heidelberg (2014)"},{"key":"13_CR44","doi-asserted-by":"crossref","unstructured":"Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through facebook and google: a traffic-guided security study of commercially deployed single-sign-on web services. In: Proceedings of the IEEE Symposium on Security and Privacy (2012)","DOI":"10.1109\/SP.2012.30"},{"key":"13_CR45","unstructured":"Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., Gurevich, Y.: Explicating SDKs: uncovering assumptions underlying secure authentication and authorization. In: Proceedings of the USENIX Security Symposium (2013)"},{"key":"13_CR46","unstructured":"Xing, L., Chen, Y., Wang, X., Chen, S.: Integuard: toward automatic protection of third-party web service integrations. In: Proceedings of the Network and Distributed System Security Symposium (2013)"},{"key":"13_CR47","doi-asserted-by":"crossref","unstructured":"Yang, F., Manoharan, S.: A security analysis of the OAuth protocol. In: IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM) (2013)","DOI":"10.1109\/PACRIM.2013.6625487"},{"key":"13_CR48","unstructured":"Yue, C.: The devil is phishing: rethinking web single sign-on systems security. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2013)"},{"key":"13_CR49","volume-title":"Cross-Site Request Forgeries: Exploitation and prevention","author":"W Zeller","year":"2008","unstructured":"Zeller, W., Felten, E.W.: Cross-Site Request Forgeries: Exploitation and prevention. Princeton University, Tech. rep. (2008)"},{"key":"13_CR50","unstructured":"Zhou, Y., Evans, D.: SSOScan: automated testing of web applications for single sign-on vulnerabilities. In: Proceedings of the USENIX Security Symposium (2014)"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-20550-2_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,2,21]],"date-time":"2023-02-21T02:03:58Z","timestamp":1676945038000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-20550-2_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015]]},"ISBN":["9783319205496","9783319205502"],"references-count":50,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-20550-2_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015]]},"assertion":[{"value":"23 June 2015","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}