{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T23:30:36Z","timestamp":1774999836149,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","license":[{"start":{"date-parts":[[2016,10,24]],"date-time":"2016-10-24T00:00:00Z","timestamp":1477267200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001659","name":"Deutsche Forschungsgemeinschaft","doi-asserted-by":"publisher","award":["KU 1434\/10-1"],"award-info":[{"award-number":["KU 1434\/10-1"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,10,24]]},"DOI":"10.1145\/2976749.2978385","type":"proceedings-article","created":{"date-parts":[[2016,10,25]],"date-time":"2016-10-25T12:46:35Z","timestamp":1477399595000},"page":"1204-1215","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":149,"title":["A Comprehensive Formal Security Analysis of OAuth 2.0"],"prefix":"10.1145","author":[{"given":"Daniel","family":"Fett","sequence":"first","affiliation":[{"name":"University of Trier, Trier, Germany"}]},{"given":"Ralf","family":"K\u00fcsters","sequence":"additional","affiliation":[{"name":"University of Trier, Trier, Germany"}]},{"given":"Guido","family":"Schmitz","sequence":"additional","affiliation":[{"name":"University of Trier, Trier, Germany"}]}],"member":"320","published-online":{"date-parts":[[2016,10,24]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/360204.360213"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2010.27"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2012.08.007"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1456396.1456397"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-36830-1_7"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-140503"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"key":"e_1_3_2_1_8_1","volume-title":"Encoding claims in the OAuth 2 state parameter using a JWT -- draft-bradley-oauth-jwt-encoded-state-05. IETF","author":"Bradley J.","year":"2015"},{"key":"e_1_3_2_1_9_1","volume-title":"Universally Composable Security Analysis of OAuth v2.0. IACR Cryptology ePrint Archive","author":"Chari S.","year":"2011"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660323"},{"key":"e_1_3_2_1_11_1","unstructured":"Chromium Project. HSTS Preload Submission. https:\/\/hstspreload.appspot.com\/.  Chromium Project. HSTS Preload Submission. https:\/\/hstspreload.appspot.com\/."},{"key":"e_1_3_2_1_12_1","unstructured":"Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014. http:\/\/www.w3.org\/TR\/2014\/REC-cors-20140116\/.  Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014. http:\/\/www.w3.org\/TR\/2014\/REC-cors-20140116\/."},{"key":"e_1_3_2_1_13_1","first-page":"w3c","article-title":"Referrer Policy -- Editor's Draft, 28 March 2016","author":"Eisinger J.","year":"2016","journal-title":"W3C."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.49"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-24174-6_3"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813726"},{"key":"e_1_3_2_1_18_1","volume-title":"and J","author":"Fielding R.","year":"2014"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC2617"},{"key":"e_1_3_2_1_20_1","volume-title":"RFC6749 -- The OAuth 2.0 Authorization Framework. IETF","author":"Hardt D.","year":"2012"},{"key":"e_1_3_2_1_21_1","volume-title":"How I hacked Github again","author":"Homakov E.","year":"2014"},{"key":"e_1_3_2_1_22_1","volume-title":"OAuth 2.0 Mix-Up Mitigation -- draft-ietf-oauth-mix-up-mitigation-01. IETF","author":"Jones M.","year":"2016"},{"key":"e_1_3_2_1_23_1","first-page":"464","volume":"2007","author":"Kerschbaum F.","year":"2007","journal-title":"Simple Cross-Site Attack Prevention. In SecureComm"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420993"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-13257-0_34"},{"key":"e_1_3_2_1_26_1","volume-title":"McGloin, and P. Hunt. RFC6819 -- OAuth 2.0 Threat Model and Security Considerations. IETF","author":"T.","year":"2013"},{"key":"e_1_3_2_1_27_1","volume-title":"On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect. CoRR, abs\/1508.04324v2","author":"Mladenov V.","year":"2016"},{"key":"e_1_3_2_1_28_1","unstructured":"Open Web Application Security Project (OWASP). Session fixation. https:\/\/www.owasp.org\/index.php\/Session_Fixation.  Open Web Application Security Project (OWASP). Session fixation. https:\/\/www.owasp.org\/index.php\/Session_Fixation."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSNT.2011.141"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7662"},{"key":"e_1_3_2_1_31_1","volume-title":"OpenID Connect Core 1.0 incorporating errata set 1","author":"Sakimura N.","year":"2014"},{"key":"e_1_3_2_1_32_1","first-page":"2014","article-title":"Bypassing HTTP Strict Transport Security","author":"Selvi J.","year":"2014","journal-title":"Blackhat (Europe)"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/MobServ.2014.15"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_13"},{"key":"e_1_3_2_1_35_1","volume-title":"Facebook Connect Market Share and Web Usage Statistics. Last visited","year":"2015"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382238"},{"key":"e_1_3_2_1_37_1","first-page":"399","volume":"2013","author":"Wang R.","year":"2013","journal-title":"In USENIX Security"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897874"},{"key":"e_1_3_2_1_39_1","first-page":"707","volume-title":"USENIX Security 2015","author":"Zheng X.","year":"2015"}],"event":{"name":"CCS'16: 2016 ACM SIGSAC Conference on Computer and Communications Security","location":"Vienna Austria","acronym":"CCS'16","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2976749.2978385","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2976749.2978385","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:40:14Z","timestamp":1750218014000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2976749.2978385"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,10,24]]},"references-count":38,"alternative-id":["10.1145\/2976749.2978385","10.1145\/2976749"],"URL":"https:\/\/doi.org\/10.1145\/2976749.2978385","relation":{},"subject":[],"published":{"date-parts":[[2016,10,24]]},"assertion":[{"value":"2016-10-24","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}