{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T23:20:49Z","timestamp":1777591249231,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":28,"publisher":"ACM","license":[{"start":{"date-parts":[[2019,11,11]],"date-time":"2019-11-11T00:00:00Z","timestamp":1573430400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2019,11,11]]},"DOI":"10.1145\/3338500.3360331","type":"proceedings-article","created":{"date-parts":[[2019,11,7]],"date-time":"2019-11-07T19:43:22Z","timestamp":1573155802000},"page":"35-44","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":23,"title":["OAuthGuard"],"prefix":"10.1145","author":[{"given":"Wanpeng","family":"Li","sequence":"first","affiliation":[{"name":"Manchester Metropolitan University, Manchester, United Kingdom"}]},{"given":"Chris J.","family":"Mitchell","sequence":"additional","affiliation":[{"name":"Royal Holloway, University of London, Surrey, United Kingdom"}]},{"given":"Thomas","family":"Chen","sequence":"additional","affiliation":[{"name":"City, University of London, London, United Kingdom"}]}],"member":"320","published-online":{"date-parts":[[2019,11,11]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.5555\/2699784.2699789"},{"key":"e_1_3_2_1_2_1","unstructured":"Chetan Bansal Karthikeyan Bhargavan and S. Maffeis. 2011. WebSpi and web application models. (2011). http:\/\/prosecco.gforge.inria.fr\/webspi\/CSF\/.  Chetan Bansal Karthikeyan Bhargavan and S. Maffeis. 2011. WebSpi and web application models. (2011). http:\/\/prosecco.gforge.inria.fr\/webspi\/CSF\/."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"key":"e_1_3_2_1_4_1","unstructured":"Bruno Blanchet and Ben Smyth. [n.d.]. ProVerif: Cryptographic protocol verifier in the formal model.( [n. d.]). http:\/\/prosecco.gforge.inria.fr\/personal\/bblanche\/proverif\/.  Bruno Blanchet and Ben Smyth. [n.d.]. ProVerif: Cryptographic protocol verifier in the formal model.( [n. d.]). http:\/\/prosecco.gforge.inria.fr\/personal\/bblanche\/proverif\/."},{"key":"e_1_3_2_1_5_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Calzavara Stefano","year":"2018","unstructured":"Stefano Calzavara , Riccardo Focardi , Matteo Maffei , Clara Schneidewind , Marco Squarcina , and Mauro Tempesta . 2018 . WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring . In 27th USENIX Security Symposium (USENIX Security 18) . 1493--1510. Stefano Calzavara, Riccardo Focardi, Matteo Maffei, Clara Schneidewind, Marco Squarcina, and Mauro Tempesta. 2018. WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring. In 27th USENIX Security Symposium (USENIX Security 18). 1493--1510."},{"key":"e_1_3_2_1_6_1","first-page":"526","article-title":"Universally Composable Security Analysis of OAuth v2.0","volume":"2011","author":"Chari Suresh","year":"2011","unstructured":"Suresh Chari , Charanjit S Jutla , and Arnab Roy . 2011 . Universally Composable Security Analysis of OAuth v2.0 . IACR Cryptology ePrint Archive , Vol. 2011 (2011), 526 . Suresh Chari, Charanjit S Jutla, and Arnab Roy. 2011. Universally Composable Security Analysis of OAuth v2.0. IACR Cryptology ePrint Archive, Vol. 2011 (2011), 526.","journal-title":"IACR Cryptology ePrint Archive"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660323"},{"key":"e_1_3_2_1_8_1","volume-title":"8th International Conference, CAV '96, New Brunswick, NJ, USA, July 31 -- August 3, 1996, Proceedings (Lecture Notes in Computer Science),, Rajeev Alur and Thomas A. Henzinger (Eds.)","volume":"1102","author":"Dill David L","year":"1996","unstructured":"David L Dill . 1996 . The Murphi Verification System. In Computer Aided Verification , 8th International Conference, CAV '96, New Brunswick, NJ, USA, July 31 -- August 3, 1996, Proceedings (Lecture Notes in Computer Science),, Rajeev Alur and Thomas A. Henzinger (Eds.) , Vol. 1102 . Springer, 390--393. David L Dill. 1996. The Murphi Verification System. In Computer Aided Verification, 8th International Conference, CAV '96, New Brunswick, NJ, USA, July 31 -- August 3, 1996, Proceedings (Lecture Notes in Computer Science),, Rajeev Alur and Thomas A. Henzinger (Eds.), Vol. 1102. Springer, 390--393."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978385"},{"key":"e_1_3_2_1_10_1","volume-title":"The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines. arXiv preprint arXiv:1704.08539","author":"Fett Daniel","year":"2017","unstructured":"Daniel Fett , Ralf K\u00fcsters , and Guido Schmitz . 2017. The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines. arXiv preprint arXiv:1704.08539 ( 2017 ). Daniel Fett, Ralf K\u00fcsters, and Guido Schmitz. 2017. The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines. arXiv preprint arXiv:1704.08539 (2017)."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"crossref","unstructured":"Roy Fielding Jim Gettys Jeffrey Mogul Henrik Frystyk Larry Masinter Paul Leach and Tim Berners-Lee. 1999. RFC 2616: Hypertext transfer protocol--HTTP\/1.1. https:\/\/tools.ietf.org\/html\/rfc2616.  Roy Fielding Jim Gettys Jeffrey Mogul Henrik Frystyk Larry Masinter Paul Leach and Tim Berners-Lee. 1999. RFC 2616: Hypertext transfer protocol--HTTP\/1.1. https:\/\/tools.ietf.org\/html\/rfc2616.","DOI":"10.17487\/rfc2616"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"crossref","unstructured":"Dick Hardt (editor). 2012. RFC 6749: The OAuth 2.0 Authorization Framework. (October 2012). http:\/\/tools.ietf.org\/html\/rfc6749.  Dick Hardt (editor). 2012. RFC 6749: The OAuth 2.0 Authorization Framework. (October 2012). http:\/\/tools.ietf.org\/html\/rfc6749.","DOI":"10.17487\/rfc6749"},{"key":"e_1_3_2_1_13_1","unstructured":"2010. Alloy 4.1. (2010). http:\/\/alloy.mit.edu\/community\/.  2010. Alloy 4.1. (2010). http:\/\/alloy.mit.edu\/community\/."},{"key":"e_1_3_2_1_14_1","volume-title":"ISC 2014, Hong Kong, China, October 12-14, 2014. Proceedings (Lecture Notes in Computer Science),, Sherman S. M. Chow, Jan Camenisch, Lucas Chi Kwong Hui, and Siu-Ming Yiu (Eds.)","volume":"8783","author":"Li Wanpeng","unstructured":"Wanpeng Li and Chris J. Mitchell . 2014. Security Issues in OAuth 2.0 SSO Implementations. In Information Security -- 17th International Conference , ISC 2014, Hong Kong, China, October 12-14, 2014. Proceedings (Lecture Notes in Computer Science),, Sherman S. M. Chow, Jan Camenisch, Lucas Chi Kwong Hui, and Siu-Ming Yiu (Eds.) , Vol. 8783 . Springer, 529--541. https:\/\/doi.org\/10.1007\/978-3-319-13257-0_34 10.1007\/978-3-319-13257-0_34 Wanpeng Li and Chris J. Mitchell. 2014. Security Issues in OAuth 2.0 SSO Implementations. In Information Security -- 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014. Proceedings (Lecture Notes in Computer Science),, Sherman S. M. Chow, Jan Camenisch, Lucas Chi Kwong Hui, and Siu-Ming Yiu (Eds.), Vol. 8783. Springer, 529--541. https:\/\/doi.org\/10.1007\/978-3-319-13257-0_34"},{"key":"e_1_3_2_1_15_1","volume-title":"DIMVA 2016, San Sebasti\u00e1 n, Spain, July 7--8, 2016, Proceedings (Lecture Notes in Computer Science),, Juan Caballero, Urko Zurutuza, and Ricardo J. Rodr'i guez (Eds.)","volume":"9721","author":"Li Wanpeng","unstructured":"Wanpeng Li and Chris J. Mitchell . 2016a. Analysing the Security of Google's Implementation of OpenID Connect. In Detection of Intrusions and Malware, and Vulnerability Assessment -- 13th International Conference , DIMVA 2016, San Sebasti\u00e1 n, Spain, July 7--8, 2016, Proceedings (Lecture Notes in Computer Science),, Juan Caballero, Urko Zurutuza, and Ricardo J. Rodr'i guez (Eds.) , Vol. 9721 . Springer, 357--376. https:\/\/doi.org\/10.1007\/978-3-319-40667-1_18 10.1007\/978-3-319-40667-1_18 Wanpeng Li and Chris J. Mitchell. 2016a. Analysing the Security of Google's Implementation of OpenID Connect. In Detection of Intrusions and Malware, and Vulnerability Assessment -- 13th International Conference, DIMVA 2016, San Sebasti\u00e1 n, Spain, July 7--8, 2016, Proceedings (Lecture Notes in Computer Science),, Juan Caballero, Urko Zurutuza, and Ricardo J. Rodr'i guez (Eds.), Vol. 9721. Springer, 357--376. https:\/\/doi.org\/10.1007\/978-3-319-40667-1_18"},{"key":"e_1_3_2_1_16_1","volume-title":"Mitchell","author":"Li Wanpeng","year":"2016","unstructured":"Wanpeng Li and Chris J . Mitchell . 2016 b. Does the IdP Mix-Up attack really work? (2016). https:\/\/infsec.uni-trier.de\/download\/oauth-workshop-2016\/OSW2016_paper_1.pdf. Wanpeng Li and Chris J. Mitchell. 2016b. Does the IdP Mix-Up attack really work? (2016). https:\/\/infsec.uni-trier.de\/download\/oauth-workshop-2016\/OSW2016_paper_1.pdf."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2018.8514180"},{"key":"e_1_3_2_1_18_1","volume-title":"Security Protocols XXVI - 26th International Workshop","author":"Li Wanpeng","year":"2018","unstructured":"Wanpeng Li , Chris J. Mitchell , and Thomas Chen . 2018b. Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations . In Security Protocols XXVI - 26th International Workshop , Cambridge, UK , March 19--21, 2018 , Revised Selected Papers (Lecture Notes in Computer Science), Vashek Maty\u00e1 s, Petr Svenda, Frank Stajano, Bruce Christianson, and Jonathan Anderson (Eds.), Vol. 11286 . Springer , 24--41. https:\/\/doi.org\/10.1007\/978-3-030-03251-7_3 10.1007\/978-3-030-03251-7_3 Wanpeng Li, Chris J. Mitchell, and Thomas Chen. 2018b. Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations. In Security Protocols XXVI - 26th International Workshop, Cambridge, UK, March 19--21, 2018, Revised Selected Papers (Lecture Notes in Computer Science), Vashek Maty\u00e1 s, Petr Svenda, Frank Stajano, Bruce Christianson, and Jonathan Anderson (Eds.), Vol. 11286. Springer, 24--41. https:\/\/doi.org\/10.1007\/978-3-030-03251-7_3"},{"key":"e_1_3_2_1_19_1","unstructured":"Torsten Lodderstedt Mark McGloin and Phil Hunt. 2013. RFC 6819: OAuth 2.0 Threat Model and Security Considerations. (2013). http:\/\/tools.ietf.org\/html\/rfc6819.  Torsten Lodderstedt Mark McGloin and Phil Hunt. 2013. RFC 6819: OAuth 2.0 Threat Model and Security Considerations. (2013). http:\/\/tools.ietf.org\/html\/rfc6819."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSNT.2011.141"},{"key":"e_1_3_2_1_21_1","unstructured":"Nat Sakimura John Bradley Michael Jones Breno de Medeiros and Mortimore Chuck. 2014. OpenID Connect Core 1.0. (2014). http:\/\/openid.net\/specs\/openid-connect-core-1_0.html.  Nat Sakimura John Bradley Michael Jones Breno de Medeiros and Mortimore Chuck. 2014. OpenID Connect Core 1.0. (2014). http:\/\/openid.net\/specs\/openid-connect-core-1_0.html."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2557547.2557588"},{"key":"e_1_3_2_1_23_1","unstructured":"Quinn Slack and Roy Frostig. 2011. Murphi Analysis of OAuth 2.0 Implicit Grant Flow. (2011). http:\/\/www.stanford.edu\/class\/cs259\/WWW11\/.  Quinn Slack and Roy Frostig. 2011. Murphi Analysis of OAuth 2.0 Implicit Grant Flow. (2011). http:\/\/www.stanford.edu\/class\/cs259\/WWW11\/."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382238"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.30"},{"key":"e_1_3_2_1_26_1","volume-title":"ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings (Lecture Notes in Computer Science), Dieter Gollmann, Atsuko Miyaji, and Hiroaki Kikuchi (Eds.)","volume":"10355","author":"Yang Ronghai","year":"2017","unstructured":"Ronghai Yang , Wing Cheong Lau , and Shangcheng Shi . 2017 . Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols. In Applied Cryptography and Network Security - 15th International Conference , ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings (Lecture Notes in Computer Science), Dieter Gollmann, Atsuko Miyaji, and Hiroaki Kikuchi (Eds.) , Vol. 10355 . Springer, 313--335. https:\/\/doi.org\/10.1007\/978-3-319-61204-1_16 10.1007\/978-3-319-61204-1_16 Ronghai Yang, Wing Cheong Lau, and Shangcheng Shi. 2017. Breaking and Fixing Mobile App Authentication with OAuth2.0-based Protocols. In Applied Cryptography and Network Security - 15th International Conference, ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings (Lecture Notes in Computer Science), Dieter Gollmann, Atsuko Miyaji, and Hiroaki Kikuchi (Eds.), Vol. 10355. Springer, 313--335. https:\/\/doi.org\/10.1007\/978-3-319-61204-1_16"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897874"},{"key":"e_1_3_2_1_28_1","volume-title":"Zhou and David Evans. 2014 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In Proceedings of the 23rd USENIX Security Symposium","author":"Yuchen","year":"2014","unstructured":"Yuchen Zhou and David Evans. 2014 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In Proceedings of the 23rd USENIX Security Symposium , San Diego, CA, USA , August 20-22, 2014 ,, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 495--510. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/zhou Yuchen Zhou and David Evans. 2014 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014,, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 495--510. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/zhou"}],"event":{"name":"CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security","location":"London United Kingdom","acronym":"CCS '19","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 5th ACM Workshop on Security Standardisation Research Workshop"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3338500.3360331","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3338500.3360331","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:12:49Z","timestamp":1750201969000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3338500.3360331"}},"subtitle":["Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect"],"short-title":[],"issued":{"date-parts":[[2019,11,11]]},"references-count":28,"alternative-id":["10.1145\/3338500.3360331","10.1145\/3338500"],"URL":"https:\/\/doi.org\/10.1145\/3338500.3360331","relation":{},"subject":[],"published":{"date-parts":[[2019,11,11]]},"assertion":[{"value":"2019-11-11","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}