Thanks to the wide range of features offered by the World Wide Web (WWW), many web applications have been published and developed through different libraries and programming languages. Adapting to new changes, the Web quickly evolved into a complex ecosystem, introducing many security problems to its users. To solve these problems, instead of re-designing the Web, the vendors added the security patches (protocols, mechanisms)to the Web platform to provide a more convenient and more secure environment for web users. However, not only did these patches not completely resolve the security problems, but their implementations also introduced other security risks unbeknownst to website operators and users. In this thesis, I propose a novel research on two different security patches to understand and analyze their deployment in real-world scenarios and discover the unseen, neglected factors and the elements involved in exploiting their use: one security protocol, OAuth, and one security mechanism, CORS. As this thesis is based on offensive approaches, I develop automated methodologies, including novel strategies for analyzing and measuring the security qualities of the OAuth protocol and CORS mechanism in real-world scenarios.

Analysis of Oauth and CORS vulnerabilities in the wild / Arshad, Elham. - (2022 Dec 06), pp. 1-137. [10.15168/11572_361123]

Analysis of Oauth and CORS vulnerabilities in the wild

Arshad, Elham
2022-12-06

Abstract

Thanks to the wide range of features offered by the World Wide Web (WWW), many web applications have been published and developed through different libraries and programming languages. Adapting to new changes, the Web quickly evolved into a complex ecosystem, introducing many security problems to its users. To solve these problems, instead of re-designing the Web, the vendors added the security patches (protocols, mechanisms)to the Web platform to provide a more convenient and more secure environment for web users. However, not only did these patches not completely resolve the security problems, but their implementations also introduced other security risks unbeknownst to website operators and users. In this thesis, I propose a novel research on two different security patches to understand and analyze their deployment in real-world scenarios and discover the unseen, neglected factors and the elements involved in exploiting their use: one security protocol, OAuth, and one security mechanism, CORS. As this thesis is based on offensive approaches, I develop automated methodologies, including novel strategies for analyzing and measuring the security qualities of the OAuth protocol and CORS mechanism in real-world scenarios.
6-dic-2022
XXXIV
2021-2022
Ingegneria e Scienza dell'Informaz (cess.4/11/12)
Information and Communication Technology
Crispo, Bruno
no
Inglese, Medio (1100-1500)
File in questo prodotto:
File Dimensione Formato  
phd_unitn_Arshad_Elham.pdf

accesso aperto

Tipologia: Tesi di dottorato (Doctoral Thesis)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 1.19 MB
Formato Adobe PDF
1.19 MB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/361123
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact