Unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Embodiments relate to computer security, and in particular, to dynamic analysis security testing of multi-party web applications via attack patterns.
An increasing number of commercial online applications leverage trusted third parties (TTPs) in conjunction with web-based security protocols to meet their security needs. For instance, many online applications rely on authentication assertions issued by identity providers to authenticate users using a variety of web-based single sign-on (SSO) protocols.
Similarly, online shopping applications use online payment services and Cashier-as-a-Service (CaaS) protocols to obtain proof-of-payment before delivering the purchased items. For example, the use of PAYPAL PAYMENT has led to the widespread integration of CaaS APIs by websites implementing online shopping.
This scenario has been further combined with SSO. For instance, the "Log in with Paypal" feature not only allows users to log in to online shopping websites using their PAYPAL credentials, but also lets them check out directly without having to log in to PAYPAL again. The broad class of applications built on such protocols is herein referred to as security-critical Multi-Party Web Applications (MPWAs).
Three entities may take part in these protocols: the user U (through a web browser B), the web application (playing the role of Service Provider, SP), and a TTP. However, the design and implementation of the protocols used by MPWAs may be subject to errors leading to security vulnerabilities.
For instance, the incorrect handling of the OAuth 2.0 access token by a vulnerable SP can be exploited by an attacker hosting another SP. If the user (the victim) logs into the attacker's SP, the attacker obtains an access token issued on behalf of the victim and can replay it to the vulnerable SP to log in as the victim. The attack succeeds because the vulnerable SP accepts any access token the TTP recognizes as valid without checking that the token was issued to the SP's own client, so a token obtained by a different SP is indistinguishable from one the vulnerable SP requested itself.
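The following is an added, constructed example (not code from the application or from any identity provider) that models the replay described above with a toy in-memory identity provider and three SPs. The class names, the `authorize`/`introspect` calls and the client identifiers `attacker-shop` and `honest-shop` are assumptions for illustration; a real deployment performs the same steps over HTTPS against the TTP's token-introspection or user-info endpoint. The vulnerable SP logs in whoever the token names; the hardened SP additionally requires that the token was issued to its own client, which is the check the text says is missing.

```python
"""Constructed model of cross-SP OAuth 2.0 access-token replay.

Added example, not part of the original text. The identity provider (IdP),
the SPs and the token format are simplified in-memory stand-ins; the client
identifiers below are made up for the demonstration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TokenInfo:
    """What the IdP reports when an SP asks it about a token."""
    user_id: str
    client_id: str  # the OAuth client (SP) the token was issued to


class IdentityProvider:
    """Toy IdP: issues bearer tokens bound to (user, client) and introspects them."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenInfo] = {}

    def authorize(self, user_id: str, client_id: str) -> str:
        """The user consents at the IdP; the IdP returns a token for client_id."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = TokenInfo(user_id, client_id)
        return token

    def introspect(self, token: str) -> Optional[TokenInfo]:
        """Returns the token's metadata, or None if the IdP never issued it."""
        return self._tokens.get(token)


class VulnerableSP:
    """SP that accepts any token the IdP recognizes, whoever it was issued to."""

    def __init__(self, idp: IdentityProvider, client_id: str) -> None:
        self.idp = idp
        self.client_id = client_id

    def login_with_token(self, token: str) -> Optional[str]:
        info = self.idp.introspect(token)
        if info is None:
            return None
        return info.user_id  # missing: is this token really ours?


class HardenedSP(VulnerableSP):
    """Same SP, but a token issued to another client is rejected."""

    def login_with_token(self, token: str) -> Optional[str]:
        info = self.idp.introspect(token)
        if info is None or info.client_id != self.client_id:
            return None
        return info.user_id


class AttackerSP:
    """An SP run by the attacker. A victim who logs in here hands the attacker
    a token the IdP issued for the attacker's client, naming the victim."""

    def __init__(self, idp: IdentityProvider, client_id: str) -> None:
        self.idp = idp
        self.client_id = client_id

    def capture_token_from_victim(self, victim_id: str) -> str:
        # The victim completes "Log in with <IdP>" on the attacker's site.
        return self.idp.authorize(victim_id, self.client_id)


def run_replay_attack(sp_cls) -> Optional[str]:
    """Victim logs into the attacker's SP; attacker replays the token at the
    target SP. Returns the identity the target SP logs in, or None."""
    idp = IdentityProvider()
    attacker = AttackerSP(idp, "attacker-shop")
    target = sp_cls(idp, "honest-shop")
    stolen = attacker.capture_token_from_victim("alice")
    return target.login_with_token(stolen)


def run_legitimate_login(sp_cls) -> Optional[str]:
    """Control case: the user logs in directly at the target SP."""
    idp = IdentityProvider()
    target = sp_cls(idp, "honest-shop")
    own_token = idp.authorize("alice", target.client_id)
    return target.login_with_token(own_token)


if __name__ == "__main__":
    print("vulnerable SP, replayed token ->", run_replay_attack(VulnerableSP))
    print("hardened SP,   replayed token ->", run_replay_attack(HardenedSP))
    print("hardened SP,   own token      ->", run_legitimate_login(HardenedSP))
```

In a real integration the `client_id` comparison corresponds to verifying the audience of the token (the `aud` or `azp` claim of an ID token, or the client identifier reported by the provider's token-info endpoint) against the SP's own registered client identifier before trusting the user identity the token carries.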