Securing public APIs using OAuth and OAuthLib
2012 (English). Independent thesis, basic level (professional degree), 10 credits / 15 HE credits. Student thesis.
Abstract [en]

Web applications live in a chaotic mess of conflicting standards and intentions. In an effort to introduce order, a protocol targeting user authorisation was developed and named Open Authorisation (OAuth). Correct implementation of the protocol is paramount to the security of OAuth 1 and OAuth 2 providers. The development of a provider can be facilitated by a dedicated OAuth library, which in the field of information security is generally accepted as best practice. OAuthLib aims to fill the Python OAuth library void and has a strong focus on usability and security. My goal for this study was to advance the progress of OAuthLib by contributing a foundation for OAuthLib features, based on common security-related mistakes made by OAuth providers. Errors were identified in a two-step process. Firstly, an estimate of probable errors was created through a cross-section analysis of the CWE/SANS Top 25 Most Dangerous Software Errors list and the two OAuth protocols. Sixteen of the twenty-five outlined errors were found to be applicable to OAuth providers. Secondly, the estimate was validated and extended through interviews with providers and security experts. Three additional types of vulnerabilities were identified in these interviews, including the surprisingly extensive but not yet widely recognised timing attack vulnerability. Mitigation techniques were explored for all nineteen identified errors. As a result, nine errors are now automatically mitigated through new features in the OAuthLib library, the majority through strict whitelisting of all input parameters and HTTPS enforcement. Furthermore, recommendations for how to mitigate the remaining 10 errors were included in the OAuthLib documentation. Unfortunately, due to time restrictions, only OAuth 1 features could be developed, and OAuth 2 remains future work.

Place, publisher, year, edition, pages
2012.
Keywords [en]
Technology
Keywords [sv]
Teknik, oauth, oauthlib, security, python, owasp, cwe
Identifiers
URN: urn:nbn:se:ltu:diva-52098
Local ID: 93e405ff-edde-4b60-bc80-8d237553807a
OAI: oai:DiVA.org:ltu-52098
DiVA id: diva2:1025464
Subject / course
Student thesis, at least 15 credits
Educational program
Computer Engineering, bachelor's level
Supervisors
Examiners
Note
Validated; 20120627 (anonymous). Available from: 2016-10-04. Created: 2016-10-04. Bibliographically approved.

Open Access in DiVA

fulltext (657 kB), 807 downloads
File information
File name: FULLTEXT02.pdf
File size: 657 kB
Checksum (SHA-512): b09a660bd8ce517e8a50bcf8d1b9a18351d6f616ce141c21288f9fbf8ec2672222964688ac51a666cfd1b43a09105565b08403248844b1f521e714cd61985517
Type: fulltext
Mimetype: application/pdf

Author/editor: Lundgren, Ib

Total: 809 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are no longer available.
Total: 4005 hits