Securing public APIs using OAuth and OAuthLib
2012 (English)
Independent thesis, Basic level (professional degree), 10 credits / 15 HE credits
Student thesis
Abstract [en]

Web applications live in a chaotic mess of conflicting standards and intentions. In an effort to introduce order, a protocol targeting user authorisation was developed and named Open Authorisation (OAuth). Correct implementation of the protocol is paramount to the security of OAuth 1 and OAuth 2 providers. The development of a provider can be facilitated by a dedicated OAuth library, which in the field of information security is generally accepted as best practice. OAuthLib aims to fill the Python OAuth library void and has a strong focus on usability and security. My goal for this study was to advance the progress of OAuthLib by contributing a foundation for OAuthLib features, based on common security-related mistakes made by OAuth providers. Errors were identified in a two-step process. First, an estimate of probable errors was created through a cross-section analysis of the CWE/SANS Top 25 Most Dangerous Software Errors list and the two OAuth protocols. Sixteen of the twenty-five outlined errors were found to be applicable to OAuth providers. Second, the estimate was validated and extended through interviews with providers and security experts. Three additional types of vulnerabilities were identified in these interviews, including the surprisingly extensive but not yet widely recognised timing-attack vulnerability. Mitigation techniques were explored for all nineteen identified errors. As a result, nine errors are now automatically mitigated through new features in the OAuthLib library, the majority through strict whitelisting of all input parameters and HTTPS enforcement. Furthermore, recommendations for how to mitigate the remaining 10 errors were included in the OAuthLib documentation. Unfortunately, due to time restrictions, only OAuth 1 features could be developed, and OAuth 2 remains future work.

Keyword [sv]
Teknik, oauth, oauthlib, security, python, owasp, cwe
URN: urn:nbn:se:ltu:diva-52098
Local ID: 93e405ff-edde-4b60-bc80-8d237553807a
OAI: diva2:1025464
Subject / course
Student thesis, at least 15 credits
Educational program
Computer Engineering, bachelor's level
Validated; 20120627 (anonymous)
Available from: 2016-10-04
Created: 2016-10-04
Bibliographically approved

Open Access in DiVA

Full text (657 kB)
File name: FULLTEXT02.pdf
File size: 657 kB
Checksum: SHA-512
Type: fulltext
Mimetype: application/pdf

Author/editor: Lundgren, Ib
