在通过 HTTP/HTTPS 的 OAuth 2.0 协议验证的智能环境中进行漏洞检测

Q1 Mathematics

International Journal of Computer Network and Information Security Pub Date : 2024-04-08 DOI:10.5815/ijcnis.2024.02.01

Gilson da Silva Francisco, Anderson Aparecido Alves da Silva, Marcelo Teixeira de Azevedo, E. T. Ueda, A. Guelfi, Jose Jesus Perez Alcazar

{"title":"在通过 HTTP/HTTPS 的 OAuth 2.0 协议验证的智能环境中进行漏洞检测","authors":"Gilson da Silva Francisco, Anderson Aparecido Alves da Silva, Marcelo Teixeira de Azevedo, E. T. Ueda, A. Guelfi, Jose Jesus Perez Alcazar","doi":"10.5815/ijcnis.2024.02.01","DOIUrl":null,"url":null,"abstract":"OAuth 2.0 provides an open secure protocol for authorizing users across the web. However, many modalities of this standard allow these protections to be implemented optionally. Thus, its use does not guarantee security by itself and some of the deployment options in the OAuth 2.0 specification can lead to incorrect settings. FIWARE is an open platform for developing Internet applications of the future. It is the result of the international entity Future Internet Public-Private Partnership. [1,2] FIWARE was designed to provide a broad set of API to stimulate the development of new businesses in the context of the European Union. This platform can be understood as a modular structure to reach a broad spectrum of applications such as IoT, big data, smart device management, security, open data, and virtualization, among others. Regarding security, the exchange of messages between its components is done through the OAuth 2.0 protocol. The objective of the present work is to create a system that allows the detection and analysis of vulnerabilities of OAuth 2.0, executed on HTTP/HTTPS in an on-premise development environment focused on the management of IoT devices and to help developers to implement them ensuring security for these environments. Through the system proposed by this paper, it was possible to find vulnerabilities in FIWARE components in HTTP/HTTPS environments. With this evidence, mitigations were proposed based on the mandatory recommendations by the IETF.","PeriodicalId":36488,"journal":{"name":"International Journal of Computer Network and Information Security","volume":"167 6","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Vulnerability Detection in Intelligent Environments Authenticated by the OAuth 2.0 Protocol over HTTP/HTTPS\",\"authors\":\"Gilson da Silva Francisco, Anderson Aparecido Alves da Silva, Marcelo Teixeira de Azevedo, E. T. Ueda, A. Guelfi, Jose Jesus Perez Alcazar\",\"doi\":\"10.5815/ijcnis.2024.02.01\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"OAuth 2.0 provides an open secure protocol for authorizing users across the web. However, many modalities of this standard allow these protections to be implemented optionally. Thus, its use does not guarantee security by itself and some of the deployment options in the OAuth 2.0 specification can lead to incorrect settings. FIWARE is an open platform for developing Internet applications of the future. It is the result of the international entity Future Internet Public-Private Partnership. [1,2] FIWARE was designed to provide a broad set of API to stimulate the development of new businesses in the context of the European Union. This platform can be understood as a modular structure to reach a broad spectrum of applications such as IoT, big data, smart device management, security, open data, and virtualization, among others. Regarding security, the exchange of messages between its components is done through the OAuth 2.0 protocol. The objective of the present work is to create a system that allows the detection and analysis of vulnerabilities of OAuth 2.0, executed on HTTP/HTTPS in an on-premise development environment focused on the management of IoT devices and to help developers to implement them ensuring security for these environments. Through the system proposed by this paper, it was possible to find vulnerabilities in FIWARE components in HTTP/HTTPS environments. With this evidence, mitigations were proposed based on the mandatory recommendations by the IETF.\",\"PeriodicalId\":36488,\"journal\":{\"name\":\"International Journal of Computer Network and Information Security\",\"volume\":\"167 6\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-04-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Computer Network and Information Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.5815/ijcnis.2024.02.01\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"Mathematics\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Computer Network and Information Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.5815/ijcnis.2024.02.01","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"Mathematics","Score":null,"Total":0}

引用次数: 0

摘要

OAuth 2.0 为在网络上授权用户提供了一个开放的安全协议。不过，该标准的许多模式允许选择性地实施这些保护措施。因此，使用 OAuth 2.0 本身并不能保证安全性，而且 OAuth 2.0 规范中的某些部署选项可能会导致不正确的设置。FIWARE 是开发未来互联网应用的开放平台。它是国际实体未来互联网公私合作伙伴关系的成果。[1,2]FIWARE旨在提供一套广泛的应用程序接口，以促进欧盟范围内新业务的发展。该平台可以理解为一种模块化结构，可广泛应用于物联网、大数据、智能设备管理、安全、开放数据和虚拟化等领域。在安全方面，其组件之间的信息交换是通过 OAuth 2.0 协议完成的。本作品的目的是创建一个系统，允许检测和分析 OAuth 2.0 的漏洞，该系统在以物联网设备管理为重点的内部开发环境中通过 HTTP/HTTPS 执行，并帮助开发人员实施这些系统，确保这些环境的安全性。通过本文提出的系统，可以发现 HTTP/HTTPS 环境中 FIWARE 组件的漏洞。在此基础上，根据 IETF 的强制性建议提出了缓解措施。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Vulnerability Detection in Intelligent Environments Authenticated by the OAuth 2.0 Protocol over HTTP/HTTPS

OAuth 2.0 provides an open secure protocol for authorizing users across the web. However, many modalities of this standard allow these protections to be implemented optionally. Thus, its use does not guarantee security by itself and some of the deployment options in the OAuth 2.0 specification can lead to incorrect settings. FIWARE is an open platform for developing Internet applications of the future. It is the result of the international entity Future Internet Public-Private Partnership. [1,2] FIWARE was designed to provide a broad set of API to stimulate the development of new businesses in the context of the European Union. This platform can be understood as a modular structure to reach a broad spectrum of applications such as IoT, big data, smart device management, security, open data, and virtualization, among others. Regarding security, the exchange of messages between its components is done through the OAuth 2.0 protocol. The objective of the present work is to create a system that allows the detection and analysis of vulnerabilities of OAuth 2.0, executed on HTTP/HTTPS in an on-premise development environment focused on the management of IoT devices and to help developers to implement them ensuring security for these environments. Through the system proposed by this paper, it was possible to find vulnerabilities in FIWARE components in HTTP/HTTPS environments. With this evidence, mitigations were proposed based on the mandatory recommendations by the IETF.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

International Journal of Computer Network and Information Security Social Sciences-Safety Research

CiteScore

4.10

自引率

0.00%

发文量