WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring


Stefano Calzavara and Riccardo Focardi, Università Ca' Foscari Venezia; Matteo Maffei and Clara Schneidewind, TU Wien; Marco Squarcina and Mauro Tempesta, Università Ca' Foscari Venezia


We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introducing a critical vulnerability.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {217616,
author = {Stefano Calzavara and Riccardo Focardi and Matteo Maffei and Clara Schneidewind and Marco Squarcina and Mauro Tempesta},
title = {{WPSE}: Fortifying Web Protocols via {Browser-Side} Security Monitoring},
booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1493--1510},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/calzavara},
publisher = {USENIX Association},
month = aug

Presentation Video 

Presentation Audio