1. Automated security tests for an identity provider (original title: Automatiserade säkerhetstester för identity provider). Lundqvist, Sanna. January 2020.
An identity provider is a part of a system, or service, that stores and manages information about users' identities and authenticates users on behalf of other applications. The service makes it possible to log users in without login credentials having to be sent between the various parties over the Internet. This is enabled in part through the use of the IdentityServer4 framework and the Web Services Federation and OAuth 2.0 protocols. The work focuses on which automated security tests an identity provider (IdP) should run so that security risks are not accidentally introduced during updates to the service. This is done by first collecting the attacks the service is at risk of being exposed to. For example, there is a risk of Server-Side Request Forgery because of how the protocols are designed. Security tests covering examples of the attacks presented are then introduced at an IdP. This is done using off-the-shelf tools and manual security tests of the IdP. The result is that some existing risks could be detected with the off-the-shelf tools. Risks could also be found through the manual tests. All risks were remediated based on the results. However, preventing a large share of all security risks with automated security tests is very time- and resource-intensive.
2. OAuth 2.0 Authentication Plugin for SonarQube. Lavesson, Alexander; Luostarinen, Christina. January 2018.
Many web services today give users the opportunity to sign in using an account belonging to a different service. Letting users authenticate themselves using another service eliminates the need for a user to create a new identity for each service they use. Redpill Linpro uses the open source platform SonarQube for code quality inspection. Since developers in the company are registered users of another open source platform named OpenShift, they would like to authenticate themselves to SonarQube using their OpenShift identity. Our task was to create a plugin that offers users the functionality to authenticate themselves to SonarQube using OpenShift as their identity provider by applying the authentication framework OAuth. The project resulted in a plugin of high code quality according to SonarQube's assessment. Redpill Linpro will use the plugin to easily access SonarQube's functionality when using the application in their developer platform.
3. Characterizing the Third-Party Authentication Landscape: A Longitudinal Study of how Identity Providers are Used in Modern Websites / Longitudinal measurements of the use of third-party authentication on modern websites (original Swedish subtitle: Longitudinella mätningar av användandet av tredjepartsautentisering på moderna hemsidor). Josefsson Ågren, Fredrik; Järpehult, Oscar. January 2021.
Third-party authentication services are becoming more common since they ease the login procedure by not forcing users to create a new login for every website that uses authentication. Even though it simplifies the login procedure, users still have to be conscious of what data is being shared between the identity provider (IDP) and the relying party (RP). This thesis presents a tool for collecting data about third-party authentication that outperforms previously made tools with regard to accuracy, precision and recall. The developed tool was used to collect information about third-party authentication on a set of websites. The collected data revealed that the third-party login services offered by Facebook and Google are the most common and that Twitter's login service is significantly less common. Twitter's login service shares the most data about users with the RPs and often gives the RPs permission to perform write actions on the user's Twitter account. In addition to our large-scale automatic data collection, three manual data collections were performed and compared to previously made manual data collections from a nine-year period. The longitudinal comparison showed that over the nine-year period the login services offered by Facebook and Google have been dominant. It is clear that less information about users is being shared today compared to earlier years for Apple, Facebook and Google. The Twitter login service is the only IDP that has not changed its permission policies. This could be the reason why the usage of the Twitter login service on websites has decreased. The results presented in this thesis help provide a better understanding of what personal information is exchanged by IDPs, which can guide users to make well-educated decisions on the web.