Security Analysis of Attack Surfaces on the Grant Negotiation and Authorization Protocol

Abstract

Accessibility is a booming practice, with applications incorporating easy authentication and authorization increasing. OAuth 2.0 is a framework created to easily integrate resourceful platforms with a client application, giving users the opportunity to access their resources in different means while only storing them in one place. Due to resources often being confidential or private the security of such frameworks is imperative. GNAP is a new protocol inspired by OAuth 2.0, created with the intention to uphold security standards of modern application usage. This thesis tests GNAP and its robustness against legacy attacks targeting OAuth 2.0. The tests consist of vulnerable redirect URI attacks, access code hijacking, CSRF, and AS mix-up attacks. Results show that due to GNAP’s cryptographic-based design, attacks that utilize data manipulation or additional input are not possible in the environment created for the thesis. However, given the less secured client instance in the protocol, AS mix-up attacks are possible in a niche environment given the assumptions made in the thesis.