SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. Yuchen Zhou and David Evans, 23rd USENIX Security Symposium, August 2014.
Presented by Chun-Yi Wang.

Outline: Introduction, Background, SSOScan, Results, Heuristics Evaluation, Discussion.


Single Sign-On Service. Lets users log into an application with an account they already hold at an identity provider such as Facebook or Twitter, connecting their account on the new site to an established Internet identity.


Single Sign-On Workflow. OAuth uses three different types of credentials. Access_token: a bearer credential representing the permissions the user granted to the application; it eventually expires, but may stay valid for a long time.

Code: a short-lived value the application exchanges for an access_token at the identity provider. The exchange requires the application's unique app_secret, so it must be performed by the application's server. With Facebook SSO, a code expires after it has been used in the first exchange.

Signed_request: a base64-encoded string containing the user identity, a code, and an HMAC-SHA256 signature. It is verified with the application's app_secret plus some other meta-information. Once issued it is not tied to Facebook (apart from the enveloped code): the signature can be verified locally, with no call back to the provider.

Integrating SSO services (figure).

Vulnerabilities

Vulnerabilities - Credential Misuse. Access_token misuse: in OAuth 2.0 an access_token is a bearer credential, so a service that authenticates users by the identity a token resolves to, without checking which application the token was issued to, will also accept tokens granted to any other application; a malicious application can then log in as any of its own users on the vulnerable site. Signed_request misuse: the site decodes the user identity from a signed_request but never checks the signature, so anyone can craft one naming an arbitrary user.
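Both misuse patterns come down to trusting a credential without checking who it is bound to. The following is an added example, not code from the paper or from SSOScan: it builds a Facebook-style signed_request (the `sig.payload` format with an HMAC-SHA256 over the base64url payload), shows the unsafe decode next to a verifying parser, and adds the app_id check a site should apply to an access_token. The app_id, app_secret, payloads and the introspection response are constructed for the example; the introspection field names follow Facebook's /debug_token response, which is not shown on these slides.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical identifiers for this example; a real app_secret never leaves the server.
APP_ID = "123456789012345"
APP_SECRET = b"example-app-secret"


def _b64url_decode(s: str) -> bytes:
    # Facebook emits unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Produce 'sig.payload' the way the identity provider does.
    Used here only to construct genuine and forged inputs for the demo."""
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{body}"


def decode_unverified(signed_request: str) -> dict:
    """VULNERABLE (signed_request misuse): decodes the payload and trusts it
    without ever checking the signature, so anyone can mint a user_id."""
    _, body = signed_request.split(".", 1)
    return json.loads(_b64url_decode(body))


def verify_signed_request(signed_request: str, secret: bytes):
    """Hardened parse: returns the payload only when HMAC-SHA256(app_secret, payload)
    matches the enclosed signature; returns None for malformed or forged input."""
    try:
        sig_b64, body = signed_request.split(".", 1)
        sig = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # bad split, bad base64 or bad JSON
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return payload


def token_issued_to_this_app(debug_data: dict, app_id: str = APP_ID) -> bool:
    """Access_token misuse check: a bearer token is evidence of identity only for
    the app it was issued to. debug_data is the 'data' object the provider's
    token-introspection endpoint returns (Facebook: GET /debug_token); here a
    constructed dict stands in for that response."""
    return debug_data.get("is_valid") is True and str(debug_data.get("app_id")) == app_id


# Constructed inputs: a genuine signed_request and one forged with an attacker's key.
GENUINE = make_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "1001", "code": "AQDexample", "issued_at": 1400000000},
    APP_SECRET)
FORGED = make_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "1001", "code": "AQDforged", "issued_at": 1400000000},
    b"attacker-chosen-key")

if __name__ == "__main__":
    print("unverified decode of forgery ->", decode_unverified(FORGED)["user_id"])   # 1001: attacker becomes user 1001
    print("verified parse of forgery   ->", verify_signed_request(FORGED, APP_SECRET))  # None
    print("verified parse of genuine   ->", verify_signed_request(GENUINE, APP_SECRET)["user_id"])  # 1001
    print("token from another app ok?  ->", token_issued_to_this_app({"app_id": "999", "is_valid": True}))  # False
```

The forged request carries a perfectly valid-looking payload; only the signature check separates it from the genuine one, which is exactly why decoding without verifying is a full account takeover. For access tokens the equivalent check needs a round trip to the provider, since the token itself does not say which app it belongs to.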


Vulnerabilities - Credential Leakage. App_secret leak: when a developer registers an application with Facebook, Facebook issues an app_secret. The app_secret is the key behind signed_requests (Facebook signs them with it and the application verifies them with it) and unlocks many other privileged functions.

App_secret leak (continued): by design, the code and the app_secret are sent from the application's back-end server to Facebook in exchange for an access_token. When this exchange is carried out from the client (browser or mobile app) instead of the server, the app_secret is exposed to any malicious client, which can then forge signed_requests and obtain tokens for the application.

User OAuth credentials leak - 1: if the OAuth landing page (the page Facebook redirects the browser back to, with the credentials in its URL) embeds third-party content, the browser automatically sends that URL, credentials included, in the Referer header of every request for that content. To thwart this leakage, allow the access_token and signed_request to appear only in the URL fragment, which browsers never send in Referer headers or to servers. (Current Chrome and Firefox default to a strict-origin-when-cross-origin referrer policy that drops the query from cross-origin Referers, but a page can relax that policy, so the fragment rule remains the robust fix.)

User OAuth credentials leak - 2: credentials can also be exfiltrated by third-party scripts whenever they are present in the page content or URL (a script running in the page can read the fragment from location.hash). A malicious party that obtains these credentials can impersonate the user or perform actions with the permissions the user granted to the original application.
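The three leakage checks above (credentials in the query string reaching third parties via Referer, third-party scripts on a page that holds credentials, and the app_secret travelling through the client) can all be made from passive observation of one login. The following is an added example of such a check, written for this page and not SSOScan's own code: it audits a constructed landing URL and page, and scans a constructed list of browser-initiated request URLs for the app_secret. Hostnames, parameter names and the sample HTML are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Credential parameter names discussed on the slides; constructed list for the example.
CREDENTIAL_PARAMS = {"access_token", "code", "signed_request"}


class _ResourceCollector(HTMLParser):
    """Collects URLs of embedded resources that make the browser issue a request."""
    _ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = self._ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.resources.append((tag, value))


def _host(url: str) -> str:
    return urlsplit(url).hostname or ""


def credential_params(landing_url: str):
    """Return (in_query, in_fragment): which credential names appear in each part of the URL."""
    parts = urlsplit(landing_url)
    in_query = CREDENTIAL_PARAMS & set(parse_qs(parts.query))
    in_fragment = CREDENTIAL_PARAMS & set(parse_qs(parts.fragment))
    return in_query, in_fragment


def audit_landing_page(landing_url: str, html: str, trusted_domains=()):
    """Passive check of one OAuth landing page for the two user-credential leaks."""
    page_host = _host(landing_url)
    collector = _ResourceCollector()
    collector.feed(html)
    third_party = {}  # host -> set of tags loaded from it
    for tag, url in collector.resources:
        h = _host(url)  # relative URLs have no host, so they are same-origin
        if h and h != page_host and h not in trusted_domains:
            third_party.setdefault(h, set()).add(tag)
    in_query, in_fragment = credential_params(landing_url)
    return {
        "credentials_in_query": in_query,
        "credentials_in_fragment": in_fragment,
        # The query goes out in Referer to every third-party fetch; the fragment never does.
        "referer_leak_to": set(third_party) if in_query else set(),
        # Any script executing in the page can read location.search and location.hash.
        "script_exfil_to": {h for h, tags in third_party.items() if "script" in tags}
        if (in_query or in_fragment) else set(),
    }


def app_secret_in_client_traffic(client_requests, app_secret: str):
    """App_secret leak check: the code-for-token exchange must be server-to-server, so
    the secret (or a client_secret parameter) must never appear in a browser request."""
    leaks = []
    for url in client_requests:
        query = parse_qs(urlsplit(url).query)
        if "client_secret" in query or app_secret in url:
            leaks.append(url)
    return leaks


# Constructed samples standing in for a crawl of a vulnerable site.
LANDING_WITH_CODE = "https://app.example/fb/callback?code=AQDsample&state=xyz"
LANDING_WITH_FRAGMENT = "https://app.example/fb/callback#access_token=EAAsample&expires_in=5000"
LANDING_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.third.example/widget.js"></script>
<link rel="stylesheet" href="https://fonts.example/style.css">
</head><body>
<img src="https://tracker.example/pixel.gif">
</body></html>
"""
CLIENT_REQUESTS = [  # as a proxy would record them from the browser
    "https://app.example/fb/callback?code=AQDsample&state=xyz",
    "https://graph.facebook.com/oauth/access_token?client_id=123&redirect_uri=https://app.example/fb/callback&client_secret=s3cr3t&code=AQDsample",
]

if __name__ == "__main__":
    print(audit_landing_page(LANDING_WITH_CODE, LANDING_HTML))
    print(audit_landing_page(LANDING_WITH_FRAGMENT, LANDING_HTML))
    print(app_secret_in_client_traffic(CLIENT_REQUESTS, "s3cr3t"))
```

With the code in the query string, every third-party host on the page receives it in Referer; moving the credential to the fragment removes that channel but still leaves it readable by any third-party script, which is why the slides treat script exfiltration as a separate leak. The `trusted_domains` parameter corresponds to the trusted third-party domains the evaluation later has to account for.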


Related Work: program analysis; automated security testing; automated GUI testing; human-cooperative testing; single sign-on security.

SSOScan Components (figure).

Enroller (figure).

Enroller – SSO Button Finder (figures).


Enroller – Registration Automation (figure).

Oracle (figure).

Vulnerability Tester: simulated attacks (actively presenting the site with a credential it should reject, such as an access_token issued to a different application or a signed_request whose signature is invalid, and asking the Oracle whether the site logged the test user in anyway) and passive monitoring (observing the traffic and page content of a normal SSO login for credentials leaking through Referer headers or third-party scripts, and for an app_secret sent from the client).

Overview (figure).

Automated Test Results (figures).


Detection Accuracy: Facebook login detection correctness; vulnerability status correctness; trusted third-party domains.

Automation Failures: registration automation failure; Oracle confusion; others.

Options (SSO button finder): candidate rank; visibility filter; position filter; registration form filter; element content matching.

Experiment Setup (figure).

Results (button finder heuristics): element type and content; element size; element position.
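To make the heuristic options concrete, here is an added example of a button-finder ranker of the kind the slides evaluate. It is written for this page and is not SSOScan's implementation: the keyword lists, the score weights, the size window, the viewport height and the element representation (a dict per DOM element, with a constructed sample page) are all my assumptions. Each heuristic named on the slides appears as one step: a visibility filter, a registration-form filter, content matching on text and attributes, and bonuses for element type, size and position, with the survivors ranked by score.

```python
# Simplified content-matching vocabulary (assumption; SSOScan's own lists are not on the slides).
PROVIDER_WORDS = ("facebook", "fb", "google", "twitter")
LOGIN_WORDS = ("login", "log in", "sign in", "signin", "sign up", "connect", "continue with")
CLICKABLE_TAGS = {"a", "button", "input", "img", "div", "span"}


def _content(el):
    """All text the heuristic inspects: visible text plus identifying attributes."""
    attrs = el.get("attrs", {})
    parts = [el.get("text", "")] + [str(attrs.get(k, "")) for k in
                                   ("id", "class", "alt", "title", "href", "src", "value")]
    return " ".join(parts).lower()


def score_candidate(el, viewport_height=900):
    """Score 'is this the SSO button?' for one element; None means filtered out."""
    if el.get("tag") not in CLICKABLE_TAGS:
        return None
    if not el.get("visible", True):            # visibility filter: hidden elements cannot be clicked
        return None
    if el.get("in_registration_form"):         # registration form filter: submit buttons of a
        return None                            # plain sign-up form are not SSO entry points
    text = _content(el)
    score = 0
    if any(w in text for w in PROVIDER_WORDS):  # element content: names the identity provider
        score += 5
    if any(w in text for w in LOGIN_WORDS):     # element content: a login verb
        score += 3
    if score == 0:
        return None
    if el["tag"] in ("a", "button", "input"):   # element type: natively clickable
        score += 1
    area = el.get("w", 0) * el.get("h", 0)      # element size: buttons, not page-wide containers
    if 400 <= area <= 40000:
        score += 1
    if 0 <= el.get("y", 0) <= viewport_height:  # element position: inside the initial viewport
        score += 1
    return score


def rank_candidates(elements, top_n=3):
    """Candidate rank: best-scoring elements first; the Enroller would click them in turn."""
    scored = [(score_candidate(e), e) for e in elements]
    scored = [(s, e) for s, e in scored if s is not None]
    scored.sort(key=lambda pair: -pair[0])
    return [e for _, e in scored[:top_n]]


# Constructed sample page: one real SSO button among typical decoys.
SAMPLE_DOM = [
    {"tag": "div", "text": "Welcome to Example Shop", "attrs": {"class": "hero"},
     "x": 0, "y": 0, "w": 1200, "h": 600},
    {"tag": "a", "text": "Log in with Facebook",
     "attrs": {"class": "btn fb-login", "href": "/auth/facebook"},
     "x": 900, "y": 40, "w": 180, "h": 36},
    {"tag": "a", "text": "Like us on Facebook",
     "attrs": {"href": "https://facebook.com/exampleshop"},
     "x": 100, "y": 3000, "w": 160, "h": 30},                      # footer social link
    {"tag": "button", "text": "Log in with Facebook", "attrs": {},
     "visible": False, "x": 0, "y": 0, "w": 180, "h": 36},         # hidden template copy
    {"tag": "input", "text": "", "attrs": {"value": "Sign up", "class": "submit"},
     "in_registration_form": True, "x": 300, "y": 500, "w": 100, "h": 30},
    {"tag": "a", "text": "Sign in", "attrs": {"href": "/login"},
     "x": 1000, "y": 40, "w": 80, "h": 30},                         # site's own login
]

if __name__ == "__main__":
    for el in rank_candidates(SAMPLE_DOM):
        print(score_candidate(el), el["tag"], repr(el["text"]))
```

On the sample page the real button outranks the footer "Like us on Facebook" link mainly on position, and outranks the site's own "Sign in" link on provider matching; the hidden copy and the registration-form submit never enter the ranking. Each filter maps to one of the options whose contribution the slides measure.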

Validation (figure).

Communication and Responses - from vendors (figure).

Communication and Responses - from Facebook. The authors contacted Facebook in May 2014 about the vulnerable websites. Facebook was most concerned with sites that leak an access_token through the Referer header or that misuse any type of OAuth credential.

We reported 95 such cases to Facebook, which responded: "We have notified and taken appropriate actions against those sites". Only 4 of the 95 had fixed their issues as of our latest test.

Conclusion. SSOScan shows that roughly 20% of the top-ranked websites suffer from SSO vulnerabilities. Notifying vendors, or even the identity provider, is not as effective as one might expect.

SSOScan deployment opportunities: integration at the identity provider's app center / app store; ensuring application security by shutting down a vulnerable app's access; checking-as-a-service.

Thanks! Questions?