
SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,


1 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities
Yuchen Zhou and David Evans, 23rd USENIX Security Symposium, August 2014
Chun-Yi Wang

2 Outline
- Introduction
- Background
- SSOScan
- Results
- Heuristics Evaluation
- Discussion

3 Single Sign-On Service

4 Single Sign-On Service
- Allow users to log into an application using an established account (with a service such as Facebook or Twitter)
- Connect their account on the new site to an established Internet identity

5 Single Sign-On Workflow

6 Single Sign-On Workflow
OAuth uses three different types of credentials:
- access_token
  - Represents permissions granted by the user
  - Eventually expires, but may be valid for a long time

7 Single Sign-On Workflow
- code
  - Used to exchange for an access_token through the identity provider
  - Requires the application's unique app_secret to proceed
  - With Facebook SSO, the code expires after being used in the first exchange

8 Single Sign-On Workflow
- signed_request
  - A base64-encoded string that contains a user identity, a code, and a signature
  - Can be verified using the application's app_secret and some other meta-information
  - Once issued, it is not tied to Facebook (except for the enveloped code), and the signature can be verified locally

9 Integrating SSO services

10 Vulnerabilities

11 Vulnerabilities - Credential Misuse
- access_token misuse: in OAuth 2.0, when a service uses an access_token to authenticate users, it will also accept tokens granted to any other application
- signed_request misuse: information is decoded from a signed_request, but the signature is never checked
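The two credential-misuse cases on slide 11, together with the signed_request format from slide 8, as an added example that is not part of the slides or of SSOScan itself. Each vulnerable pattern is shown beside the check that closes it. The app id, app_secret and token store are constructed values; graph_me and debug_token are offline stand-ins for the identity provider's "who am I" and token-introspection calls, not the provider's API. The signed_request layout used here (base64url signature, a dot, base64url JSON payload, HMAC-SHA256 keyed with app_secret over the encoded payload) is the documented Facebook format, but the verification code is written for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the example. A real app_secret comes from registering
# the application with Facebook and must never leave the back-end server.
APP_ID = "111111111111111"
OTHER_APP_ID = "222222222222222"
APP_SECRET = b"example-app-secret-do-not-reuse"


def _b64url_decode(s: str) -> bytes:
    # The provider strips '=' padding from base64url strings; restore it first.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build a signed_request the way the identity provider does (slide 8):
    base64url(HMAC-SHA256(base64url(payload))) '.' base64url(payload)."""
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{body}"


def decode_signed_request_unchecked(signed_request: str) -> dict:
    """Vulnerable pattern from slide 11: the payload is decoded and trusted and
    the signature is never checked, so anyone can mint a payload."""
    _sig, body = signed_request.split(".", 1)
    return json.loads(_b64url_decode(body))


def verify_signed_request(signed_request: str, secret: bytes) -> Optional[dict]:
    """Hardened: recompute the HMAC over the encoded payload with app_secret and
    compare in constant time; return the payload only if it matches."""
    try:
        sig_b64, body = signed_request.split(".", 1)
        payload = json.loads(_b64url_decode(body))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers malformed base64 and malformed JSON
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


# Constructed stand-in for the provider's record of issued tokens: the same
# user has granted a token to this application and to some other application.
TOKEN_STORE = {
    "tok-issued-to-us": {"user_id": "1001", "app_id": APP_ID},
    "tok-issued-to-other": {"user_id": "1001", "app_id": OTHER_APP_ID},
}


def graph_me(access_token: str) -> Optional[dict]:
    """Stand-in for the provider's 'who am I' call: any valid token answers."""
    entry = TOKEN_STORE.get(access_token)
    return {"id": entry["user_id"]} if entry else None


def debug_token(access_token: str) -> Optional[dict]:
    """Stand-in for the provider's token-introspection call, which reports the
    application a token was issued to."""
    entry = TOKEN_STORE.get(access_token)
    return dict(entry, is_valid=True) if entry else None


def login_unchecked(access_token: str) -> Optional[str]:
    """Vulnerable pattern from slide 11: whoever the token resolves to is logged
    in, even when the token was granted to a different application."""
    me = graph_me(access_token)
    return me["id"] if me else None


def login_checked(access_token: str) -> Optional[str]:
    """Hardened: also require that the token was issued to this application and
    that the introspected user matches the identity the token resolves to."""
    info = debug_token(access_token)
    if not info or not info["is_valid"] or info["app_id"] != APP_ID:
        return None
    me = graph_me(access_token)
    return me["id"] if me and me["id"] == info["user_id"] else None
```

Running login_unchecked("tok-issued-to-other") logs user 1001 in on the strength of a token another application obtained, which is exactly the confused-deputy case the slide describes; login_checked rejects it. Likewise decode_signed_request_unchecked accepts a payload signed with any key, while verify_signed_request accepts only one produced with this application's app_secret.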

12 Vulnerabilities - Credential Misuse

13 Vulnerabilities - Credential Leakage
- app_secret leak
  - When a developer registers an application with Facebook, he receives an app_secret
  - The app_secret is used as the key to create signed_requests and to access many other privileged functionalities

14 Vulnerabilities - Credential Leakage
- app_secret leak
  - By design, the code and app_secret must be sent from the application's back-end server to Facebook in exchange for an access_token
  - When this exchange is carried out through the client instead of the server, the app_secret is exposed to any malicious client

15 Vulnerabilities - Credential Leakage
- User OAuth credentials leak - 1
  - If the Facebook OAuth landing page contains third-party content, the browser automatically includes the OAuth credentials in the Referer header of the requests for that content
  - To thwart this leakage, allow the access_token and signed_request to appear only in the URL fragment

16 Vulnerabilities - Credential Leakage
- User OAuth credentials leak - 2
  - Credentials can be exfiltrated by third-party scripts if they are present in the page content
  - If a malicious party is able to obtain these credentials, it could carry out impersonation attacks or perform malicious actions using the permissions the user granted the original application
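A passive check of the kind slides 14 to 16 call for, written here as an added example rather than the slides' or SSOScan's own code. It takes a captured landing-page URL plus the sub-resource requests that page issues and the requests the browser itself sends to the provider, and reports which OAuth credentials the Referer header would carry to a third-party host and whether the app_secret travels from the client. The landing URLs, sub-resource list and client request are constructed sample values; the first-party host and credential names are parameters, not anything measured on a real site.

```python
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# OAuth credential names from the slides that may appear in a landing-page URL.
CREDENTIAL_PARAMS = {"access_token", "signed_request", "code"}


def referer_for(page_url: str) -> str:
    """The Referer a browser sends for sub-resources loaded from page_url.
    Browsers drop the fragment, so credentials kept after '#' never leave the
    page this way (slide 15); credentials in the query string do."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def credential_names(query: str) -> List[str]:
    """Sorted OAuth credential names present in a query (or fragment) string."""
    return sorted({k for k, _ in parse_qsl(query)} & CREDENTIAL_PARAMS)


def is_third_party(url: str, first_party_host: str) -> bool:
    host = urlsplit(url).hostname or first_party_host  # relative URLs are first-party
    return not (host == first_party_host or host.endswith("." + first_party_host))


def find_referer_leaks(landing_url: str, subresource_urls: List[str],
                       first_party_host: str) -> List[Tuple[str, str]]:
    """(credential, third-party host) pairs for every credential the Referer
    header would carry to a third-party sub-resource of the landing page."""
    leaked = credential_names(urlsplit(referer_for(landing_url)).query)
    if not leaked:
        return []
    hosts = [urlsplit(u).hostname for u in subresource_urls
             if is_third_party(u, first_party_host)]
    return [(cred, host) for host in hosts for cred in leaked]


def find_app_secret_exposure(client_requests: List[str], app_secret: str) -> List[str]:
    """Requests issued by the browser rather than the back end that carry the
    app_secret, i.e. the code-for-token exchange done on the client (slide 14)."""
    exposed = []
    for url in client_requests:
        params = dict(parse_qsl(urlsplit(url).query))
        if params.get("client_secret") == app_secret or app_secret in url:
            exposed.append(url)
    return exposed


# Constructed sample capture (not real traffic): one landing page that carries
# credentials in the query string, one that keeps them in the fragment.
FIRST_PARTY = "example-app.test"
VULNERABLE_LANDING = ("https://example-app.test/fb/callback"
                      "?code=AQB-constructed&access_token=EAAB-constructed")
SAFER_LANDING = "https://example-app.test/fb/callback#access_token=EAAB-constructed"
SUBRESOURCES = [
    "https://example-app.test/static/app.js",
    "https://cdn.example-app.test/logo.png",
    "https://analytics.third-party.test/pixel.gif",
]
# A browser-side token exchange that should only ever happen server-side.
CLIENT_REQUESTS = [
    "https://graph.facebook.com/oauth/access_token"
    "?client_id=111111111111111&client_secret=example-app-secret&code=AQB-constructed",
]

if __name__ == "__main__":
    print(find_referer_leaks(VULNERABLE_LANDING, SUBRESOURCES, FIRST_PARTY))
    print(find_referer_leaks(SAFER_LANDING, SUBRESOURCES, FIRST_PARTY))
    print(find_app_secret_exposure(CLIENT_REQUESTS, "example-app-secret"))
```

Moving the credentials into the fragment closes the Referer channel only: a token in the fragment is still readable by every script running in the page, which is the slide 16 case, so the fragment mitigation does not replace keeping third-party scripts off the landing page.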

17 Vulnerabilities - Credential Leakage

18 Related Work
- Program analysis
- Automated security testing
- Automated GUI testing
- Human cooperative testing
- Single sign-on security

19 SSOScan Components

20 Enroller

21 Enroller – SSO Button Finder

22 Enroller – SSO Button Finder

23 Enroller – SSO Button Finder

24 Enroller – Registration Automation

25 Oracle

26 Vulnerability Tester
- Simulated Attacks
- Passive Monitoring

27 Overview

28 Automated Test Results

29 Automated Test Results

30 Automated Test Results

31 Automated Test Results

32 Detection Accuracy
- Facebook Login Detection Correctness
- Vulnerability Status Correctness
- Trusted Third-Party Domains

33 Automation Failures
- Registration automation failure
- Oracle confusion
- Others

34 Options
- Candidate rank
- Visibility filter
- Position filter
- Registration form filter
- Element content matching

35 Experiment Setup

36 Results
- Element type and content
- Element size
- Element position

37 Validation

38 Communication and Responses - from vendors

39 Communication and Responses - from Facebook
- Contacted Facebook in May regarding the vulnerable websites
- Facebook is more concerned with those that:
  - Leak the access_token through the Referer header
  - Misuse any type of OAuth credential

40 Communication and Responses - from Facebook
- We reported 95 such cases to Facebook, and Facebook responded: “We have notified and taken appropriate actions against those sites”
- Only 4 out of 95 had fixed their issues as of our latest test result.

41 Conclusion
- SSOScan shows that roughly 20% of the top-ranked websites suffer from SSO vulnerabilities
- Notifying vendors, or even the identity provider, is not as effective as one might expect

42 Conclusion
- SSOScan deployment opportunities
  - Integrated at the identity provider's app center / app store
  - Ensure application security by shutting down vulnerable apps' access
  - Checking-as-a-service

43 Thanks! Questions?

