Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities.

Published byRoss Copeland Modified over 9 years ago

Similar presentations

Presentation on theme: "Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities."— Presentation transcript:

1 Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

2  Allows a user to login with a single ID to a number of connected systems  Established internet identity (Twitter, Facebook, Google)  Extra permissions can be issued as needed by the service Single Sign-On (SSO)

3 Reduces password fatigue Don’t need to remember lots of different passwords Reduces time spent re-entering passwords Lost password claims in IT goes down  Access to more with same credentials  High reliance on authentication system being “up” SSO: Benefits and Drawbacks

4 How it Works 1. Alice visits a web application and uses SSO 2. Alice is redirected to Identity provider 3. Alice logs into Facebook 4. OAuth credentials issued to application server 5. Application server confirms identity and authenticates the client

5  Code  Used to exchange for an access_token  Also requires applications app_secret  Access_token  Represents permissions granted by the user  Issued and forwarded to application at users consent  Signed_request  Used to verify a user’s current login status OAuth Credentials

6  Facebook tokens: User Access Tokens, App Access, Tokens, Page Access Token and Client Access Tokens  Facebook User Access Token  Used to read/write Facebook data on their behalf  Obtained via login dialogs  Short-life (~2 hours) and long-life tokens (~60 days)  Tokens are PORTABLE Facebook Access Tokens

7  Implementing SSO services can be difficult  Developers make mistakes when integrating SSO APIs  Applications integrating SSO can have vulnerabilities as shown in previous papers Motivation

8  Development of SSOScan  Takes a website URL, determines if it uses Facebook SSO and simulates several attacks  Focus is on Facebook  Two parts to SSOScan  Large scale study and investigation of vulnerabilities  Top 20,000 most popular US sites Contribution

9  An automatic vulnerability checker for applications using Facebook SSO  Designed for large scale testing  Consists of two main parts: enroller & vulnerability tester  In addition an oracle which determines state SSOScan

10  First step: find the login button  Second: login with Facebook SSO  [Third]: Enter remaining details  Website is broken up into elements and analyzed  Rankings to each element  Clicking every element would take up far too much time The Enroller

11  Different websites = different registration process  SSOScan must account for registration forms after already signing in  Registration forms filled out  Radio buttons -> tick boxes -> text fields -> submit The Enroller (2)

12

13

14  Determine if enroller logged a user in  Also used by vulnerability tester to check impersonation attack  Looks for anything indicating account information  Name, email, profile  “Welcome Alice” The Oracle

15  Control is pass to the vulnerability tester  Five different types of vulnerabilities were looked for The Vulnerability Tester

16  Access_tokens are not tied to a specific application Access_token misuse

17  Signature of signed request is never checked using app_secret  Attack is similar to access_token misuse except you reuse signed_request as well as access_token Signed_request misuse

18  App_secret is given to developer when app is registered  Should always be kept secret  Code and app_secret are used to exchange for an access token. Do this on SERVER SIDE App_secret leak

19 1. Credentials intentionally put in the URL 2. Credentials present in the content  From this can impersonate users Credential Leaks

20 Signed_request misuse  Situation described earlier – malicious website  Test application “Mal” developed  Alice's signed_request for Mal obtained  Bob signs into target application using stolen signed_request  Success: Bob = Alice Simulated Attacks

21 Referer header leak  SSOScan monitors all request data  Compares each referer header to OAuth credentials  A leak is: credentials found in header for a page that contains third-party content Passive Monitoring

22  20,000 websites -> 17,913 valid sites  Three days to complete  3.5 minutes per site on average Running SSOScan

23  Of the 17,913 sites 1660 had Facebook SSO implementations  The more popular the website, the higher chance the website integrated Facebook SSO  39 / 1660 sites had faulty implementations  Lazy programmers, SEO Purposes, incorrect implementations Results

24  202 / 1660 sites misused credentials  126 were misusing both access_token and signed_request  146 /1660 sites leaked Facebook SSO credentials  A total of 345 / 1660 had at least one of the vulnerabilities.  3 websites had both misused and leaked credentials Results (2)

25  None of the sites leaked their app_secret  Verified SSOScan was working  Documentation warnings & increased effort Example:  Match.com  Vulnerable to signed_request replacement  Impersonators had access to sensitive information Results (3)

26  Two kinds of mistakes identified: Misreporting Facebook SSO  A number of test cases identified  No login button – Only “My Account” button  Interaction with popup window three times. Max click depth = 2  Login button ranked 4 th of all elements Evaluation: Misreporting

27  Vulnerabilities were simulated  Confident accuracy of scan is good  A false negative is possible  OAuth string is transformed or encoded  SSOScan checks for exact match Evaluation: Vulnerability Identification

28  228 cases which failed registration  47 would never work anyway  Complicated registration process: CAPTCHAs etc.  Oracle Confusion: No ID information  Other: Timeouts, load loading times Automation Failures

29  A single click incurs latency  Important to narrow selection  Candidate rank  Visibility Filter  Position  Registration form filter Heuristics Evaluation

30  Vulnerable sites contact  Most didn’t care  Facebook contacted  Still didn’t care  Of total 345 vulnerable sites, 48 fixed problems  Two main contributions:  SSOScan Tool  Large scale testing of popular websites Communication and Conclusion

31  Front end operations and traffic checked only  Methodology of vulnerability tester unclear  SSOScan only relevant for English websites  Only Facebook SSO implementation checked  Possible tied to Facebook API Criticism

32 Questions?

Download ppt "Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities."

Similar presentations

Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
Research and Innovation Participant Portal How to register for an ECAS account NEXT.

Research and Innovation Participant Portal How to register for an ECAS account NEXT.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Information Regarding

Information Regarding
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
On-Line Database Placement Application Tutorial. How to Change Your Information On York’s System.

On-Line Database Placement Application Tutorial. How to Change Your Information On York’s System.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Fire Officer Strategy and Tactics (FOST) State Certification Practical Examination PART “A” May 2009.

Fire Officer Strategy and Tactics (FOST) State Certification Practical Examination PART “A” May 2009.
Fire Officer Strategy and Tactics (FOST)

Fire Officer Strategy and Tactics (FOST)
Prof. Vishnuprasad Nagadevara Indian Institute of Management Bangalore

Prof. Vishnuprasad Nagadevara Indian Institute of Management Bangalore
Welcome to the Sinclair Community College Online Employment Applicant Tutorial.

Welcome to the Sinclair Community College Online Employment Applicant Tutorial.
Internet Banking Standard FIAT & Standard FIAT-Hybrid Registration Intuit Financial Services University Internet Banking Certification Training.

Internet Banking Standard FIAT & Standard FIAT-Hybrid Registration Intuit Financial Services University Internet Banking Certification Training.
SAM: Student Getting Started Guide.

SAM: Student Getting Started Guide.
Quick Reference Guide Welcome TEST USER Version_NSU_101111 HELP RETIREMENT MANAGER DEMO FEEDBACK.

Quick Reference Guide Welcome TEST USER Version_NSU_ HELP RETIREMENT MANAGER DEMO FEEDBACK.
HHS Enterprise Portal Redesign Training for CASA Users.

HHS Enterprise Portal Redesign Training for CASA Users.
Welcome to the University of West Florida Online Employment System Applicant Tutorial.

Welcome to the University of West Florida Online Employment System Applicant Tutorial.
GFP in the IUID Registry – A Basic Look Walt Clark, CPPM Raytheon IIS.

GFP in the IUID Registry – A Basic Look Walt Clark, CPPM Raytheon IIS.

Similar presentations

Ads by Google