SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities
Date: August 2014
Publication: 23rd USENIX Security Symposium, SEC '14
Source 1: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-zhou.pdf
Source 2: http://www.ssoscan.org/SSOScan.pdf
Source 3: http://www.ssoscan.org/SSOScan_TR.pdf
Correctly integrating third-party services into web applications is challenging, and mistakes can have grave consequences when third-party services are used for security-critical tasks such as authentication and authorization. Developers often misunderstand integration requirements and make critical mistakes when integrating services such as single sign-on APIs. Since traditional programming techniques are hard to apply to programs running inside black-box web servers, we propose to detect vulnerabilities by probing behaviors of the system. This paper describes the design and implementation of SSOScan, an automatic vulnerability checker for applications using Facebook Single Sign-On (SSO) APIs. We used SSOScan to study the twenty thousand top-ranked websites for five SSO vulnerabilities. Of the 1660 sites in our study that employ Facebook SSO, over 20% were found to suffer from at least one serious vulnerability.
PasswordResearch.com Note: Video and audio recordings of the paper presentation are available here: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/zhou