SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

Friday, August 1, 2014 - 10:00am
Authors: 

Yuchen Zhou and David Evans, University of Virginia

Abstract: 

Correctly integrating third-party services into web applications is challenging, and mistakes can have grave consequences when third-party services are used for security-critical tasks such as authentication and authorization. Developers often misunderstand integration requirements and make critical mistakes when integrating services such as single sign-on APIs. Since traditional programming techniques are hard to apply to programs running inside black-box web servers, we propose to detect vulnerabilities by probing behaviors of the system. This paper describes the design and implementation of SSOScan, an automatic vulnerability checker for applications using Facebook Single Sign-On (SSO) APIs. We used SSOScan to study the twenty thousand top-ranked websites for five SSO vulnerabilities. Of the 1660 sites in our study that employ Facebook SSO, over 20% were found to suffer from at least one serious vulnerability.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Presentation Video

Download Video

Presentation Audio

Zhou PDF
View the slides
BibTeX
@inproceedings {184435,
author = {Yuchen Zhou and David Evans},
title = {SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities},
booktitle = {23rd {USENIX} Security Symposium ({USENIX} Security 14)},
year = {2014},
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {495--510},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/zhou},
publisher = {{USENIX} Association},
}
Download