SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities

Transcription

1 SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities Yuchen Zhou David Evans 1

2 Single Sign-On Service 2

3 Single Sign-On Workflow Integrator (e.g., espn.com) Visit Redirect User (Web Client) Login Identity Provider (e.g., Facebook) OAuth Credentials Verify login and issue credentials Confirm Credentials Authenticated 3

4 Integrating SSO services SSO SDKs are designed for developers with little or no security expertise. The secure integration depends on understanding important security requirements. 4

5 Credential Misuse Facebook 2. Login User Happens when the application 3. Issue credentials fails to verify: The application ID to which the access_token 4. Forward 1. Visit was issued credentials The signature of signed_request credential 5. Reuse credentials Foo app server 6. Authenticated Mallory 5

6 Credential Leakage Third Party Resource GET HTTP/1.1 Host: cdn.optimizely.com Referer: access_token=caabhckz13vubaganpln9fu0dnpvoceu46schxelk peoomlctk3ifnjhgjwezaxojfcyf4wxvwv1mejzvt3k4arpwma jazcooeuecqcndrt82nuebda5acvpojym6j3kzkvza1zbwksfv EIBIZAntEkmDbXaN7IlaC8lQK9G9PE1XLg0kLoqG8ObRhy7BIHfUs9 cnwgzblv6fmhn0wigdde&expires_in=6493&fb_uid= &ReturnUrl=https%3A%2F%2Fwww.dealchicken.com%2Flogin %3FReturnUrl%3D%252f 6

7 SSOScan Vulnerability status: Credential misuse Credential leakage 7

8 SSOScan Components Enroller Button Finder IdP login automation Registration automation Oracle Verify enrollment success Confirm session identity Vulnerability Tester Simulate attacks Monitor traffic & response 8

9 Enroller: Button Finder 9

10 Button finder: Location 1 10

11 Button finder: Location 2 11

12 Button finder: Location First Click, True Positive Second Click, True Positive Second Click, True Positive Second Click, False Positive 12

13 Registration Automation 13

14 Oracle 14

15 Evaluation Dataset: Top-ranked 20,000 US sites 1 excluding hidden sites, DNS errors and timeouts. No Facebook SSO, 90.7% Facebook SSO, 9.3% Test failed 20.0% Misuse cred 12.1% Not Vulnerable 57.4% Leak cred 8.6% Buggy 2.3% Valid top US ranked sites (17, 913) 1,660 Sites using Facebook SSO 20.3% sites have at least one vulnerability 15 1: According to Quantcast

16 Example vulnerable cases Credential Misuse signed_request: Credential Misuse both: Credential Leakage: : Both vulnerabilities fixed as of now 16

17 Facebook SSO support % vs. site ranking % Supporting Facebook SSO 45% 40% 35% 30% 25% 20% 15% 10% 5% More popular sites tend to include Facebook SSO more. 0% More popular Less popular Site rank (each bin contains 179 sites, 1% of the total tested) 17

18 Vulnerable sites % vs. sites ranking 70% % Vulnerable 60% 50% 40% 30% 20% Higher-profile sites do not seem to have better security practices (SSO integration). 10% 0% * More popular Less popular Site rank (each bin contains 179 sites, 1% of the total tested) 18 *: no Facebook SSO supported sites

19 Integration methods SDK: <script src="//connect.facebook.net/en_us/all.js" type="text/ javascript"></script> Widget: <iframe name=" " frameborder="0" ></iframe> Custom code: Anything else Method Number Misuse vul Leakage vul SDK % 3.6% Widget % 2.2% Custom % 12.4% All % 8.6% 19

20 Responses from vendors 20 vendors contacted. } Only got 8 responses } 3 of 8 responded after initial (automated) response } After 3 months, one site removed Facebook SSO from their site: ehow.com Through a personal connection, we reached another vendor. } After first fix, vulnerability still exists } Second fix solved all issues 20

21 Response from Facebook We contacted Facebook on May 2014 regarding the vulnerable websites. Facebook is more concerned with those that } Leak access_token through referer header; } misuse any type of OAuth credential. We reported 95 of such cases to Facebook and Facebook responded: We have notified and taken appropriate actions against those sites. Only 4 out of 95 fixed their issues as of our latest test result. 21

22 Conclusion SSOScan shows roughly 20% of the top ranked websites suffer from SSO vulnerabilities. Notifying vendors, or even the identity provider, are not as effective as one might expect. SSOScan deployment opportunities: } Integrated at identity provider app center / app store } Ensure application security by shutting down vulnerable app s access. } Checking-as-a-service 22

23 SSOScan as a web service: Thank you! 23