SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. Yuchen Zhou and David Evans Presented by Yishan

Transcription

1 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou and David Evans Presented by Yishan

2 Background Single Sign-On (SSO) OAuth Credentials Vulnerabilities

3 Single Sign-On

4 Single Sign-On Workflow User Integrator / Client (e.g. HuffingtonPost) Identity Provider (e.g. Facebook)

5 OAuth Credentials Code exchange for Access_token Access_token represent user granted permissions Signed_request verify user s login status

6

7 Vulnerabilities Credential Misuse: Access_token misuse Signed_request misuse Credential Leakage App_secret leak Embed OAuth credentials in URL Embed OAuth credentials in body content

8 SSOScan Takes in a URL and outputs the vulnerability status of the site of the five vulnerabilities mentioned above. Also this tool is required to finish testing the site in a short period of time so that it can be used to test a large scale of sites.

9 SSOScan Components Enroller Automatically registers test accounts at a web application. Oracle Determine if the enrolment succeeds. Vulnerability Tester Simulates attacks and monitors traffic to test for each vulnerability

10 Enroller : Button Finder First find and click the Log in button. Heuristic regular expression matching on the login words Heuristic Log in button location Then Log in with Facebook button pops up

11 Enroller : Completing Registration Using SSO to sign in for the first time, it requires to complete registration. Then use Button Finder with different settings to find submit button

12 Oracle Decide registration successful by confirming the session s identity Assumption the homepage will display some user information (replace the original login button) after the user has logged in. Searches the entire DOM and document.cookie for test account user information.

13 Vulnerability Tester Simulated Attacks test credential misuse Test application: Mal simulates Alice signs into a malicious website using Facebook to obtain her signed_request, then use Bob s Facebook credential to sign into an application, replace signed_request with Alice s. If Bob logs in as Alice, attack successes. Passive Monitoring test credential leakage Monitors network traffic, request data and web page contents to check whether it contains OAuth credentials.

14 Automated Test Results Top rank 20,000 websites according to quantcast.com Exclude 715 hidden sites(no URL given), 1,372 sites with DNS errors and timeouts Valid 17,913 sites 1,660 (9.3%) sites using Facebook SSO 202 (12.1%) sites misusing credentials 146 (8.6%) sites leaking credentials 345 (20.3%) sites have at least one vulnerability Average testing time 3.5 min per site

15 Detection Accuracy Facebook Login Detection Correctness Sites include Facebook SSO but missed by SSOScan missed 1 out of 100 from manual examination Sites do not include Facebook SSO but concluded by SSOScan E.g. MSN.com Vulnerability Status Correctness Credential leakage OAuth credential is transformed or encoded. Credential misuse Oracle incorrectly determines the session identity

16 Automation Failures 228 failed out of 10,000 test sites Programmed incorrectly (47 cases) Complicated or highly-customized registration process. (143 cases) Oracle confusion cannot detect the session identity (28 cases) Others e.g. timeout etc. (10 cases)

17 Heuristic Evaluation Candidate rank controls the maximum number (3) of click attempts. Visibility filter ignores all invisible elements e.g. element width/height is 0 Position filter eliminates submit button displayed above any inputs Registration form filter rejects submit button requires user manual interactions e.g. account linking interaction, need user to enter username and password or etc. Element content matching e.g. login / sign up with Facebook

18 Experiment & Results Remove all filters to try every possible strategy. Results Element type of Button or Input are very likely to be a true candidate. Elements direct visible / residing in iframes are more likely represents a true candidate (invisible / main page) Keywords like Connect, Facebook and oauth are also very useful in matching regular expression Can exclude button width greater than 300 px First click attempts to be at the upper right corner of the page and second click appears in the upper middle of the page. Result shows that only few sites containing Facebook SSO were missed by the main study

19 Conclusion The paper describes the design and implementation of an auto vulnerability checker SSOScan. By scanning 20,000 sites, authors find that 20.3% sites suffer from at least one vulnerability. SSOScan can be deployed as part of the application validation process to improve the security of integrated applications. The identity provider or notifying vendors are not found to be effective. Particularly difficult to convince website vendors to take security vulnerabilities seriously.

20 Criticisms How to compute different scores based on each heuristic exactly? It computes a score for each element by matching its content with regular expressions adjust the contribution of different element properties to its score The Vulnerability Tester s procedure is not explained in detail as how exactly they tested each vulnerability. the method for checking access_token misuses is similar. the other leaks are detected similarly by observing network traffic and web page contents.

21 Criticisms Run the experiment on the previous found test pool (973 out of 10,000 sites supported Facebook SSO found by the initial study) could cause bias. SSOScan is limited to English-language websites, Facebook SSO, these particular five vulnerabilities Can only test vulnerabilities that can be checked by observing traffic or simulating predictable user events. We could potentially even ignore the other criteria and only consider position to find login buttons on foreign-language sites.

22 Thank you!