Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite




Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite
Vladislav Mladenov, Tim Guenther, Christian Mainka
Horst-Görtz Institut für IT-Sicherheit, Ruhr-Universität Bochum

Agenda: Single Sign-On, Analyzing SSO, EsPReSSO, Demo

Single Sign-On (diagram): the User logs in with Username/Password

Single Sign-On (diagram): the User authenticates at the Identity Provider with Username/Password and receives a Token; the Token is then presented to Service Provider 1 through Service Provider 5.

Agenda: Single Sign-On, Analyzing SSO, EsPReSSO, Demo

Analyzing SSO: Protocols
- SAML 2.0
- OpenID
- OAuth 2.0
- MS Account
- Facebook Connect
- OpenID Connect 1.0
- BrowserID

Analyzing SSO: Security issues

Analyzing SSO: Automated Analysis (diagram): the Security auditor starts a Pen-testing Tool against the Server and receives the Results.

Analyzing SSO: Automated Analysis
Automated analysis is insufficient:
- Existing tools analyze only one SSO protocol or a small subset of the existing attacks.
- Small deviations in the messages lead to false results.
- Only known attacks are detected.
- Extending the tools is insufficient or not possible.
- Changes in the specification are not implemented.
Security report: "No issues found." Are there really no security issues, or did the tool simply not find any?

Analyzing SSO: Semi-automated Analysis
Security pentesters and researchers prefer semi-automated tools:
- Full control over all messages
- Flexibility during security evaluations

Agenda: Single Sign-On, Analyzing SSO, EsPReSSO, Demo

Burp Suite Setup: Proxy HTTP Messages (diagram): Burp Suite sits between the Security auditor and the Server; every HTTP Request and HTTP Response passes through it.

Burp Suite: many different messages pass through the proxy, so it is hard to identify the SSO-related ones.

EsPReSSO: acronym for Extension for Processing and Recognition of Single Sign-On Protocols
Structure:
- Recognition
- Visualization
- Processing / Attacking

EsPReSSO: Recognition
- Burp Suite does not recognize SSO-related messages by default.
- SSO messages are encoded with different technologies, for example JSON, JWT and compression.
- Support for all previously presented protocols.
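To make the recognition step concrete, here is an added Python example (my own illustration, not code from the EsPReSSO extension or the Burp Suite API). It classifies a single HTTP request as SAML 2.0, OAuth 2.0 or OpenID Connect 1.0 and undoes the encodings the slide mentions: base64 plus raw DEFLATE for the SAML HTTP-Redirect binding, plain base64 for the HTTP-POST binding, and base64url-encoded JSON segments for a JWT. It goes slightly beyond the slide by covering both SAML bindings and the OAuth/OIDC authorization request and implicit-flow callback. All hostnames, parameter values and messages in build_samples() are constructed for this example; the JWT signature is a placeholder and is deliberately not verified, since this is recognition, not validation.

```python
"""Minimal SSO message recogniser, in the spirit of EsPReSSO's recognition stage.

Added example, not part of the EsPReSSO project. Sample messages are constructed.
"""
import base64
import json
import zlib
from urllib.parse import parse_qs, quote, urlsplit


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token: str):
    """Return (header, payload) for a JWS compact token, or None if it is not one.
    The signature is NOT checked here: recognition only, never trust the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    return header, payload


def decode_saml(value: str, redirect_binding: bool) -> str:
    """Redirect binding: base64(DEFLATE(xml)); POST binding: base64(xml)."""
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
    return raw.decode("utf-8")


def recognise(method: str, url: str, body: str = "") -> dict:
    """Classify one HTTP request; returns the protocol plus decoded artefacts."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}  # implicit flow
    form = {k: v[0] for k, v in parse_qs(body).items()} if method == "POST" else {}
    params = {**query, **fragment, **form}

    for key in ("SAMLRequest", "SAMLResponse"):
        if key in query:  # HTTP-Redirect binding
            return {"protocol": "SAML 2.0", "message": key,
                    "xml": decode_saml(query[key], redirect_binding=True)}
        if key in form:  # HTTP-POST binding
            return {"protocol": "SAML 2.0", "message": key,
                    "xml": decode_saml(form[key], redirect_binding=False)}

    if "response_type" in params and "client_id" in params:
        scopes = params.get("scope", "").split()
        proto = "OpenID Connect 1.0" if "openid" in scopes else "OAuth 2.0"
        return {"protocol": proto, "message": "AuthorizationRequest", "params": params}

    for key in ("id_token", "access_token"):
        if key in params:
            proto = "OpenID Connect 1.0" if key == "id_token" else "OAuth 2.0"
            return {"protocol": proto, "message": key, "jwt": decode_jwt(params[key])}
    return {"protocol": None}


def build_samples() -> dict:
    """Constructed sample requests (not captured traffic) covering the encodings above."""
    saml_xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                'ID="_constructed" Version="2.0"/>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(saml_xml.encode()) + comp.flush()
    redirect_url = ("https://idp.example/sso?SAMLRequest="
                    + quote(base64.b64encode(deflated).decode()))
    post_body = "SAMLResponse=" + quote(base64.b64encode(saml_xml.encode()).decode())

    def b64url(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    fake_jwt = ".".join([b64url({"alg": "HS256", "typ": "JWT"}),
                         b64url({"iss": "https://op.example", "sub": "alice"}),
                         "c2lnbmF0dXJl"])  # placeholder signature, never verified
    return {
        "saml_xml": saml_xml,
        "saml_redirect": ("GET", redirect_url, ""),
        "saml_post": ("POST", "https://sp.example/acs", post_body),
        "oidc_authz": ("GET", "https://op.example/authorize?response_type=code"
                              "&client_id=demo&scope=openid%20profile", ""),
        "oidc_implicit_cb": ("GET", "https://client.example/cb#id_token=" + fake_jwt
                                    + "&token_type=bearer", ""),
        "plain": ("GET", "https://www.example/index.html", ""),
    }


if __name__ == "__main__":
    for name, request in build_samples().items():
        if name != "saml_xml":
            print(name, "->", recognise(*request)["protocol"])
```

The classification order matters: SAML parameters are checked first because they are unambiguous, then the OAuth/OIDC authorization request, then bare tokens. A JWT that fails to decode still yields a classification with jwt set to None, so a malformed token is surfaced rather than silently dropped.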

EsPReSSO: Visualization
- SSO History window, for SSO messages only.
- Special editors for encoded messages.
- Syntax highlighting for JSON and XML (more possible).

EsPReSSO: Processing/Attacking
- XML Signature/Certificate Faking: a signed XML message is modified and signed with a new, untrusted key.
- XML Signature Wrapping: a signed message is modified without invalidating the provided signature.

Agenda: Single Sign-On, Analyzing SSO, EsPReSSO, Demo

EsPReSSO: Conclusion
- A good basis to support pentesters and researchers during their work.
- EsPReSSO is still beta.
- Hopefully many feature requests and comments on GitHub.

Links
Burp Suite: https://portswigger.net/burp/
EsPReSSO: https://github.com/rub-nds/burpssoextension

Any Questions?