SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities


Yuchen Zhou and David Evans. http://www.ssoscan.org/

Single Sign-On Service

Single Sign-On Workflow (actors: User / web client, Integrator such as espn.com, Identity Provider such as Facebook)
1. The user visits the integrator.
2. The integrator redirects the user to the identity provider.
3. The user logs in at the identity provider.
4. The identity provider verifies the login and issues OAuth credentials.
5. The user forwards the credentials to the integrator.
6. The integrator confirms the credentials; the user is authenticated.

Integrating SSO services. SSO SDKs are designed for developers with little or no security expertise, yet a secure integration depends on understanding important security requirements.

Credential Misuse (actors: User, Facebook, Foo app server, Mallory)
1. Visit
2. Login
3. Issue credentials
4. Forward credentials
5. Reuse credentials (Mallory replays them to the Foo app server)
6. Authenticated
This happens when the application fails to verify:
- the application ID to which the access_token was issued;
- the signature of the signed_request credential.
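The two checks named on this slide, written out as an added example (not code from the slides or from SSOScan). The first contrasts the mistake the talk describes, decoding a signed_request payload and trusting it, with a version that recomputes the HMAC-SHA256 signature with the app secret before trusting any field. The second checks a token-inspection result for the app ID the access_token was issued to. The app ID, secret and inspection response are constructed here; the inspection dictionary mirrors the {"data": {...}} shape of Facebook's debug_token endpoint but no network call is made.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example: not real application credentials.
APP_ID = "123456789012345"
APP_SECRET = b"example-app-secret-not-real"


def _b64url_decode(s: str) -> bytes:
    # signed_request uses base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build a "<sig>.<payload>" signed_request so the checks below have input.
    Only the identity provider holds the real secret; this is for test data."""
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{body}"


def user_id_unverified(signed_request: str) -> str:
    """The mistake the slide describes: decode the payload and believe it.
    Because the signature is never checked, any payload is accepted."""
    _sig, body = signed_request.split(".", 1)
    return json.loads(_b64url_decode(body))["user_id"]


def user_id_verified(signed_request: str, secret: bytes):
    """Hardened version: recompute HMAC-SHA256 over the encoded payload with the
    app secret and compare in constant time; return None on any failure."""
    try:
        sig_b64, body = signed_request.split(".", 1)
        sig = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return payload.get("user_id")


def token_issued_to_us(inspection: dict, expected_app_id: str) -> bool:
    """Check a token-inspection result: the access_token must be valid AND
    issued to this application, not merely valid for some other app.
    `inspection` is a constructed dictionary in the debug_token response shape."""
    data = inspection.get("data", {})
    return bool(data.get("is_valid")) and str(data.get("app_id")) == expected_app_id


if __name__ == "__main__":
    genuine = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "1001"}, APP_SECRET)
    forged = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "1001"}, b"wrong-secret")
    print("genuine, verified :", user_id_verified(genuine, APP_SECRET))
    print("forged, verified  :", user_id_verified(forged, APP_SECRET))
    print("forged, unverified:", user_id_unverified(forged))
```

The forged request carries a syntactically valid payload and signature, so decode-only code accepts it; only the recomputed HMAC distinguishes it. The same separation applies to the access_token: validity alone is not enough, the token must have been issued to this application's ID.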

Credential Leakage: a request for a third-party resource whose Referer header carries the access_token.

  GET https://cdn.optimizely.com/js/242559767.js HTTP/1.1
  Host: cdn.optimizely.com
  Referer: https://www.dealchicken.com/login?access_token=caabhckz13vubaganpln9fu0dnpvoceu46schxelkpeoomlctk3ifnjhgjwezaxojfcyf4wxvwv1mejzvt3k4arpwmajazcooeuecqcndrt82nuebda5acvpojym6j3kzkvza1zbwksfvEIBIZAntEkmDbXaN7IlaC8lQK9G9PE1XLg0kLoqG8ObRhy7BIHfUs9cnwgzblv6fmhn0wigdde&expires_in=6493&fb_uid=100003929906137&ReturnUrl=https%3A%2F%2Fwww.dealchicken.com%2Flogin%3FReturnUrl%3D%252f
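Detection logic for the leak shown above, as an added example that is not part of the slides or of SSOScan. It runs over a constructed list of (request URL, Referer header) pairs of the kind an integrator's page generates, reports third-party requests whose Referer carries an SSO credential, and shows the mitigation of stripping credential parameters out of the URL. The hostnames, token value and parameter list are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry SSO credentials and must never be placed in a URL
# a browser might send onward in a Referer header (extend as needed).
SENSITIVE_PARAMS = {"access_token", "signed_request"}

# Constructed sample: (requested resource, Referer header the browser attached).
SAMPLE_REQUESTS = [
    ("https://cdn.example-analytics.test/js/app.js",
     "https://shop.example.test/login?access_token=EXAMPLETOKEN123&expires_in=6493&fb_uid=100000000000001"),
    ("https://cdn.example-analytics.test/css/site.css",
     "https://shop.example.test/account"),
    ("https://shop.example.test/static/logo.png",
     "https://shop.example.test/login?access_token=EXAMPLETOKEN123"),
]


def sensitive_params_in_url(url: str) -> list:
    """Names of credential-bearing parameters present in the URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True) if k in SENSITIVE_PARAMS})


def _is_first_party(host: str, first_party_host: str) -> bool:
    return host == first_party_host or host.endswith("." + first_party_host)


def find_referer_leaks(requests, first_party_host: str) -> list:
    """Return (third_party_host, [leaked parameter names]) for every request that
    leaves the first-party site with credentials in its Referer header."""
    leaks = []
    for url, referer in requests:
        dest = urlsplit(url).hostname or ""
        if _is_first_party(dest, first_party_host):
            continue  # same site: the Referer goes back to ourselves, not a third party
        if not referer:
            continue
        leaked = sensitive_params_in_url(referer)
        if leaked:
            leaks.append((dest, leaked))
    return leaks


def strip_sensitive_params(url: str) -> str:
    """Mitigation: remove credential parameters from a URL so they never reach
    the address bar, browser history or a Referer header. The application
    should carry them in a POST body or a server-side session instead."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for host, params in find_referer_leaks(SAMPLE_REQUESTS, "shop.example.test"):
        print(f"credential leak to {host}: {', '.join(params)}")
    print(strip_sensitive_params(SAMPLE_REQUESTS[0][1]))
```

Stripping the parameters removes the leak at its source; a Referrer-Policy of no-referrer or strict-origin on the login page is a useful second layer, but it does not help against the token also sitting in browser history and server logs, which is why the credential should not be in the URL at all.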

SSOScan vulnerability status (credential misuse, credential leakage) shown for example sites: http://www.ohours.org/, http://www.ask.com/, http://www.wsj.com/, http://www.espn.go.com/, http://www.imgur.com/, http://www.answers.com/, http://www.huffingtonpost.com/, http://www.pinterest.com/

SSOScan Components
- Enroller: Button Finder; IdP login automation; Registration automation
- Oracle: Verify enrollment success; Confirm session identity
- Vulnerability Tester: Simulate attacks; Monitor traffic & response

Enroller: Button Finder

Button finder: Location 1

Button finder: Location 2

Button finder: Location (screenshot examples: first click, true positive; second click, true positive; second click, true positive; second click, false positive)

Registration Automation

Oracle

Evaluation
Dataset: top-ranked 20,000 US sites (according to Quantcast), excluding hidden sites, DNS errors and timeouts, leaving 17,913 valid top US ranked sites.
- No Facebook SSO: 90.7%
- Facebook SSO: 9.3% (1,660 sites)
Of the 1,660 sites using Facebook SSO:
- Not vulnerable: 57.4%
- Test failed: 20.0%
- Misuse cred: 12.1%
- Leak cred: 8.6%
- Buggy: 2.3%
20.3% of sites have at least one vulnerability.

Example vulnerable cases
- Credential Misuse (signed_request):
- Credential Misuse (both):
- Credential Leakage:
Both vulnerabilities fixed as of now.

[Chart: Facebook SSO support % vs. site ranking. Y axis: % supporting Facebook SSO (0% to 45%). X axis: site rank from more popular (1) to less popular (100); each bin contains 179 sites, 1% of the total tested.] More popular sites tend to include Facebook SSO more.

[Chart: Vulnerable sites % vs. site ranking. Y axis: % vulnerable (0% to 70%). X axis: site rank from more popular (1) to less popular (100); each bin contains 179 sites, 1% of the total tested; bins marked * contain no sites supporting Facebook SSO.] Higher-profile sites do not seem to have better security practices (SSO integration).

Integration methods
- SDK: <script src="//connect.facebook.net/en_us/all.js" type="text/javascript"></script>
- Widget: <iframe name="1394305783460" frameborder="0" ></iframe>
- Custom code: anything else

  Method   Number   Misuse vul   Leakage vul
  SDK         578        29.1%          3.6%
  Widget      132        15.5%          2.2%
  Custom      950         1.3%         12.4%
  All        1660        12.1%          8.6%

Responses from vendors
20 vendors contacted.
- Only got 8 responses.
- 3 of 8 responded after the initial (automated) response.
- After 3 months, one site removed Facebook SSO from their site: ehow.com.
Through a personal connection, we reached another vendor.
- After the first fix, the vulnerability still existed.
- The second fix solved all issues.

Response from Facebook
We contacted Facebook in May 2014 regarding the vulnerable websites. Facebook is more concerned with sites that
- leak the access_token through the Referer header;
- misuse any type of OAuth credential.
We reported 95 such cases to Facebook, and Facebook responded: "We have notified and taken appropriate actions against those sites." Only 4 out of 95 had fixed their issues as of our latest test result.

Conclusion
SSOScan shows that roughly 20% of the top-ranked websites suffer from SSO vulnerabilities. Notifying vendors, or even the identity provider, is not as effective as one might expect.
SSOScan deployment opportunities:
- Integrated at the identity provider's app center / app store
- Ensure application security by shutting down a vulnerable app's access
- Checking-as-a-service

SSOScan as a web service: http://www.ssoscan.org/
Thank you!