SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities
نویسندگان
چکیده
Correctly integrating third-party services into web applications is challenging, and mistakes can have grave consequences when third-party services are used for security-critical tasks such as authentication and authorization. Developers often misunderstand integration requirements and make critical mistakes when integrating services such as single sign-on APIs. Since traditional programming techniques are hard to apply to programs running inside black-box web servers, we propose to detect vulnerabilities by probing behaviors of the system. This paper describes the design and implementation of SSOScan, an automatic vulnerability checker for applications using Facebook Single Sign-On (SSO) APIs. We used SSOScan to study the twenty thousand top-ranked websites for five SSO vulnerabilities. Of the 1660 sites in our study that employ Facebook SSO, over 20% were found to suffer from at least one serious vulnerability.
منابع مشابه
Automatic Detection of Vulnerabilities in Web Applications using Fuzzing
Automatic detection of vulnerabilities is a problem studied in literature and a very important concern in application development with security requirements. Fuzzing is a software testing technique, automated or semi-automated, that involves injecting a massive quantity of semi-random inputs in software in order to find security vulnerabilities. Many vulnerability detection techniques need manu...
متن کاملExploring the Relationship Between Web Application Development Tools and Security
How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative data to the discussion and debate. We use manu...
متن کاملImproving penetration testing through static and dynamic analysis
Penetration testing is widely used to help ensure the security of web applications. Using penetration testing, testers discover vulnerabilities by simulating attacks on a target web application. To do this efficiently, testers rely on automated techniques that gather input vector information about the target web application and analyze the application’s responses to determine whether an attack ...
متن کاملSemi-Automatic Security Testing of Web Applications with Fault Models and Properties
Web applications are complex and face a significant amount of complex attacks, as well. The complexity makes manual testing of web applications for security issues hard and time consuming, thus, automated testing is preferable. To tackle the complexity, we propose a (semi-)automatic model-based testing approach. Using models, test cases are often generated using structural criteria. Since such ...
متن کاملAttack Patterns for Black-Box Security Testing of Multi-Party Web Applications
The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-aService (CaaS), Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of ...
متن کامل