Post on 14-Jan-2016
transcript
Yuchen Zhou and David Evans
Presented by Simon du PreezCompsci 726
SSOScan: Automated Testing of Web Applications for Single Sign-On
Vulnerabilities
Allows a user to login with a single ID to a number of connected systems
Established internet identity (Twitter, Facebook, Google)
Extra permissions can be issued as needed by the service
Single Sign-On (SSO)
Reduces password fatigue Don’t need to remember lots of different passwords Reduces time spent re-entering passwords Lost password claims in IT goes down
Access to more with same credentials High reliance on authentication system being “up”
SSO: Benefits and Drawbacks
How it Works
1. Alice visits a web application and uses SSO
2. Alice is redirected to Identity provider
3. Alice logs into Facebook4. OAuth credentials issued
to application server5. Application server
confirms identity and authenticates the client
Code Used to exchange for an access_token Also requires applications app_secret
Access_token Represents permissions granted by the user Issued and forwarded to application at users consent
Signed_request Used to verify a user’s current login status
OAuth Credentials
Facebook tokens: User Access Tokens, App Access, Tokens, Page Access Token and Client Access Tokens
Facebook User Access Token Used to read/write Facebook data on their behalf Obtained via login dialogs Short-life (~2 hours) and long-life tokens (~60 days) Tokens are PORTABLE
Facebook Access Tokens
Implementing SSO services can be difficult
Developers make mistakes when integrating SSO APIs
Applications integrating SSO can have vulnerabilities as shown in previous papers
Motivation
Development of SSOScan Takes a website URL, determines if it uses Facebook SSO and
simulates several attacks Focus is on Facebook Two parts to SSOScan
Large scale study and investigation of vulnerabilities Top 20,000 most popular US sites
Contribution
An automatic vulnerability checker for applications using Facebook SSO
Designed for large scale testing
Consists of two main parts: enroller & vulnerability tester
In addition an oracle which determines state
SSOScan
First step: find the login button Second: login with Facebook SSO [Third]: Enter remaining details
Website is broken up into elements and analyzed Rankings to each element Clicking every element would take up far too much time
The Enroller
Different websites = different registration process
SSOScan must account for registration forms after already signing in
Registration forms filled out Radio buttons -> tick boxes -> text fields -> submit
The Enroller (2)
Determine if enroller logged a user in
Also used by vulnerability tester to check impersonation attack
Looks for anything indicating account information Name, email, profile “Welcome Alice”
The Oracle
Control is pass to the vulnerability tester
Five different types of vulnerabilities were looked for
The Vulnerability Tester
Access_tokens are not tied to a specific application
Access_token misuse
Signature of signed request is never checked using app_secret
Attack is similar to access_token misuse except you reuse signed_request as well as access_token
Signed_request misuse
App_secret is given to developer when app is registered
Should always be kept secret
Code and app_secret are used to exchange for an access token. Do this on SERVER SIDE
App_secret leak
1. Credentials intentionally put in the URL
2. Credentials present in the content From this can impersonate users
Credential Leaks
Signed_request misuse Situation described earlier – malicious website Test application “Mal” developed Alice's signed_request for Mal obtained Bob signs into target application using stolen
signed_request Success: Bob = Alice
Simulated Attacks
Referer header leak SSOScan monitors all request data
Compares each referer header to OAuth credentials
A leak is: credentials found in header for a page that contains third-party content
Passive Monitoring
20,000 websites -> 17,913 valid sites
Three days to complete 3.5 minutes per site on average
Running SSOScan
Of the 17,913 sites 1660 had Facebook SSO implementations
The more popular the website, the higher chance the website integrated Facebook SSO
39 / 1660 sites had faulty implementations Lazy programmers, SEO Purposes, incorrect
implementations
Results
202 / 1660 sites misused credentials 126 were misusing both access_token and signed_request
146 /1660 sites leaked Facebook SSO credentials
A total of 345 / 1660 had at least one of the vulnerabilities. 3 websites had both misused and leaked credentials
Results (2)
None of the sites leaked their app_secret Verified SSOScan was working Documentation warnings & increased effort
Example: Match.com
Vulnerable to signed_request replacement Impersonators had access to sensitive information
Results (3)
Two kinds of mistakes identified: Misreporting Facebook SSO
A number of test cases identified No login button – Only “My Account” button Interaction with popup window three times. Max click depth = 2 Login button ranked 4th of all elements
Evaluation: Misreporting
Vulnerabilities were simulated Confident accuracy of scan is good
A false negative is possible OAuth string is transformed or encoded
SSOScan checks for exact match
Evaluation: Vulnerability Identification
228 cases which failed registration 47 would never work anyway
Complicated registration process: CAPTCHAs etc.
Oracle Confusion: No ID information
Other: Timeouts, load loading times
Automation Failures
A single click incurs latency Important to narrow selection
Candidate rank Visibility Filter Position Registration form filter
Heuristics Evaluation
Vulnerable sites contact Most didn’t care
Facebook contacted Still didn’t care
Of total 345 vulnerable sites, 48 fixed problems Two main contributions:
SSOScan Tool Large scale testing of popular websites
Communication and Conclusion
Front end operations and traffic checked only
Methodology of vulnerability tester unclear
SSOScan only relevant for English websites
Only Facebook SSO implementation checked Possible tied to Facebook API
Criticism
Questions?