SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities
Yuchen Zhou and David Evans
http://www.ssoscan.org/ 1
Single Sign-On Service
Single Sign-On Workflow
[Diagram: SSO workflow between the User (Web Client), the Integrator (e.g., espn.com) and the Identity Provider (e.g., Facebook). The user visits the integrator, which redirects to the identity provider; the user logs in there; the identity provider verifies the login and issues credentials; the user confirms those OAuth credentials to the integrator, which then treats the user as authenticated.]
Integrating SSO services
SSO SDKs are designed for developers with little or no security expertise, but secure integration depends on understanding important security requirements.
Credential Misuse
[Diagram: credential misuse attack; labels: Facebook User, Mallory, Foo app server. 1. Visit 2. Login 3. Issue credentials 4. Forward credentials 5. Reuse credentials 6. Authenticated]
Happens when the application fails to verify:
• The application ID to which the access_token was issued
• The signature of the signed_request credential
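An added example (not the authors' code) of the two checks this slide names, in Python: a signed_request is trusted only after its HMAC-SHA256 signature over the base64url payload validates against the app secret, and an access_token is accepted only when a Graph API debug_token response says it was issued to our app ID. The app ID, secret, payloads and the insecure_parse helper are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders for this example; a real integrator uses its own values.
APP_ID = "123456789012345"
APP_SECRET = b"example-app-secret-not-real"

def b64url_decode(s: str) -> bytes:
    # signed_request uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_signed_request(payload: dict, secret: bytes = APP_SECRET) -> str:
    # Builds a "<signature>.<payload>" signed_request so the example runs offline.
    encoded = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, encoded.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{encoded}"

def insecure_parse(signed_request: str) -> dict:
    # The vulnerable pattern from the slide: the payload is trusted without
    # checking the signature, so anyone can forge a user_id.
    return json.loads(b64url_decode(signed_request.split(".", 1)[1]))

def verify_signed_request(signed_request: str, secret: bytes = APP_SECRET):
    """Return the payload only when its HMAC-SHA256 signature validates, else None."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        sig = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC is computed over the still-encoded payload; compare in constant time.
    expected = hmac.new(secret, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return payload

def token_issued_to_app(debug_token_response: dict, app_id: str = APP_ID) -> bool:
    # Checks a Graph API debug_token response: the token must be valid and its
    # app_id must be ours, otherwise a token issued to Mallory's app is accepted.
    data = debug_token_response.get("data", {})
    return bool(data.get("is_valid")) and str(data.get("app_id")) == app_id
```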
Credential Leakage
[Diagram: a request for a third-party resource carries the access_token in the Referer header.]
GET https://cdn.optimizely.com/js/242559767.js HTTP/1.1
Host: cdn.optimizely.com
…
Referer: https://www.dealchicken.com/Login?access_token=CAABhCKz13vUBAGaNPlN9fu0dnPvoceu46ScHXELkpEOOmLCTk3iFnJHGjWEZAxOJFcYf4wxVWv1MejzvT3K4arpWmAjAZCoOeuECQcnDRt82nUeBdA5ACVpoJyM6J3KzKvZA1ZBWKsFVEIBIZAntEkmDbXaN7IlaC8lQK9G9PE1XLg0kLoqG8ObRhy7BIHfUs9cNWGZBLV6fMhN0WIgdde&expires_in=6493&fb_uid=100003929906137&ReturnUrl=https%3A%2F%2Fwww.dealchicken.com%2Flogin%3FReturnUrl%3D%252f
SSOScan
[Screenshot: SSOScan results for example sites (http://www.answers.com/, http://www.espn.go.com/, http://www.pinterest.com/, http://www.huffingtonpost.com/, http://www.imgur.com/, http://www.wsj.com/, http://www.ask.com/, http://www.ohours.org/), showing each site's vulnerability status for credential misuse and credential leakage.]
SSOScan Components
Enroller: • Button Finder • IdP login automation • Registration automation
Vulnerability Tester: • Simulate attacks • Monitor traffic & response
Oracle: • Verify enrollment success • Confirm session identity
Enroller: Button Finder
Button finder: Location
[Screenshots of candidate login buttons, labelled: First Click, True Positive; Second Click, True Positive; Second Click, False Positive.]
Registration Automation
Oracle
Evaluation
Dataset: top-ranked 20,000 US sites (according to Quantcast), excluding hidden sites, DNS errors and timeouts, leaving 17,913 valid top US ranked sites.
• No Facebook SSO: 90.7%
• Facebook SSO: 9.3% (1,660 sites)
Of the 1,660 sites using Facebook SSO:
• Not vulnerable: 57.4%
• Misuse cred: 12.1%
• Leak cred: 8.6%
• Buggy: 2.3%
• Test failed: 20.0%
20.3% of sites have at least one vulnerability.
Example vulnerable cases
[Screenshots:]
Credential Misuse – signed_request:
Credential Misuse – both:
Credential Leakage:
Both vulnerabilities fixed as of now.
Facebook SSO support % vs. site ranking
[Chart: % supporting Facebook SSO (y axis, 0% to 45%) against site rank (x axis, bins 1 to 100; each bin contains 179 sites, 1% of the total tested; more popular to less popular).]
More popular sites tend to include Facebook SSO more.
Vulnerable sites % vs. site ranking
[Chart: % vulnerable (y axis, 0% to 70%) against site rank (x axis, bins 1 to 100; each bin contains 179 sites, 1% of the total tested; more popular to less popular). *: no Facebook SSO supported sites.]
Higher-profile sites do not seem to have better security practices (SSO integration).
Integration methods
SDK: <script src="//connect.facebook.net/en_US/all.js" type="text/javascript"></script>
Widget: <iframe name="1394305783460" frameborder="0" …></iframe>
Custom code: anything else

Method   Number   Misuse vul   Leakage vul
SDK      578      29.1%        3.6%
Widget   132      15.5%        2.2%
Custom   950      1.3%         12.4%
All      1660     12.1%        8.6%
Responses from vendors
20 vendors contacted.
• Only got 8 responses
• 3 of 8 responded after an initial (automated) response
• After 3 months, one site removed Facebook SSO from their site: ehow.com
Through a personal connection, we reached another vendor.
• After the first fix, the vulnerability still existed
• The second fix solved all issues
Response from Facebook
We contacted Facebook in May 2014 regarding the vulnerable websites. Facebook is more concerned with sites that:
• Leak the access_token through the referer header;
• Misuse any type of OAuth credential.
We reported 95 such cases to Facebook, and Facebook responded: “We have notified and taken appropriate actions against those sites”. Only 4 out of 95 had fixed their issues as of our latest test result.
Conclusion
SSOScan shows that roughly 20% of the top-ranked websites suffer from SSO vulnerabilities. Notifying vendors, or even the identity provider, is not as effective as one might expect.
SSOScan deployment opportunities:
• Integrated at the identity provider's app center / app store
• Ensure application security by shutting down a vulnerable app's access
• Checking-as-a-service
SSOScan as a web service: http://www.ssoscan.org/
Thank you!