Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

Upload: ross-copeland

Post on 14-Jan-2016


TRANSCRIPT

Page 1: SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

Yuchen Zhou and David Evans

Presented by Simon du Preez, Compsci 726

Page 2: Single Sign-On (SSO)

Allows a user to log in with a single ID to a number of connected systems

Established internet identity (Twitter, Facebook, Google)

Extra permissions can be issued as needed by the service

Page 3: SSO: Benefits and Drawbacks

Benefits:

Reduces password fatigue: no need to remember lots of different passwords

Reduces time spent re-entering passwords

Lost-password claims to IT go down

Drawbacks:

Access to more with the same credentials

High reliance on the authentication system being “up”

Page 4: How it Works

1. Alice visits a web application and uses SSO

2. Alice is redirected to the identity provider

3. Alice logs into Facebook

4. OAuth credentials are issued to the application server

5. The application server confirms her identity and authenticates the client

Page 5: OAuth Credentials

code: exchanged for an access_token; the exchange also requires the application's app_secret

access_token: represents the permissions granted by the user; issued and forwarded to the application with the user's consent

signed_request: used to verify a user's current login status

Page 6: Facebook Access Tokens

Facebook tokens: User Access Tokens, App Access Tokens, Page Access Tokens and Client Access Tokens

Facebook User Access Token: used to read/write Facebook data on the user's behalf; obtained via login dialogs; short-lived (~2 hours) and long-lived (~60 days) tokens; tokens are PORTABLE

Page 7: Motivation

Implementing SSO services can be difficult

Developers make mistakes when integrating SSO APIs

Applications integrating SSO can have vulnerabilities, as shown in previous papers

Page 8: Contribution

Development of SSOScan: takes a website URL, determines if it uses Facebook SSO and simulates several attacks

Focus is on Facebook

Two parts to SSOScan

Large-scale study and investigation of vulnerabilities: top 20,000 most popular US sites

Page 9: SSOScan

An automatic vulnerability checker for applications using Facebook SSO

Designed for large-scale testing

Consists of two main parts: enroller & vulnerability tester

In addition, an oracle which determines state

Page 10: The Enroller

First step: find the login button

Second: log in with Facebook SSO

[Third]: enter remaining details

Website is broken up into elements and analyzed; a ranking is assigned to each element, since clicking every element would take far too much time

Page 11: The Enroller (2)

Different websites = different registration process

SSOScan must account for registration forms that appear after already signing in

Registration forms are filled out in order: radio buttons -> tick boxes -> text fields -> submit

Page 12: (no transcript text)

Page 13: (no transcript text)

Page 14: The Oracle

Determines if the enroller logged a user in

Also used by the vulnerability tester to check the impersonation attack

Looks for anything indicating account information: name, email, profile, “Welcome Alice”

Page 15: The Vulnerability Tester

Control is passed to the vulnerability tester

Five different types of vulnerabilities were looked for

Page 16: Access_token misuse

Access_tokens are not tied to a specific application

Page 17: Signed_request misuse

The signature of the signed_request is never checked using app_secret

The attack is similar to access_token misuse, except the signed_request is reused as well as the access_token
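The missing check this slide describes, as an added example (not code from the paper or the SSOScan tool): a verifier for Facebook's signed_request format (base64url signature, then base64url JSON payload, signed with HMAC-SHA256 keyed by app_secret) beside the unverified decode that lets a signed_request issued to another app be replayed. The app secrets and user_id are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_decode(s: str) -> bytes:
    # Both parts of a signed_request are base64url without padding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_signed_request_unverified(signed_request: str) -> dict:
    # The flawed pattern SSOScan tests for: decode the payload and trust it.
    # A signed_request issued to any other app (such as "Mal") decodes just as
    # well, so whoever holds it chooses the user_id the site will log in as.
    _sig, payload_b64 = signed_request.split(".", 1)
    return json.loads(b64url_decode(payload_b64))

def parse_signed_request(signed_request: str, app_secret: str) -> Optional[dict]:
    # The correct pattern: recompute HMAC-SHA256 over the encoded payload with
    # THIS app's secret and compare in constant time before trusting any field.
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        provided = b64url_decode(sig_b64)
        expected = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, provided):
            return None  # signed with a different app_secret, or tampered with
        data = json.loads(b64url_decode(payload_b64))
    except ValueError:  # no "." separator, bad base64 or bad JSON
        return None
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return data

def make_signed_request(payload: dict, app_secret: str) -> str:
    # Builds a signed_request the way the identity provider would (demo only)
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{payload_b64}"

APP_SECRET = "target-app-secret-constructed"  # constructed, not a real secret
MAL_SECRET = "mal-app-secret-constructed"     # constructed: the attacker's own app

if __name__ == "__main__":
    claims = {"algorithm": "HMAC-SHA256", "user_id": "1001", "issued_at": 1400000000}
    stolen = make_signed_request(claims, MAL_SECRET)  # Alice's signed_request for Mal
    print(parse_signed_request_unverified(stolen)["user_id"])  # "1001": site is fooled
    print(parse_signed_request(stolen, APP_SECRET))            # None: rejected
```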

Page 18: App_secret leak

App_secret is given to the developer when the app is registered

Should always be kept secret

Code and app_secret are used to exchange for an access_token. Do this on the SERVER SIDE

Page 19: Credential Leaks

1. Credentials intentionally put in the URL

2. Credentials present in the page content

From either of these an attacker can impersonate users

Page 20: Simulated Attacks

Signed_request misuse: the situation described earlier – a malicious website

Test application “Mal” developed

Alice's signed_request for Mal obtained

Bob signs into the target application using the stolen signed_request

Success: Bob = Alice

Page 21: Passive Monitoring

Referer header leak: SSOScan monitors all request data

Compares each Referer header to the OAuth credentials

A leak is: credentials found in the header for a page that contains third-party content

Page 22: Running SSOScan

20,000 websites -> 17,913 valid sites

Three days to complete; 3.5 minutes per site on average

Page 23: Results

Of the 17,913 sites, 1660 had Facebook SSO implementations

The more popular the website, the higher the chance the website integrated Facebook SSO

39 / 1660 sites had faulty implementations: lazy programmers, SEO purposes, incorrect implementations

Page 24: Results (2)

202 / 1660 sites misused credentials; 126 were misusing both access_token and signed_request

146 / 1660 sites leaked Facebook SSO credentials

A total of 345 / 1660 had at least one of the vulnerabilities; 3 websites had both misused and leaked credentials

Page 25: Results (3)

None of the sites leaked their app_secret

Verified SSOScan was working

Documentation warnings & increased effort

Example: Match.com: vulnerable to signed_request replacement; impersonators had access to sensitive information

Page 26: Evaluation: Misreporting

Two kinds of mistakes identified: misreporting Facebook SSO

A number of test cases identified:

No login button – only a “My Account” button

Interaction with popup window three times; max click depth = 2

Login button ranked 4th of all elements

Page 27: Evaluation: Vulnerability Identification

Vulnerabilities were simulated; confident the accuracy of the scan is good

A false negative is possible if the OAuth string is transformed or encoded

SSOScan checks for an exact match
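The passive Referer check from page 21 together with the exact-match caveat on this slide, as an added example (not SSOScan's code): a detector run over a constructed request capture that flags credentials carried in the Referer of requests to third-party hosts. It goes beyond the paper's exact-string comparison by also matching URL-encoded and base64 forms of each credential; the hostnames and token are constructed.

```python
import base64
from typing import Iterable, List, Set, Tuple
from urllib.parse import quote, urlsplit

def credential_variants(cred: str) -> Set[str]:
    # SSOScan compares the raw string, so an encoded credential is a false
    # negative. Extension here: also match URL-encoded and base64 forms.
    return {
        cred,
        quote(cred, safe=""),
        base64.b64encode(cred.encode()).decode().rstrip("="),
    }

def find_referer_leaks(requests: Iterable[Tuple[str, str]],
                       credentials: Iterable[str],
                       app_host: str) -> List[Tuple[str, str]]:
    # requests: (request_url, referer) pairs captured during enrollment.
    # A leak is a credential carried in the Referer of a request to a
    # third-party host, i.e. the page holding the credential in its URL
    # embeds content fetched from elsewhere.
    leaks = []
    for url, referer in requests:
        host = urlsplit(url).hostname
        if not referer or host is None or host == app_host:
            continue  # no Referer, or a first-party request
        for cred in credentials:
            if any(v in referer for v in credential_variants(cred)):
                leaks.append((host, cred))
    return leaks

# Constructed sample capture: one site, one access_token, two third parties
APP_HOST = "app.example"
TOKEN = "AT-constructed-access-token-123"
SAMPLE_REQUESTS = [
    ("https://app.example/home", "https://app.example/login"),
    ("https://app.example/api/me", f"https://app.example/welcome?access_token={TOKEN}"),
    ("https://cdn.analytics.example/pixel.gif", f"https://app.example/welcome?access_token={TOKEN}"),
    ("https://ads.example/track", "https://app.example/welcome?t=" + base64.b64encode(TOKEN.encode()).decode()),
]

if __name__ == "__main__":
    for host, cred in find_referer_leaks(SAMPLE_REQUESTS, [TOKEN], APP_HOST):
        print(f"leak: credential sent in Referer to {host}")
```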

Page 28: Automation Failures

228 cases failed registration; 47 would never have worked anyway

Complicated registration process: CAPTCHAs etc.

Oracle confusion: no ID information

Other: timeouts, long loading times

Page 29: Heuristics Evaluation

A single click incurs latency, so it is important to narrow the selection

Candidate rank, visibility filter, position, registration form filter

Page 30: Communication and Conclusion

Vulnerable sites contacted; most didn't care

Facebook contacted; still didn't care

Of the 345 vulnerable sites in total, 48 fixed their problems

Two main contributions: the SSOScan tool, and large-scale testing of popular websites

Page 31: Criticism

Only front-end operations and traffic are checked

Methodology of the vulnerability tester is unclear

SSOScan is only relevant for English websites

Only the Facebook SSO implementation is checked; possibly tied to the Facebook API

Page 32: Questions?