
Page 1:

SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities

Yuchen Zhou, David Evans

http://www.ssoscan.org/

Page 2:

Single Sign-On Service

Page 3:

Single Sign-On Workflow

[Diagram: participants are the User (Web Client), the Integrator (e.g., espn.com) and the Identity Provider (e.g., Facebook). Labelled steps: Visit, Redirect, Login, Verify login and issue credentials, OAuth Credentials, Confirm Credentials, Authenticated.]

Page 4:

Integrating SSO services

SSO SDKs are designed for developers with little or no security expertise, yet a secure integration depends on understanding important security requirements.

Page 5:

Credential Misuse

[Diagram: participants are Facebook, the User, Mallory and the Foo app server. Numbered steps: 1. Visit, 2. Login, 3. Issue credentials, 4. Forward credentials, 5. Reuse credentials, 6. Authenticated.]

Happens when the application fails to verify:

•  The application ID to which the access_token was issued
•  The signature of the signed_request credential
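A defender-side check for both points above, added here as an example and not code from the SSOScan project: it verifies a Facebook-style signed_request (base64url signature and payload, HMAC-SHA256 keyed with the app secret) and compares the app ID reported for an access_token against the integrator's own. The app secret, app ID, sample payload and the field names of the token-introspection response are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values, not from the slides: a hypothetical app secret and the app ID
# that the integrator registered with the identity provider.
APP_SECRET = b"example-app-secret-not-real"
EXPECTED_APP_ID = "123456789"


def _b64url_decode(data: str) -> bytes:
    # signed_request uses unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_signed_request(signed_request: str, app_secret: bytes) -> Optional[dict]:
    """Return the payload only if its signature verifies, otherwise None.
    Format: "<base64url(sig)>.<base64url(json payload)>" with
    sig = HMAC-SHA256(app_secret, base64url(json payload))."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
    except ValueError:  # no dot, or the signature part is not valid base64url
        return None
    expected = hmac.new(app_secret, payload.encode(), hashlib.sha256).digest()
    # constant-time comparison so the check itself does not leak timing information
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(_b64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return data


def token_is_for_this_app(debug_info: dict, expected_app_id: str) -> bool:
    """Check that an access_token was issued to this integrator's app. debug_info stands
    for the IdP's token-introspection response (Facebook's /debug_token); field names assumed."""
    return debug_info.get("is_valid") is True and debug_info.get("app_id") == expected_app_id


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Build a signed_request; used only to construct sample input offline."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    sig = hmac.new(app_secret, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body
```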

Page 6:

Credential Leakage

[Diagram: the integrator's page loads a Third Party Resource, and the browser's Referer header carries the credentials contained in the page URL.]

GET https://cdn.optimizely.com/js/242559767.js HTTP/1.1
Host: cdn.optimizely.com
…
Referer: https://www.dealchicken.com/Login?access_token=CAABhCKz13vUBAGaNPlN9fu0dnPvoceu46ScHXELkpEOOmLCTk3iFnJHGjWEZAxOJFcYf4wxVWv1MejzvT3K4arpWmAjAZCoOeuECQcnDRt82nUeBdA5ACVpoJyM6J3KzKvZA1ZBWKsFVEIBIZAntEkmDbXaN7IlaC8lQK9G9PE1XLg0kLoqG8ObRhy7BIHfUs9cNWGZBLV6fMhN0WIgdde&expires_in=6493&fb_uid=100003929906137&ReturnUrl=https%3A%2F%2Fwww.dealchicken.com%2Flogin%3FReturnUrl%3D%252f
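The leak above can be spotted in the integrator's own traffic. The check below, added here as an example and not SSOScan's code, parses a raw HTTP request head, flags OAuth credential parameters in a Referer sent to a host other than the referring page's, and shows the login URL with the credentials removed from the query string (the form that keeps a Referer from ever carrying the token). The request text, hostnames and token value are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# OAuth credential parameters that must never reach a third party through a URL
CREDENTIAL_PARAMS = {"access_token", "signed_request", "code"}

# Constructed request head modelled on the slide's example; hosts and token are placeholders
SAMPLE_REQUEST = """GET /js/analytics.js HTTP/1.1
Host: cdn.example-thirdparty.net
Referer: https://shop.example.com/Login?access_token=PLACEHOLDER_TOKEN&expires_in=6493&ReturnUrl=%2F
"""


def parse_request_head(raw: str) -> tuple:
    """Split a raw HTTP request head into (request line, {lower-cased header: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def referer_leaks(raw_request: str) -> list:
    """Return [(param, referring_host, receiving_host)] for each credential parameter
    carried in the Referer of a request to a host other than the referring page's."""
    _, headers = parse_request_head(raw_request)
    referer = headers.get("referer")
    if not referer:
        return []
    ref = urlsplit(referer)
    receiving_host = headers.get("host", "").split(":")[0].lower()
    if ref.hostname and ref.hostname == receiving_host:
        return []  # same host: the credential stays with the integrator
    leaked = sorted(set(parse_qs(ref.query)) & CREDENTIAL_PARAMS)
    return [(p, ref.hostname, receiving_host) for p in leaked]


def strip_credentials(url: str) -> str:
    """Rebuild a URL without credential parameters: the form a login page URL should take
    so that the browser's Referer cannot expose the token to embedded third-party resources."""
    parts = urlsplit(url)
    kept = [(k, v) for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
            if k not in CREDENTIAL_PARAMS for v in vs]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```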

Page 7:

SSOScan

[Screenshot of the SSOScan web interface listing example sites (http://www.answers.com/, http://www.espn.go.com/, http://www.pinterest.com/, http://www.huffingtonpost.com/, http://www.imgur.com/, http://www.wsj.com/, http://www.ask.com/, http://www.ohours.org/) with a "Vulnerability status" column for credential misuse and credential leakage.]

Page 8:

SSOScan Components

Enroller
•  Button Finder
•  IdP login automation
•  Registration automation

Oracle
•  Verify enrollment success
•  Confirm session identity

Vulnerability Tester
•  Simulate attacks
•  Monitor traffic & response

Page 9:

Enroller: Button Finder

Page 10:

Button finder: Location

[Screenshot annotated "1"]

Page 11:

Button finder: Location

[Screenshot annotated "2"]

Page 12:

Button finder: Location

[Screenshots labelled: Second Click, False Positive; Second Click, True Positive; First Click, True Positive; Second Click, True Positive]

Page 13:

Registration Automation

Page 14:

Oracle

Page 15:

Evaluation

Dataset: top-ranked 20,000 US sites (according to Quantcast), excluding hidden sites, DNS errors and timeouts.

Valid top US ranked sites (17,913):
•  Facebook SSO: 9.3%
•  No Facebook SSO: 90.7%

1,660 sites using Facebook SSO:
•  Not vulnerable: 57.4%
•  Buggy: 2.3%
•  Misuse cred: 12.1%
•  Leak cred: 8.6%
•  Test failed: 20.0%

20.3% of sites have at least one vulnerability.

Page 16:

Example vulnerable cases

[Screenshots of vulnerable sites, labelled: Credential Misuse – signed_request; Credential Misuse – both; Credential Leakage. Marker: both vulnerabilities fixed as of now.]

Page 17:

[Chart: Facebook SSO support % vs. site ranking. x-axis: site rank (each bin contains 179 sites, 1% of the total tested), bins 1 to 100 from more popular to less popular; y-axis: % supporting Facebook SSO, 0% to 45%.]

More popular sites tend to include Facebook SSO more.

Page 18:

[Chart: Vulnerable sites % vs. site ranking. x-axis: site rank (each bin contains 179 sites, 1% of the total tested), bins 1 to 100 from more popular to less popular; y-axis: % vulnerable, 0% to 70%. *: bins with no sites supporting Facebook SSO.]

Higher-profile sites do not seem to have better security practices for SSO integration.

Page 19:

Integration methods

SDK: <script src="//connect.facebook.net/en_US/all.js" type="text/javascript"></script>

Widget: <iframe name="1394305783460" frameborder="0" …></iframe>

Custom code: anything else

Method   Number   Misuse vul   Leakage vul
SDK      578      29.1%        3.6%
Widget   132      15.5%        2.2%
Custom   950      1.3%         12.4%
All      1660     12.1%        8.6%

Page 20:

Responses from vendors

20 vendors contacted.
•  Only got 8 responses
•  3 of 8 responded after the initial (automated) response
•  After 3 months, one site removed Facebook SSO from their site: ehow.com

Through a personal connection, we reached another vendor.
•  After the first fix, the vulnerability still existed
•  The second fix solved all issues

Page 21:

Response from Facebook

We contacted Facebook in May 2014 regarding the vulnerable websites. Facebook is more concerned with sites that
•  leak the access_token through the Referer header;
•  misuse any type of OAuth credential.

We reported 95 such cases to Facebook, and Facebook responded: “We have notified and taken appropriate actions against those sites”. Only 4 out of 95 had fixed their issues as of our latest test result.

Page 22:

Conclusion

SSOScan shows that roughly 20% of the top-ranked websites suffer from SSO vulnerabilities. Notifying vendors, or even the identity provider, is not as effective as one might expect.

SSOScan deployment opportunities:
•  Integrated at the identity provider's app center / app store: ensure application security by shutting down vulnerable apps' access.
•  Checking-as-a-service

Page 23:

SSOScan as a web service: http://www.ssoscan.org/

Thank you!