Security Research Group
University of Virginia

SSOScan

Automatically Scanning for SSO Vulnerabilities

Automatic Scanning for SSO Vulnerabilities

SSOScan is a tool that can automatically check if your application has these vulnerabilities when integrating Facebook Single Sign-On (SSO).

Correctly integrating third-party services into web applications is challenging, and mistakes can have grave consequences when third-party services are used for security-critical tasks such as authentication and authorization. Developers often misunderstand integration requirements and make critical mistakes when integrating services such as single sign-on APIs. Since traditional programming techniques are hard to apply to programs running inside black-box web servers, we propose to detect vulnerabilities by probing behaviors of the system. This paper describes the design and implementation of SSOScan, an automatic vulnerability checker for applications using Facebook Single Sign-On (SSO) APIs. We used SSOScan to study the twenty thousand top-ranked websites for five SSO vulnerabilities. Of the 1660 sites in our study that employ Facebook SSO, over 20% were found to suffer from at least one serious vulnerability.

System Strcture

Vulnerabilities

Vulnerabilities Checked by SSOScan

Paper

Yuchen Zhou and David Evans. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities in 23rd USENIX Security Symposium, San Diego, 20-22 August 2014.

Full paper (16 pages): [PDF]
Expanded tech report (18 pages): [PDF]

Source Code

https://www.github.com/Treeeater/vulCheckerFirefox

Authors

Yuchen Zhou (University of Virginia; now at Palo Alto Networks)
David Evans (University of Virginia)

This work was supported by a grant from the National Science Foundation SaTC Program and a gift from Google.