Abstract
With the growth of social networking, it has become much more convenient for a user to sign onto multiple websites with a web-based single sign-on (SSO) account from an identity provider website. Based on how these SSO systems are implemented, we classify their patterns into two general abstract models: the independent SSO model and the standard SSO model. In our research, we find that both models contain serious vulnerabilities in their credential exchange protocols. By examining five of the most popular identity provider websites (e.g. Google.com and Weibo.com) and 17 popular service provider websites in production, we confirm that these potential vulnerabilities of the abstract models can be exploited in practical SSO systems. Testing on about 1,000 websites in the wild shows that the problem we identify is widespread in the real world. These vulnerabilities can be attributed to the lack of integrity protection for login credentials. To mitigate these threats, we propose an integrity protection prototype that keeps the credential in a secure environment. After completing the design, we implement this prototype in our laboratory environment and carry out extensive experiments showing that the protection prototype is both effective and efficient.
Acknowledgement
This work is supported by the “Strategic Priority Research Program” of the Chinese Academy of Sciences, Grants No. XDA06010701, National Natural Science Foundation of China (No. 61402471, 61472414, 61170280), and IIE’s Cryptography Research Project. Thanks to Wei Yang for helping record the experiments. Thanks to a number of anonymous reviewers and Prof. Jian Liu, who gave us very useful feedback on a previous version of this paper.
© 2016 Springer International Publishing Switzerland
Li, M., Yang, L., Yuan, Z., Zhang, R., Xue, R. (2016). An Approach for Mitigating Potential Threats in Practical SSO Systems. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science, vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_13
DOI: https://doi.org/10.1007/978-3-319-38898-4_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-38897-7
Online ISBN: 978-3-319-38898-4
eBook Packages: Computer Science (R0)