
An Approach for Mitigating Potential Threats in Practical SSO Systems

  • Conference paper
Information Security and Cryptology (Inscrypt 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9589)


Abstract

With the spread of social networking, it has become much more convenient for a user to sign onto multiple websites with a web-based single sign-on (SSO) account from an identity provider website. Based on how these SSO systems are implemented, we classify them into two abstract models: the independent SSO model and the standard SSO model. We find that both models contain serious vulnerabilities in their credential exchange protocols. By examining five of the most popular identity provider websites (e.g. Google.com and Weibo.com) and 17 popular service provider websites, we confirm that the potential vulnerabilities of the abstract models can be exploited in practical SSO systems, and tests on about 1,000 websites in the wild show that the problem is widespread. These vulnerabilities can be attributed to a lack of integrity protection for the login credentials. To mitigate these threats, we design an integrity-protection prototype that keeps the credential in a secure environment, implement it in our laboratory environment, and run extensive experiments showing that the protection is effective and efficient.
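The abstract attributes the vulnerabilities to missing integrity protection on the login credential that the identity provider (IdP) hands to the service provider (SP) through the user's browser. The following is an added illustration of that failure class and of the check an integrity-protected exchange gives the SP; it is constructed for this page and is not the paper's prototype nor any identity provider's code. The credential format, the field names, the per-SP HMAC key and the per-login session nonce are all assumptions made for the example.

```python
"""Constructed illustration of an SSO credential exchange with and without
integrity protection. Added example, not the paper's prototype; the
credential format, field names and per-SP HMAC key are assumptions."""
import hashlib
import hmac
import secrets

# Assumed: the IdP holds a secret key per registered service provider (SP).
# A real system would usually use a signature the SP verifies with a public
# key (SAML assertions, OpenID Connect ID tokens); HMAC keeps the example short.
IDP_SP_KEYS = {"sp.example": b"constructed-shared-key-for-sp.example"}


def issue_unprotected(user_id: str, sp_id: str) -> dict:
    """Unprotected credential: a bare statement of who logged in.
    Nothing binds it to the browser session that started the login, and
    nothing lets the SP detect that a field was altered in transit."""
    return {"user": user_id, "sp": sp_id}


def verify_unprotected(cred: dict, sp_id: str):
    """The SP can only check that the credential names it; it returns the
    user field as-is, whatever the attacker put there."""
    if cred.get("sp") != sp_id:
        return None
    return cred.get("user")


def issue_protected(user_id: str, sp_id: str, nonce: str) -> dict:
    """Integrity-protected credential: an HMAC over (user, sp, nonce).
    The nonce is one the SP generated for this particular login attempt,
    so the credential is tied both to the SP and to the browser session."""
    payload = f"{user_id}|{sp_id}|{nonce}".encode()
    tag = hmac.new(IDP_SP_KEYS[sp_id], payload, hashlib.sha256).hexdigest()
    return {"user": user_id, "sp": sp_id, "nonce": nonce, "tag": tag}


def verify_protected(cred: dict, sp_id: str, expected_nonce: str):
    """SP-side check: audience, session nonce, then the MAC in constant time."""
    if cred.get("sp") != sp_id or cred.get("nonce") != expected_nonce:
        return None
    payload = f"{cred.get('user')}|{cred.get('sp')}|{cred.get('nonce')}".encode()
    expected = hmac.new(IDP_SP_KEYS[sp_id], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(cred.get("tag", ""))):
        return None
    return cred["user"]


def run_scenarios() -> dict:
    """Three scenarios on each variant. Each outcome is the user the SP
    logs in, or None if the SP rejects the credential."""
    sp = "sp.example"
    results = {}

    # 1. Honest exchange: both variants log the user in.
    nonce = secrets.token_hex(8)  # nonce the SP issued when redirecting to the IdP
    results["honest_unprotected"] = verify_unprotected(issue_unprotected("alice", sp), sp)
    results["honest_protected"] = verify_protected(issue_protected("alice", sp, nonce), sp, nonce)

    # 2. Tampering in transit: an attacker on the path (e.g. an intercepting
    #    proxy on a leg without TLS) rewrites the user field of a credential
    #    issued for their own account "mallory" to "alice".
    tampered = dict(issue_unprotected("mallory", sp), user="alice")
    results["tampered_unprotected"] = verify_unprotected(tampered, sp)
    tampered = dict(issue_protected("mallory", sp, nonce), user="alice")
    results["tampered_protected"] = verify_protected(tampered, sp, nonce)

    # 3. Session swap: the attacker obtains a valid credential for "mallory"
    #    from their own login and injects it into alice's browser session,
    #    whose SP-side nonce differs (a login-CSRF style attack).
    attacker_nonce, victim_nonce = secrets.token_hex(8), secrets.token_hex(8)
    results["swapped_unprotected"] = verify_unprotected(issue_unprotected("mallory", sp), sp)
    results["swapped_protected"] = verify_protected(
        issue_protected("mallory", sp, attacker_nonce), sp, victim_nonce)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

In the unprotected variant the SP logs the victim's session in as "alice" after tampering and as "mallory" after the session swap; with the MAC bound to the SP and to the session nonce, both manipulations are rejected and only the honest exchange succeeds. The check is only as good as the secrecy of the key and the unpredictability of the nonce, and it does not by itself protect a credential that an attacker can read; confidentiality of the exchange still needs TLS on every leg.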



Acknowledgement

This work is supported by the “Strategic Priority Research Program” of the Chinese Academy of Sciences, Grant No. XDA06010701, the National Natural Science Foundation of China (Nos. 61402471, 61472414, 61170280), and IIE’s Cryptography Research Project. Thanks to Wei Yang for helping record the experiments. Thanks to a number of anonymous reviewers and Prof. Jian Liu, who gave us very useful feedback on a previous version of this paper.

Author information

Corresponding author: Zimu Yuan.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Li, M., Yang, L., Yuan, Z., Zhang, R., Xue, R. (2016). An Approach for Mitigating Potential Threats in Practical SSO Systems. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science, vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_13


  • DOI: https://doi.org/10.1007/978-3-319-38898-4_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-38897-7

  • Online ISBN: 978-3-319-38898-4
