DOI: 10.1145/2664168.2664172
Research article

Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud

Published: 07 November 2014

Abstract

Software-as-a-Service (SaaS) is typically defined as a rental model for using a complex software product that runs on a centralized computing platform and is accessed through a thin client (most frequently a web browser). As such, it is one of the major categories of Cloud Computing, besides IaaS and PaaS.
While there are many economic benefits in using SaaS, each company must nevertheless enforce control over its own data processed in the Cloud. One of the most important building blocks of such an enforcement scheme is identity management (idM), where the industry standard for idM is SAML, the Security Assertion Markup Language.
In this paper, we study the security of the SAML implementations of 22 cloud providers (CPs) and show that 90% of them can be broken, exposing company data to attackers on the Internet. The detected vulnerabilities are exploited by a wide variety of attack techniques, ranging from classical web attacks to problems specific to XML processing.



    Published In

    CCSW '14: Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security
    November 2014
    160 pages
    ISBN:9781450332392
    DOI:10.1145/2664168

Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. cloud computing
    2. cloud-sp
    3. saas
    4. saml
    5. service provider
    6. single sign-on
    7. software-as-a-service
    8. sso

Conference: CCS'14

    Acceptance Rates

    CCSW '14 Paper Acceptance Rate 12 of 36 submissions, 33%;
    Overall Acceptance Rate 37 of 108 submissions, 34%

Cited By

• (2024) SoK: SSO-MONITOR - The Current State and Future Research Directions in Single Sign-on Security Measurements. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pages 173-192. DOI: 10.1109/EuroSP60621.2024.00018. Online publication date: 8 Jul 2024.
• (2024) Formal Analysis of Multi-Factor Authentication Schemes in Digital Identity Cards. Software Engineering and Formal Methods, pages 423-440. DOI: 10.1007/978-3-031-77382-2_24. Online publication date: 26 Nov 2024.
• (2023) Every signature is broken. Proceedings of the 32nd USENIX Conference on Security Symposium, pages 7411-7428. DOI: 10.5555/3620237.3620652. Online publication date: 9 Aug 2023.
• (2018) Security analysis of eIDAS - the cross-country authentication scheme in Europe. Proceedings of the 12th USENIX Conference on Offensive Technologies, pages 15-15. DOI: 10.5555/3307423.3307438. Online publication date: 13 Aug 2018.
• (2018) drPass: A Dynamic and Reusable Password Generator Protocol. Information Systems Security, pages 407-426. DOI: 10.1007/978-3-030-05171-6_21. Online publication date: 5 Dec 2018.
• (2017) SoK: Single Sign-On Security — An Evaluation of OpenID Connect. 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pages 251-266. DOI: 10.1109/EuroSP.2017.32. Online publication date: Apr 2017.
• (2017) Review of the Main Security Threats and Challenges in Free-Access Public Cloud Storage Servers. Computer and Network Security Essentials, pages 263-281. DOI: 10.1007/978-3-319-58424-9_15. Online publication date: 13 Aug 2017.
• (2017) A Survey of Security Analysis in Federated Identity Management. Privacy and Identity Management. Facing up to Next Steps, pages 231-247. DOI: 10.1007/978-3-319-55783-0_16. Online publication date: 1 Apr 2017.
• (2016) Assessment and Authorization in Private Cloud Security. Security in the Private Cloud, pages 271-285. DOI: 10.1201/9781315372211-18. Online publication date: 12 Oct 2016.
• (2015) How to break XML encryption – automatically. Proceedings of the 9th USENIX Conference on Offensive Technologies, pages 11-11. DOI: 10.5555/2831211.2831222. Online publication date: 10 Aug 2015.
