DOI: 10.1145/2897845.2897874
Research article (ASIA CCS conference proceedings)

Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations

Published: 30 May 2016

ABSTRACT

Motivated by the prevalence of OAuth-related vulnerabilities in the wild, large-scale security testing of real-world OAuth 2.0 implementations has received increasing attention lately [31,37,42]. However, these existing works either rely on manual discovery of new vulnerabilities in OAuth 2.0 implementations or perform automated testing for specific, previously known vulnerabilities across a large number of OAuth implementations. In this work, we propose an adaptive model-based testing framework to perform automated, large-scale security assessments of OAuth 2.0 implementations in practice. Key advantages of our approach include (1) its ability to identify existing vulnerabilities and discover new ones in an automated manner; (2) improved testing coverage, as all possible execution paths within the scope of the model are checked; and (3) its ability to cater for the implementation differences of practical OAuth systems/applications, which enables the analyst to offload the manual effort of large-scale testing of OAuth implementations. We have designed and implemented OAuthTester to realize our proposed framework. Using OAuthTester, we examine the implementations of 4 major Identity Providers as well as 500 top-ranked US and Chinese websites which use the OAuth-based Single-Sign-On service provided by the former. Our empirical findings demonstrate the efficacy of adaptive model-based testing on OAuth 2.0 deployments at scale. More importantly, OAuthTester not only manages to rediscover various existing vulnerabilities but also identifies several previously unknown security flaws and new exploits for a large number of real-world applications implementing OAuth 2.0.

References

  1. R. Abela. HTTP Fuzzer. Acunetix.
  2. J. Antunes and N. Neves. Automatically complementing protocol specifications from network traces. In Proceedings of the 13th European Workshop on Dependable Computing. ACM, 2011.
  3. A. Armando, R. Carbone, L. Compagna, J. Cuellar, and L. Tobarra. Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google apps. In Proceedings of the ACM Workshop on Formal Methods in Security Engineering, 2008.
  4. G. Bai, J. Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. S. Dong. AuthScan: Automatic extraction of web authentication protocols from implementations. In NDSS, 2013.
  5. C. Bansal, K. Bhargavan, and S. Maffeis. Discovering concrete attacks on website authorization by formal analysis. In CSF, 2012.
  6. A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In CCS. ACM, 2008.
  7. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In S&P, 2015.
  8. S. Chari, C. S. Jutla, and A. Roy. Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive, 2011.
  9. E. Y. Chen, S. Chen, S. Qadeer, and R. Wang. Securing multiparty online services via certification of symbolic transactions. 2015.
  10. E. Y. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague. OAuth demystified for mobile application developers. In CCS. ACM, 2014.
  11. P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda. Prospex: Protocol specification extraction. In S&P. IEEE, 2009.
  12. A. C. Dias Neto, R. Subramanyan, M. Vieira, and G. H. Travassos. A survey on model-based testing approaches: a systematic review. In Proceedings of the ACM International Workshop on Empirical Assessment of Software Engineering Languages and Technologies, 2007.
  13. A. Doupé, L. Cavedon, C. Kruegel, and G. Vigna. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security, 2012.
  14. J. Ernits, R. Roo, J. Jacky, and M. Veanes. Model-based testing of web applications using NModel. Springer, 2009.
  15. J. Ernits, M. Veanes, and J. Helander. Model-based testing of robots with NModel. Proc. Microsoft Research, 2008.
  16. D. Fett, R. Kusters, and G. Schmitz. An expressive model for the web infrastructure: Definition and application to the BrowserID SSO system. In S&P. IEEE, 2014.
  17. K. Gibbons, J. O. Raw, and K. Curran. Security evaluation of the OAuth 2.0 framework. Information Management and Computer Security, 22(3), 2014.
  18. D. Hardt. RFC 6749: The OAuth 2.0 authorization framework. 2012.
  19. E. Homakov. The Achilles Heel of OAuth or Why Facebook Adds Special Fragment.
  20. E. Homakov. The most common OAuth2 vulnerability. http://homakov.blogspot.hk/2012/07/saferweb-most-common-oauth2.html.
  21. P. Hu, R. Yang, Y. Li, and W. C. Lau. Application impersonation: problems of OAuth and API design in online social networks. In Proceedings of the ACM Conference on Online Social Networks, 2014.
  22. J. Jacky. PyModel: Model-based testing in Python. In Proceedings of the Python for Scientific Computing Conference, 2011.
  23. J. Jacky, M. Veanes, C. Campbell, and W. Schulte. Model-based software testing and analysis with C#. Cambridge University Press, 2007.
  24. W. Jing. Covert redirect attack. http://tetraph.com/covert_redirect.
  25. C. Leita, K. Mermoud, and M. Dacier. ScriptGen: an automated script generation tool for honeyd. In Computer Security Applications Conference, 21st Annual. IEEE, 2005.
  26. T. Lodderstedt, M. McGloin, and P. Hunt. RFC 6819: OAuth 2.0 threat model and security considerations. 2013.
  27. G. Maatoug, F. Dadeau, and M. Rusinowitch. Model-based vulnerability testing of payment protocol implementations. In HotSpot'14: 2nd Workshop on Hot Issues in Security Principles and Trust, 2014.
  28. B. Marczak, N. Weaver, J. Dalek, R. Ensafi, D. Fifield, S. McKune, A. Rey, J. Scott-Railton, R. Deibert, and V. Paxson. China's Great Cannon. Citizen Lab, 2015.
  29. M. Miculan and C. Urban. Formal analysis of Facebook Connect Single Sign-On authentication protocol. In SOFSEM, 2011.
  30. B. Muthukadan. Selenium with Python.
  31. OAuth.io. CasperJS Automated Testing for the OAuth Flow.
  32. OWASP. Fuzzing with WebScarab.
  33. S. Pai, Y. Sharma, S. Kumar, R. M. Pai, and S. Singh. Formal verification of OAuth 2.0 using Alloy framework. In Communication Systems and Network Technologies (CSNT). IEEE, 2011.
  34. G. Pellegrino and D. Balzarotti. Toward black-box detection of logic flaws in web applications. In NDSS, 2014.
  35. C. Schulze, D. Ganesan, M. Lindvall, R. Cleaveland, and D. Goldman. Assessing model-based testing: an empirical study conducted in industry. In Companion Proceedings of the International Conference on Software Engineering. ACM, 2014.
  36. E. Shernan, H. Carter, D. Tian, P. Traynor, and K. Butler. More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In Detection of Intrusions and Malware, and Vulnerability Assessment, 2015.
  37. S.-T. Sun and K. Beznosov. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In CCS, 2012.
  38. S.-T. Sun, K. Hawkey, and K. Beznosov. Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security, 2012.
  39. R. Wang, S. Chen, and X. Wang. Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services. In S&P, 2012.
  40. R. Wang, Y. Zhou, S. Chen, S. Qadeer, D. Evans, and Y. Gurevich. Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization. In USENIX Security, 2013.
  41. L. Xing, Y. Chen, X. Wang, and S. Chen. InteGuard: Toward automatic protection of third-party web service integrations. In NDSS, 2013.
  42. Y. Zhou and D. Evans. SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities. In USENIX Security, 2014.

Published in

ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
May 2016, 958 pages
ISBN: 9781450342339
DOI: 10.1145/2897845

Copyright © 2016 ACM
Publisher: Association for Computing Machinery, New York, NY, United States
Acceptance rates: ASIA CCS '16 paper acceptance rate 73 of 350 submissions (21%); overall acceptance rate 418 of 2,322 submissions (18%).