149 research outputs found
Recommended from our members
Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user’s OAuth 2.0 code (a token representing a right to access user data) without the user’s knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks
Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
Single Sign-On (SSO) systems simplify login procedures by using an an
Identity Provider (IdP) to issue authentication tokens which can be consumed by
Service Providers (SPs). Traditionally, IdPs are modeled as trusted third
parties. This is reasonable for SSO systems like Kerberos, MS Passport and
SAML, where each SP explicitely specifies which IdP he trusts. However, in open
systems like OpenID and OpenID Connect, each user may set up his own IdP, and a
discovery phase is added to the protocol flow. Thus it is easy for an attacker
to set up its own IdP. In this paper we use a novel approach for analyzing SSO
authentication schemes by introducing a malicious IdP. With this approach we
evaluate one of the most popular and widely deployed SSO protocols - OpenID. We
found four novel attack classes on OpenID, which were not covered by previous
research, and show their applicability to real-life implementations. As a
result, we were able to compromise 11 out of 16 existing OpenID implementations
like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks
in a open source tool OpenID Attacker, which additionally allows fine-granular
testing of all parameters in OpenID implementations. Our research helps to
better understand the message flow in the OpenID protocol, trust assumptions in
the different components of the system, and implementation issues in OpenID
components. It is applicable to other SSO systems like OpenID Connect and SAML.
All OpenID implementations have been informed about their vulnerabilities and
we supported them in fixing the issues
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to
relying party (RP) websites supporting the Google OpenID Connect service.
OpenID Connect, a newly standardised single-sign-on protocol, builds an
identity layer on top of the OAuth 2.0 protocol, which has itself been widely
adopted to support identity management services. It adds identity management
functionality to the OAuth 2.0 system and allows an RP to obtain assurances
regarding the authenticity of an end user. A number of authors have analysed
the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in
practice remains an open question. We report on a large-scale practical study
of Google's implementation of OpenID Connect, involving forensic examination of
103 RP websites which support its use for sign-in. Our study reveals serious
vulnerabilities of a number of types, all of which allow an attacker to log in
to an RP website as a victim user. Further examination suggests that these
vulnerabilities are caused by a combination of Google's design of its OpenID
Connect service and RP developers making design decisions which sacrifice
security for simplicity of implementation. We also give practical
recommendations for both RPs and OPs to help improve the security of real world
OpenID Connect systems
"Sign in with ... Privacy'': Timely Disclosure of Privacy Differences among Web SSO Login Options
The number of login options on web sites has increased since the introduction
of web single sign-on (SSO) protocols. Web SSO services allow users to grant
web sites or relying parties (RPs) access to their personal profile information
from identity provider (IdP) accounts. Many RP sites do not provide sufficient
privacy information that could help users make informed login decisions.
Moreover, privacy differences in permission requests across login options are
largely hidden from users and are time-consuming to manually extract and
compare. In this paper, we present an empirical analysis of popular RP
implementations supporting three major IdP login options (Facebook, Google, and
Apple) and categorize RPs in the top 500 sites into four client-side code
patterns. Informed by these RP patterns, we design and implement SSOPrivateEye
(SPEye), a browser extension prototype that extracts and displays to users
permission request information from SSO login options in RPs covering the three
IdPs
Automated Security Testing for Identity Management of Large-scale Digital Infrastructures
Ensuring the security of an organization's digital assets against cyber threats is critical in today's technology-driven world. Regular security testing is one of the measures that can help assess the effectiveness of security controls, identify vulnerabilities, and strengthen the overall cybersecurity posture. Identity Management (IdM) protocols such as Security Assertion Markup Language 2.0, OpenID Connect, and OAuth 2.0 play a crucial role in protecting against identity theft, fraud, and security breaches. Also, following the Best Current Practices introduced by the standards to enhance the security of IdM protocols is essential to minimize the risk of unauthorized access, data breaches, and other security threats and to maintain compliance with regulatory requirements, and build trust with users and stakeholders. However, deploying these protocols can be challenging due to the complexity in designing, developing and implementing cryptographic mechanisms. The implementation of IdM protocols encounters three significant obstacles: fragmented security information, rapidly evolving threat environment, and the need for a controlled testing environment. Security testers must stay up-to-date with emerging threats and establish an appropriate testing infrastructure to guarantee the security and robustness of IdM implementations, while also minimizing the possibility of security incidents that could adversely affect operations. Automated security testing plays a crucial role in addressing security concerns, particularly as the intricate functional aspects of IdM solutions contribute to their complexity. It is essential to prioritize automation to bridge the cybersecurity skills gap among IT professionals.
In this thesis, we propose Micro-Id-Gym (MIG), a framework that offers (i) an easy way to configure and reproduce the IdM production environment in a sandbox, allowing hands-on experiences with potentially impactful security tests that may winder availability of services and (ii) automatic security testing of IdM implementations together with suggestions for mitigations to avoid identified vulnerabilities. MIG provides a set of security testing tools for creating, executing, and analyzing security test cases through MIG-L, a declarative test specification language. We have evaluated the effectiveness of MIG by conducting experiments to assess the accuracy in supporting detection of relevant vulnerabilities in the implementation of IdM protocols. We utilized MIG to conduct security analyses across various corporate scenarios and projects, identifying vulnerabilities and responsibly disclosing them through bug bounty programs. Our findings were recognized by the providers, who awarded us both monetary compensation and public recognition. Overall, MIG can help organizations establish a robust and agile security testing strategy, supported by suitable infrastructure and testing procedures, that can ensure the security and resilience of their IdM implementations
- …