Automatic recognition, processing and attacking of single sign-on protocols with Burp Suite

SAML, Mozilla BrowserID, OpenID, OpenID Connect, Facebook Connect, Microsoft Account, OAuth: today's web applications support a large set of Single Sign-On (SSO) solutions. Some of them share common properties and behavior, others are completely different. This paper gives an overview of modern SSO protocols. We classify them into two groups and show how to distinguish them from each other. We provide EsPReSSO, an open source Burp Suite plugin that identifies SSO protocols automatically in a browser's HTTP traffic and helps penetration testers and security auditors manipulate SSO flows easily.
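
The kind of protocol recognition the abstract describes, as an added illustration that is not EsPReSSO's code: each SSO protocol leaves characteristic parameter names in the HTTP request, so a proxy can tag traffic by inspecting query and form parameters. The detection rules, the sample requests and the "~"-separated BrowserID assertion layout are assumptions made for this example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample (url, body) pairs standing in for proxied browser traffic.
SAMPLE_REQUESTS = [
    ("https://idp.example/sso?SAMLRequest=fZFBa8Iw&RelayState=s1", ""),
    ("https://sp.example/acs", "SAMLResponse=PHNhbWxwOlJl&RelayState=s1"),
    ("https://rp.example/cb?openid.mode=id_res&openid.claimed_id=https%3A%2F%2Fop.example%2Fu", ""),
    ("https://op.example/authorize?response_type=code+id_token&client_id=app1&scope=openid+email", ""),
    ("https://as.example/authorize?response_type=code&client_id=app2&scope=photos", ""),
    ("https://rp.example/browserid", "assertion=eyJjZXJ0~eyJhc3NlcnQ"),
    ("https://shop.example/cart?item=42", ""),
]

def extract_params(url, body=""):
    # Merge URL query parameters with form-encoded body parameters.
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return params

def identify_sso(url, body=""):
    # Return the SSO protocol a request belongs to, or None for ordinary traffic.
    p = extract_params(url, body)
    # SAML: the message travels in SAMLRequest/SAMLResponse (redirect or POST binding).
    if "SAMLRequest" in p or "SAMLResponse" in p:
        return "SAML"
    # OpenID 2.0: every protocol parameter carries the "openid." prefix.
    if any(key.startswith("openid.") for key in p):
        return "OpenID"
    # BrowserID (assumption): a backed assertion is "cert~...~assertion".
    if "assertion" in p and "~" in p["assertion"][0]:
        return "BrowserID"
    # OAuth family: client_id plus response_type (authorization) or grant_type (token).
    if "client_id" in p and ("response_type" in p or "grant_type" in p):
        scopes = " ".join(p.get("scope", [])).split()
        response_types = " ".join(p.get("response_type", [])).split()
        # OpenID Connect layers on OAuth 2.0: "openid" scope or an id_token response.
        if "openid" in scopes or "id_token" in response_types:
            return "OpenID Connect"
        return "OAuth 2.0"
    return None

def classify_traffic(requests):
    # Tag every captured request; unrecognised ones are left out of the report.
    return [(url, proto) for url, body in requests
            if (proto := identify_sso(url, body)) is not None]
```

Run `classify_traffic(SAMPLE_REQUESTS)` to get one (url, protocol) pair per recognised request; the plain shop request produces no entry.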
