DOI: 10.1145/2897845.2897874 (research article, ASIA CCS '16)

Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations

Published: 30 May 2016

Abstract

Motivated by the prevalence of OAuth-related vulnerabilities in the wild, large-scale security testing of real-world OAuth 2.0 implementations has received increasing attention lately [31,37,42]. However, these existing works either rely on manual discovery of new vulnerabilities in OAuth 2.0 implementations or perform automated testing for specific, previously known vulnerabilities across a large number of OAuth implementations. In this work, we propose an adaptive model-based testing framework to perform automated, large-scale security assessments of OAuth 2.0 implementations in practice. Key advantages of our approach include (1) its ability to identify existing vulnerabilities and discover new ones in an automated manner; (2) improved testing coverage, as all possible execution paths within the scope of the model are checked; and (3) its ability to cater for the implementation differences of practical OAuth systems/applications, which lets the analyst offload the manual effort of large-scale testing of OAuth implementations. We have designed and implemented OAuthTester to realize our proposed framework. Using OAuthTester, we examine the implementations of 4 major Identity Providers as well as 500 top-ranked US and Chinese websites which use the OAuth-based Single Sign-On service provided by the former. Our empirical findings demonstrate the efficacy of adaptive model-based testing on OAuth 2.0 deployments at scale. More importantly, OAuthTester not only manages to rediscover various existing vulnerabilities but also identifies several previously unknown security flaws and new exploits for a large number of real-world applications implementing OAuth 2.0.
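The testing idea the abstract sketches, as an added Python illustration (not code from the paper, and not OAuthTester's own model or oracles): an executable model of a Relying Party and an Identity Provider, a set of guarded user/attacker actions, bounded exhaustive exploration of every enabled action sequence, and security oracles checked after each step. The `check_state` and `single_use` switches, the action names and the two-principal setup are assumptions of this example; the two oracles (a forged callback must not log a session in as someone else, and an authorization code must not be redeemed twice) are generic concerns from the RFC 6819 threat model [26], not findings about any particular provider or website.

```python
"""Toy model-based security test of the OAuth 2.0 authorization-code flow.

Added example, not the paper's OAuthTester. A small executable model of a Relying Party (RP)
and an Identity Provider (IdP) is explored exhaustively up to a bounded depth, and two oracles
drawn from the RFC 6819 threat model are checked after every transition:
  O1  an RP session is never logged in as a principal other than the one who started it
      (the login-CSRF class of bug that the `state` parameter exists to prevent);
  O2  an authorization code is never redeemed more than once.
Action names, the check_state / single_use switches and the two principals are assumptions.
"""


class IdP:  # minimal authorization server: issues codes, redeems them at the token endpoint
    def __init__(self, single_use):
        self.single_use = single_use  # False models an IdP that accepts replayed codes
        self.codes, self.redemptions, self._n = {}, {}, 0

    def authorize(self, user):
        self._n += 1
        code = f"c{self._n}"
        self.codes[code], self.redemptions[code] = user, 0
        return code

    def token(self, code):
        if code not in self.codes or (self.single_use and self.redemptions[code]):
            return None
        self.redemptions[code] += 1
        return self.codes[code]


class RP:  # minimal client: one pending `state` nonce and one login per browser session
    def __init__(self, idp, check_state):
        self.idp, self.check_state = idp, check_state  # False models the common missing check
        self.pending, self.logged_in, self._n = {}, {}, 0

    def start_login(self, session):
        self._n += 1
        self.pending[session] = f"st{self._n}"
        return self.pending[session]

    def callback(self, session, code, state):
        # A state mismatch means this session never asked for the code: refuse to exchange it.
        user = None if self.check_state and self.pending.get(session) != state else self.idp.token(code)
        if user is not None:
            self.logged_in[session] = user
        return user is not None


class World:  # global model state; browser sessions are named after their owners
    def __init__(self, check_state, single_use):
        self.idp = IdP(single_use)
        self.rp = RP(self.idp, check_state)
        self.ua = {"victim": {}, "attacker": {}}  # what each user agent currently holds


def actions():
    """Guarded transitions: name -> (enabled(w), effect(w)). Guards prune the search space."""
    acts = {}
    for p in ("victim", "attacker"):
        acts[f"{p}_starts_login"] = (
            lambda w, p=p: "state" not in w.ua[p],
            lambda w, p=p: w.ua[p].update(state=w.rp.start_login(p)))
        acts[f"{p}_authorizes_at_idp"] = (  # user consents; the code lands in the user's own browser
            lambda w, p=p: "state" in w.ua[p] and "code" not in w.ua[p],
            lambda w, p=p: w.ua[p].update(code=w.idp.authorize(p)))
        acts[f"{p}_delivers_code_to_rp"] = (  # browser follows the redirect to the RP callback
            lambda w, p=p: "code" in w.ua[p] and p not in w.rp.logged_in,
            lambda w, p=p: w.rp.callback(p, w.ua[p]["code"], w.ua[p]["state"]))
    atk = lambda w: w.ua["attacker"]  # noqa: E731
    acts["attacker_csrfs_victim_callback"] = (  # victim's browser is made to submit the attacker's code+state
        lambda w: "code" in atk(w) and "victim" not in w.rp.logged_in,
        lambda w: w.rp.callback("victim", atk(w)["code"], atk(w)["state"]))
    acts["attacker_replays_own_code"] = (  # re-sends a code the IdP has already redeemed once
        lambda w: w.idp.redemptions.get(atk(w).get("code"), 0) >= 1,
        lambda w: w.rp.callback("attacker", atk(w)["code"], atk(w)["state"]))
    return acts


def oracle(w):  # security properties violated in the current state
    bad = [f"O1: session {s} logged in as {u}" for s, u in w.rp.logged_in.items() if u != s]
    return bad + [f"O2: code {c} redeemed {n} times" for c, n in w.idp.redemptions.items() if n > 1]


def explore(check_state, single_use, max_depth=6):
    """Bounded exhaustive DFS over enabled action sequences; every prefix is replayed from a
    fresh World, so no state copying is needed. Returns (violating traces, paths visited)."""
    acts, found, visited = actions(), [], 0

    def dfs(trace):
        nonlocal visited
        w = World(check_state, single_use)
        for name in trace:
            acts[name][1](w)
        visited += 1
        bad = oracle(w)
        if bad:  # record the counterexample; a failing trace is not extended further
            found.append((tuple(trace), bad))
        elif len(trace) < max_depth:
            for name, (enabled, _) in acts.items():
                if enabled(w):
                    dfs(trace + [name])

    dfs([])
    return found, visited


def shortest_failing_trace(check_state, single_use):
    """Minimal counterexample for an RP/IdP configuration, or None when none is found."""
    found, _ = explore(check_state, single_use)
    return min((t for t, _ in found), key=len) if found else None
```

`shortest_failing_trace(False, True)` returns the three-step login-CSRF trace (attacker starts a login, obtains a code, and drives the victim's browser to the callback with it), `shortest_failing_trace(True, False)` returns the four-step code-replay trace against the IdP, and `shortest_failing_trace(True, True)` returns `None`. The search, not the analyst, decides which interleavings to try, which is what "all execution paths within the scope of the model" buys over a fixed list of previously known attacks; the configuration switches stand in for the implementation differences between real deployments that the model has to accommodate.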

References

[1] R. Abela. HTTP Fuzzer. Acunetix.
[2] J. Antunes and N. Neves. Automatically complementing protocol specifications from network traces. In Proceedings of the 13th European Workshop on Dependable Computing. ACM, 2011.
[3] A. Armando, R. Carbone, L. Compagna, J. Cuellar, and L. Tobarra. Formal analysis of SAML 2.0 web browser single sign-on: Breaking the SAML-based single sign-on for Google Apps. In Proceedings of the ACM Workshop on Formal Methods in Security Engineering (FMSE), 2008.
[4] G. Bai, J. Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. S. Dong. AuthScan: Automatic extraction of web authentication protocols from implementations. In NDSS, 2013.
[5] C. Bansal, K. Bhargavan, and S. Maffeis. Discovering concrete attacks on website authorization by formal analysis. In CSF, 2012.
[6] A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In CCS. ACM, 2008.
[7] B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In S&P. IEEE, 2015.
[8] S. Chari, C. S. Jutla, and A. Roy. Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive, 2011.
[9] E. Y. Chen, S. Chen, S. Qadeer, and R. Wang. Securing multiparty online services via certification of symbolic transactions. 2015.
[10] E. Y. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague. OAuth demystified for mobile application developers. In CCS. ACM, 2014.
[11] P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda. Prospex: Protocol specification extraction. In S&P. IEEE, 2009.
[12] A. C. Dias Neto, R. Subramanyan, M. Vieira, and G. H. Travassos. A survey on model-based testing approaches: A systematic review. In Proceedings of the ACM International Workshop on Empirical Assessment of Software Engineering Languages and Technologies, 2007.
[13] A. Doupé, L. Cavedon, C. Kruegel, and G. Vigna. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security, 2012.
[14] J. Ernits, R. Roo, J. Jacky, and M. Veanes. Model-based testing of web applications using NModel. Springer, 2009.
[15] J. Ernits, M. Veanes, and J. Helander. Model-based testing of robots with NModel. Microsoft Research, 2008.
[16] D. Fett, R. Küsters, and G. Schmitz. An expressive model for the web infrastructure: Definition and application to the BrowserID SSO system. In S&P. IEEE, 2014.
[17] K. Gibbons, J. O. Raw, and K. Curran. Security evaluation of the OAuth 2.0 framework. Information Management and Computer Security, 22(3), 2014.
[18] D. Hardt. RFC 6749: The OAuth 2.0 authorization framework. 2012.
[19] E. Homakov. The Achilles heel of OAuth, or why Facebook adds a special fragment.
[20] E. Homakov. The most common OAuth2 vulnerability. http://homakov.blogspot.hk/2012/07/saferweb-most-common-oauth2.html
[21] P. Hu, R. Yang, Y. Li, and W. C. Lau. Application impersonation: Problems of OAuth and API design in online social networks. In Proceedings of the ACM Conference on Online Social Networks (COSN), 2014.
[22] J. Jacky. PyModel: Model-based testing in Python. In Proceedings of the Python for Scientific Computing Conference (SciPy), 2011.
[23] J. Jacky, M. Veanes, C. Campbell, and W. Schulte. Model-Based Software Testing and Analysis with C#. Cambridge University Press, 2007.
[24] W. Jing. Covert redirect attack. http://tetraph.com/covert_redirect
[25] C. Leita, K. Mermoud, and M. Dacier. ScriptGen: An automated script generation tool for honeyd. In 21st Annual Computer Security Applications Conference (ACSAC). IEEE, 2005.
[26] T. Lodderstedt, M. McGloin, and P. Hunt. RFC 6819: OAuth 2.0 threat model and security considerations. 2013.
[27] G. Maatoug, F. Dadeau, and M. Rusinowitch. Model-based vulnerability testing of payment protocol implementations. In HotSpot'14: 2nd Workshop on Hot Issues in Security Principles and Trust, 2014.
[28] B. Marczak, N. Weaver, J. Dalek, R. Ensafi, D. Fifield, S. McKune, A. Rey, J. Scott-Railton, R. Deibert, and V. Paxson. China's Great Cannon. Citizen Lab, 2015.
[29] M. Miculan and C. Urban. Formal analysis of Facebook Connect single sign-on authentication protocol. In SOFSEM, 2011.
[30] B. Muthukadan. Selenium with Python.
[31] OAuth.io. CasperJS automated testing for the OAuth flow.
[32] OWASP. Fuzzing with WebScarab.
[33] S. Pai, Y. Sharma, S. Kumar, R. M. Pai, and S. Singh. Formal verification of OAuth 2.0 using Alloy framework. In Communication Systems and Network Technologies (CSNT). IEEE, 2011.
[34] G. Pellegrino and D. Balzarotti. Toward black-box detection of logic flaws in web applications. In NDSS, 2014.
[35] C. Schulze, D. Ganesan, M. Lindvall, R. Cleaveland, and D. Goldman. Assessing model-based testing: An empirical study conducted in industry. In Companion Proceedings of the International Conference on Software Engineering (ICSE). ACM, 2014.
[36] E. Shernan, H. Carter, D. Tian, P. Traynor, and K. Butler. More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2015.
[37] S.-T. Sun and K. Beznosov. The devil is in the (implementation) details: An empirical analysis of OAuth SSO systems. In CCS, 2012.
[38] S.-T. Sun, K. Hawkey, and K. Beznosov. Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security, 2012.
[39] R. Wang, S. Chen, and X. Wang. Signing me onto your accounts through Facebook and Google: A traffic-guided security study of commercially deployed single-sign-on web services. In S&P, 2012.
[40] R. Wang, Y. Zhou, S. Chen, S. Qadeer, D. Evans, and Y. Gurevich. Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization. In USENIX Security, 2013.
[41] L. Xing, Y. Chen, X. Wang, and S. Chen. InteGuard: Toward automatic protection of third-party web service integrations. In NDSS, 2013.
[42] Y. Zhou and D. Evans. SSOScan: Automated testing of web applications for single sign-on vulnerabilities. In USENIX Security, 2014.

Cited By (selection shown on the publisher page)

  • 5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions. Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2024, pp. 66-77. doi:10.1145/3643833.3656134
  • 5G-WAVE: A Core Network Framework with Decentralized Authorization for Network Slices. IEEE INFOCOM 2024, pp. 2308-2317. doi:10.1109/INFOCOM52122.2024.10621131
  • SoK: SSO-MONITOR - The Current State and Future Research Directions in Single Sign-on Security Measurements. IEEE EuroS&P 2024, pp. 173-192. doi:10.1109/EuroSP60621.2024.00018
  • CSRFing the SSO Waves: Security Testing of SSO-Based Account Linking Process. IEEE EuroS&P 2024, pp. 139-154. doi:10.1109/EuroSP60621.2024.00016
  • A study of multi-factor and risk-based authentication availability. Proceedings of the 32nd USENIX Security Symposium, 2023, pp. 2043-2060. doi:10.5555/3620237.3620352
  • Formal Analysis of Access Control Mechanism of 5G Core Network. ACM CCS 2023, pp. 666-680. doi:10.1145/3576915.3623113
  • Enhancing OAuth With Blockchain Technologies for Data Portability. IEEE Transactions on Cloud Computing 11(1), 2023, pp. 349-366. doi:10.1109/TCC.2021.3094846
  • The Grant Negotiation and Authorization Protocol: Attacking, Fixing, and Verifying an Emerging Standard. ESORICS 2023, pp. 222-242. doi:10.1007/978-3-031-51479-1_12
  • DISTINCT. ACM CCS 2022, pp. 1553-1567. doi:10.1145/3548606.3560692
  • Cerberus. ACM CCS 2022, pp. 2459-2473. doi:10.1145/3548606.3559381

Published In

ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, May 2016, 958 pages. ISBN 9781450342339. DOI 10.1145/2897845.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: oauth 2.0; security testing; single sign-on


Acceptance Rates

ASIA CCS '16 paper acceptance rate: 73 of 350 submissions, 21%. Overall acceptance rate: 418 of 2,322 submissions, 18%.
