We apologize for a recent technical issue with our email system, which temporarily affected account activations. Accounts have now been activated. Authors may proceed with paper submissions. PhDFocusTM
CFP last date
20 December 2024
Call for Paper
January Edition
IJCA solicits high quality original research papers for the upcoming January edition of the journal. The last date of research paper submission is 20 December 2024

Submit your paper
Know more
The week's pick
Responsive image
Improved Shuffled Frog Leaping Algorithm with Self-Adaptive Shuffling for Fuzzy Logic PD+G Controller Optimization in Robotic Manipulators

Duc Hoang Nguyen
Random Articles
Reseach Article

WSASRESSO - A Novel Framework for Analysis of SAML based SSO Protocols using Black Box Penetration Testing

by Shymala Gowri Selvaganapathy, Nivaashini Mathappan, Hema Priya Natarajan, Sasidharan R.
journal cover thumbnail

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 174 - Number 1
Year of Publication: 2017
Authors: Shymala Gowri Selvaganapathy, Nivaashini Mathappan, Hema Priya Natarajan, Sasidharan R.
10.5120/ijca2017915304

Shymala Gowri Selvaganapathy, Nivaashini Mathappan, Hema Priya Natarajan, Sasidharan R. . WSASRESSO - A Novel Framework for Analysis of SAML based SSO Protocols using Black Box Penetration Testing. International Journal of Computer Applications. 174, 1 ( Sep 2017), 21-28. DOI=10.5120/ijca2017915304

@article{ 10.5120/ijca2017915304,
author = { Shymala Gowri Selvaganapathy, Nivaashini Mathappan, Hema Priya Natarajan, Sasidharan R. },
title = { WSASRESSO - A Novel Framework for Analysis of SAML based SSO Protocols using Black Box Penetration Testing },
journal = { International Journal of Computer Applications },
issue_date = { Sep 2017 },
volume = { 174 },
number = { 1 },
month = { Sep },
year = { 2017 },
issn = { 0975-8887 },
pages = { 21-28 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume174/number1/28372-2017915304/ },
doi = { 10.5120/ijca2017915304 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-07T00:21:00.746919+05:30
%A Shymala Gowri Selvaganapathy
%A Nivaashini Mathappan
%A Hema Priya Natarajan
%A Sasidharan R.
%T WSASRESSO - A Novel Framework for Analysis of SAML based SSO Protocols using Black Box Penetration Testing
%J International Journal of Computer Applications
%@ 0975-8887
%V 174
%N 1
%P 21-28
%D 2017
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Single Sign-On (SSO) is a simplified approach which relieves users from the burden of dealing with multiple credentials but at the same time presents new security challenges. With three different parties participating in the authentication process, SSO solutions involve different layers of communication and exchange of credentials that are enabled by using HTTP redirection and JavaScript, which creates several vulnerabilities for attackers to exploit and makes SSO a launch pad for typical attacks. A formal method is needed to evaluate the flaws in the SSO protocol implementation. The security service Availability is important to ensure that the information concerned is readily accessible to the authorized persons; here the problem of Violation of Availability in SSO is addressed. This work WSASRESSO provides a framework which evaluates SAML based SSO protocols using Burp suite extension with a combination of EsPReSSO algorithm for identification of the SSO protocols along with SAML Raider for fetching the protocol infrastructure details and integration of WS-Attacker to perform black box penetration testing. Since new types of SSO attacks are evolving over time, the proposed security framework can be used to find the strength of the SSO protocols. Here, signature based attacks like XML Signature Wrapping and XML Signature Faking attacks have been simulated and tested which can be categorized under Phishing attacks.

References
  1. Christian Mainka, Vladislav Mladenov, Tim Guenther, Jörg Schwenk, “Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite,” Open Identity Summit, 2015.
  2. Yuchen Zhou, David Evans, “SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities,” 23rd USENIX Security Symposium, 2014.
  3. R. Wang, S. Chen and X. Wang, "Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services," Security and Privacy(SP), IEEE Symposium, 2012.
  4. Jacob Bellamy-McIntyre, Christof Luterroth, Gerald Weber, “OpenID and the Enterprise: A Model-based Analysis of Single Sign-On Authentication”. 15th IEEE International, 2011.
  5. Falkenberg. A., Maink. C, Somorovsky. J, Schwenk. J, "A New Approach towards DoS Penetration Testing on Web Services," IEEE 20th International Conference on Web Services (ICWS), 2013, pp.491,498.
  6. The OAuth 2.0 Authorization Framework (2015), ECMA International ECMA -262. Available: http://www.ecma-international.org/publications/files/EC MA -ST/Ecma-262.pdf.
  7. E. A. N. Sakimura, J. Bradley (2014), OpenID Connect Core 1.0 incorporating errata set 1, OpenID Foundation OpenID Connect 1.0. Available: http://openid.net/specs/openid-connect-core-1_0.html.s
  8. Mainka, Christian, and Mladenov, Vladislav and Feldmann, Florian and Krautwald, Julian and Schwenk, Jörg, "Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud," Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security, 2014.
  9. S. Gajek, M. Jensen, L. Liao, and J. Schwenk, "Analysis of signature wrapping attacks and countermeasures," IEEE International Conference on Web Services, 2009, pp. 575–582.
  10. J. Rzeniewicz (July 2015), “Log Me In with Facebook: Security Analysis of Facebook Connect,”.
  11. Microsoft, “Microsoft Account,” Available: https://account.microsoft.com/about.
  12. R. P. Scott Cantor, John Kemp (2005), “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0,” Mar. Available: http://docs.oasis-open.org/security/saml/v2.0/.
  13. D. Fett, R. Küsters, and G. Schmitz (2014), “An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System,” IEEE Computer Society, 2014, pp. 673–688.
  14. JohnBarber, “SAMLyze,” Available: https://www.blackhat.com/us15/arsenal.html.
  15. Roland Bischofberger, Emanuel Duss, “SAML Raider - SAML2 Burp Extension,” Available: https://github.com/SAMLRaider/SAMLRaider.
  16. PortSwigger, “Burp Suite API,” Available: http://portswigger.net/Burp.
  17. Authentication SSO Protocol, Available: https://auth0.com/docs/sso/ single-sign-on.
  18. OpenID - A Descriptive Document, Available: http://openid.net/get-an-openid/what-is-openid.
  19. OpenID Specification, Available: https://openid.net/specs/openid-authentication-2_0.html.
  20. Security Assertion Markup Language (SAML) V2.0 Technical Overview http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.
  21. OASIS Security Services (SAML) TC https://www.oasis-open.org/committees/security/ipr.php.
Index Terms

Computer Science
Information Sciences

Keywords

Single Sign-On Protocol Vulnerabilities WSASRESSO Burp Suite EsPReSSO SAML Attacker.

Powered by PhDFocusTM