MOSCAN: A Model-based Vulnerability Scanner for Web Single Sign-on Services
Fri 16 Jul 2021 09:05 - 09:40 at ISSTA Demos - ISSTA Tool Demos (Live Discussion) 3 Chair(s): Michael Pradel
Various third-party single sign-on (SSO) services (e.g., Facebook Login and Twitter Login) are widely deployed by web applications, and security issues arise when integrating these services. In this work, we develop MOSCAN, a model-based scanner for detecting and reporting security vulnerabilities in SSO implementations. MOSCAN takes as input a state machine, built from an SSO standard and an empirical study, that represents the participants' states and transitions during the login process. It analyzes network traces captured while the SSO services execute. We evaluate MOSCAN on 23 real-world websites that integrate the Facebook SSO service to test its capability of identifying security vulnerabilities. It finds three known weaknesses and one new logic fault, showing a new perspective on testing stateful protocol implementations such as SSO services. To show the adaptability of MOSCAN's state machine, we also test it on another SSO service. Our demonstration is available at https://youtu.be/HI3S9IaUDGU. Our code is available at https://github.com/baigd/moscan.
Fri 16 Jul. Displayed time zone: Brussels, Copenhagen, Madrid, Paris.
01:05 - 01:40 | ISSTA Tool Demos (Live Discussion) 2 (Tool Demonstrations at ISSTA Demos). Chair(s): August Shi, University of Texas at Austin
01:05 (35m, Live Q&A) | MOSCAN: A Model-based Vulnerability Scanner for Web Single Sign-on Services (Tool Demonstrations). Hanlin Wei (The University of Queensland), Behnaz Hassanshahi (Oracle Labs, Australia), Guangdong Bai (University of Queensland), Paddy Krishnan (Oracle Labs, Australia), Kostyantyn Vorobyov (Oracle Labs, Australia)
01:05 (35m, Live Q&A) | TauMed: Test Augmentation of Deep Learning in Medical Diagnosis (Tool Demonstrations). Yunhan Hou, Jiawei Liu, Daiwei Wang, Jiawei He, Chunrong Fang, Zhenyu Chen (all Nanjing University)
01:05 (35m, Live Q&A) | RESTest: Automated Black-Box Testing of RESTful Web APIs (Tool Demonstrations). Alberto Martin-Lopez (Universidad de Sevilla), Sergio Segura (Universidad de Sevilla), Antonio Ruiz-Cortés (University of Seville)
09:05 - 09:40 | ISSTA Tool Demos (Live Discussion) 3 (Tool Demonstrations at ISSTA Demos). Chair(s): Michael Pradel, University of Stuttgart
09:05 (35m, Live Q&A) | SCStudio: A Secure and Efficient Integrated Development Environment for Smart Contracts (Tool Demonstrations). Meng Ren (Tsinghua University), Fuchen Ma (Tsinghua University), Zijing Yin (Tsinghua University), Huizhong Li (WeBank), Ying Fu (Ant Group), Ting Chen (University of Electronic Science and Technology of China), Yu Jiang (Tsinghua University)
09:05 (35m, Live Q&A) | TauMed: Test Augmentation of Deep Learning in Medical Diagnosis (Tool Demonstrations). Yunhan Hou, Jiawei Liu, Daiwei Wang, Jiawei He, Chunrong Fang, Zhenyu Chen (all Nanjing University)
09:05 (35m, Live Q&A) | ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing (Tool Demonstrations)
09:05 (35m, Live Q&A) | C4: the C Compiler Concurrency Checker (Tool Demonstrations). Matt Windsor (University of York), Alastair F. Donaldson (Imperial College London), John Wickerson (Imperial College London)
09:05 (35m, Live Q&A) | echidna-parade: A Tool for Diverse Multicore Smart Contract Fuzzing (Tool Demonstrations)
09:05 (35m, Live Q&A) | MOSCAN: A Model-based Vulnerability Scanner for Web Single Sign-on Services (Tool Demonstrations). Hanlin Wei (The University of Queensland), Behnaz Hassanshahi (Oracle Labs, Australia), Guangdong Bai (University of Queensland), Paddy Krishnan (Oracle Labs, Australia), Kostyantyn Vorobyov (Oracle Labs, Australia)