ISSTA 2021
Sun 11 - Sat 17 July 2021 Online
co-located with ECOOP and ISSTA 2021
Fri 16 Jul 2021 01:05 - 01:40 at ISSTA Demos - ISSTA Tool Demos (Live Discussion) 2 Chair(s): August Shi
Fri 16 Jul 2021 09:05 - 09:40 at ISSTA Demos - ISSTA Tool Demos (Live Discussion) 3 Chair(s): Michael Pradel

Various third-party single sign-on (SSO) services (e.g., Facebook Login and Twitter Login) are widely deployed by web applications. Security issues exist in integrating these services. In this work, we develop MOSCAN, a model-based scanner for detecting and reporting security vulnerabilities in SSO implementations. MOSCAN takes as input a state machine built from an SSO standard and an empirical study to represent participants' states and transitions during the login process. It analyzes network traces captured during the execution of SSO services. We evaluate MOSCAN with 23 real-world websites which integrate the Facebook SSO service to test its capability of identifying security vulnerabilities. It can find three known weaknesses and one new logic fault, showing a new perspective in testing stateful protocol implementations like SSO services. To show the adaptability of MOSCAN's state machine, we also test another SSO service. Our demonstration is available at https://youtu.be/HI3S9IaUDGU. Our code is available at https://github.com/baigd/moscan.
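The abstract describes the approach only at a high level: a state machine derived from the SSO standard is replayed over captured network traces, and anything that leaves the model or breaks a rule of the standard is reported. The Python below is an added illustration of that idea written for this page; it is not MOSCAN's model, checks or code, and the three known weaknesses and the new logic fault mentioned above are not reproduced here. It models the relying-party side of the OAuth 2.0 authorization-code grant (RFC 6749, Section 4.1, the kind of flow services like Facebook Login are built on), runs two constructed traces through the model and flags out-of-model transitions plus a few rules taken from the RFC (missing or mismatched `state`, a code delivered somewhere other than the requested `redirect_uri`, an authorization code exchanged twice). The hosts `idp.example` and `rp.example`, the endpoint paths, the `Msg` record layout and the traces themselves are assumptions made for the example.

```python
"""Checking a captured SSO login trace against a state-machine model of the
OAuth 2.0 authorization-code grant (RFC 6749, Section 4.1).
Added illustration of the model-based approach; not MOSCAN's model or code."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass
class Msg:
    """One request/response pair from a trace (all traces below are constructed)."""
    method: str
    url: str
    status: int
    req_body: str = ""   # form-encoded request body (token requests, RFC 6749 4.1.3)
    location: str = ""   # Location header when the response is a redirect
    body: str = ""       # response body


def _form(qs: str) -> dict:
    return {k: v[0] for k, v in parse_qs(qs).items()}


def classify(m: Msg):
    """Map one request/response pair to the model events it carries, in order:
    request-side events first, then the event carried by a redirect response."""
    events, path = [], urlsplit(m.url).path
    if m.method == "GET" and path.endswith("/oauth/authorize"):   # assumed IdP path
        events.append(("authz_request", _form(urlsplit(m.url).query)))
    if m.method == "POST" and path.endswith("/oauth/access_token"):  # assumed path
        p = _form(m.req_body)
        p["_granted"] = '"access_token"' in m.body
        events.append(("token_exchange", p))
    if m.status in (302, 303) and m.location:
        loc = urlsplit(m.location)
        p = _form(loc.query)
        if "code" in p:                      # provider redirecting back with the code
            p["_target"] = loc._replace(query="", fragment="").geturl()
            events.append(("authz_response", p))
    return events


# Allowed transitions of the relying party (the website integrating SSO).
MODEL = {
    ("INIT", "authz_request"): "AUTHZ_SENT",
    ("AUTHZ_SENT", "authz_response"): "CODE_RECEIVED",
    ("CODE_RECEIVED", "token_exchange"): "LOGGED_IN",
}


def check_trace(trace):
    """Replay a trace through MODEL; return (final_state, list of findings)."""
    state, findings, ctx, used_codes = "INIT", [], {}, set()
    for i, m in enumerate(trace):
        for event, p in classify(m):
            if event == "token_exchange":    # single-use rule holds in every state
                if p.get("code") in used_codes:
                    findings.append(f"#{i}: authorization code reused (RFC 6749 4.1.2)")
                used_codes.add(p.get("code"))
            nxt = MODEL.get((state, event))
            if nxt is None:                  # transition absent from the model
                findings.append(f"#{i}: {event} not expected in state {state}")
                continue
            if event == "authz_request":
                ctx = dict(p)
                if "state" not in p:
                    findings.append(f"#{i}: authorization request carries no state (RFC 6749 10.12)")
            elif event == "authz_response":
                if p.get("state") != ctx.get("state"):
                    findings.append(f"#{i}: state {p.get('state')!r} does not match request")
                if p["_target"] != ctx.get("redirect_uri"):
                    findings.append(f"#{i}: code delivered to {p['_target']}, not the requested redirect_uri")
                ctx["code"] = p["code"]
            elif event == "token_exchange":
                if p.get("code") != ctx.get("code"):
                    findings.append(f"#{i}: exchanged code was not issued in this flow")
                if not p["_granted"]:
                    continue                 # provider refused; stay in CODE_RECEIVED
            state = nxt
    return state, findings


RP = "https://rp.example/sso/callback"      # hypothetical relying-party callback
IDP = "https://idp.example/oauth"           # hypothetical identity-provider prefix
GOOD_TRACE = [
    Msg("GET", f"{IDP}/authorize?client_id=app1&redirect_uri={RP}&state=s1", 200),
    Msg("POST", f"{IDP}/authorize", 302, location=f"{RP}?code=c1&state=s1"),
    Msg("POST", f"{IDP}/access_token", 200, body='{"access_token":"t1"}',
        req_body=f"grant_type=authorization_code&code=c1&redirect_uri={RP}"),
]
BAD_TRACE = [                                # no state, and the code is exchanged twice
    Msg("GET", f"{IDP}/authorize?client_id=app1&redirect_uri={RP}", 200),
    Msg("POST", f"{IDP}/authorize", 302, location=f"{RP}?code=c2"),
    Msg("POST", f"{IDP}/access_token", 200, body='{"access_token":"t2"}',
        req_body=f"grant_type=authorization_code&code=c2&redirect_uri={RP}"),
    Msg("POST", f"{IDP}/access_token", 200, body='{"access_token":"t3"}',
        req_body=f"grant_type=authorization_code&code=c2&redirect_uri={RP}"),
]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, check_trace(trace))
```

The model deliberately lists only the transitions the standard permits for the client, so a message that arrives in the wrong state (here, a second token exchange after login) is reported as an out-of-model transition even before any parameter rule fires; that is the property that lets the same model be reused against other providers' traces, as the abstract says MOSCAN's state machine can be.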

Fri 16 Jul

Displayed time zone: Brussels, Copenhagen, Madrid, Paris

01:05 - 01:40
ISSTA Tool Demos (Live Discussion) 2 - Tool Demonstrations at ISSTA Demos
Chair(s): August Shi (University of Texas at Austin)

01:05 (35m, Live Q&A) - MOSCAN: A Model-based Vulnerability Scanner for Web Single Sign-on Services (Tool Demonstrations)
Hanlin Wei (The University of Queensland), Behnaz Hassanshahi (Oracle Labs, Australia), Guangdong Bai (University of Queensland), Paddy Krishnan (Oracle Labs, Australia), Kostyantyn Vorobyov (Oracle Labs, Australia)

01:05 (35m, Live Q&A) - TauMed: Test Augmentation of Deep Learning in Medical Diagnosis (Tool Demonstrations)
Yunhan Hou (Nanjing University), Jiawei Liu (Nanjing University), Daiwei Wang (Nanjing University), Jiawei He (Nanjing University), Chunrong Fang (Nanjing University), Zhenyu Chen (Nanjing University)

01:05 (35m, Live Q&A) - RESTest: Automated Black-Box Testing of RESTful Web APIs (Tool Demonstrations)
Alberto Martin-Lopez (Universidad de Sevilla), Sergio Segura (Universidad de Sevilla), Antonio Ruiz-Cortés (University of Seville)
09:05 - 09:40
ISSTA Tool Demos (Live Discussion) 3 - Tool Demonstrations at ISSTA Demos
Chair(s): Michael Pradel (University of Stuttgart)

09:05 (35m, Live Q&A) - SCStudio: A Secure and Efficient Integrated Development Environment for Smart Contracts (Tool Demonstrations)
Meng Ren (Tsinghua University), Fuchen Ma (Tsinghua University), Zijing Yin (Tsinghua University), Huizhong Li (WeBank), Ying Fu (Ant Group), Ting Chen (University of Electronic Science and Technology of China), Yu Jiang (Tsinghua University)

09:05 (35m, Live Q&A) - TauMed: Test Augmentation of Deep Learning in Medical Diagnosis (Tool Demonstrations)
Yunhan Hou (Nanjing University), Jiawei Liu (Nanjing University), Daiwei Wang (Nanjing University), Jiawei He (Nanjing University), Chunrong Fang (Nanjing University), Zhenyu Chen (Nanjing University)

09:05 (35m, Live Q&A) - ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing (Tool Demonstrations)
Roberto Natella (Federico II University of Naples), Thuan Pham (The University of Melbourne)

09:05 (35m, Live Q&A) - C4: the C Compiler Concurrency Checker (Tool Demonstrations)
Matt Windsor (University of York), Alastair F. Donaldson (Imperial College London), John Wickerson (Imperial College London)

09:05 (35m, Live Q&A) - echidna-parade: A Tool for Diverse Multicore Smart Contract Fuzzing (Tool Demonstrations)
Alex Groce (Northern Arizona University), Gustavo Grieco (Trail of Bits)

09:05 (35m, Live Q&A) - MOSCAN: A Model-based Vulnerability Scanner for Web Single Sign-on Services (Tool Demonstrations)
Hanlin Wei (The University of Queensland), Behnaz Hassanshahi (Oracle Labs, Australia), Guangdong Bai (University of Queensland), Paddy Krishnan (Oracle Labs, Australia), Kostyantyn Vorobyov (Oracle Labs, Australia)