
dc.contributor.author: Wei, H
dc.contributor.author: Hassanshahi, B
dc.contributor.author: Bai, G
dc.contributor.author: Krishnan, P
dc.contributor.author: Vorobyov, K
dc.date.accessioned: 2022-02-02T07:01:54Z
dc.date.available: 2022-02-02T07:01:54Z
dc.date.issued: 2021
dc.identifier.isbn: 9781450384599
dc.identifier.doi: 10.1145/3460319.3469081
dc.identifier.uri: http://hdl.handle.net/10072/411911
dc.description.abstract: Various third-party single sign-on (SSO) services (e.g., Facebook Login and Twitter Login) are widely deployed by web applications to facilitate their authentication and authorization processes. Nevertheless, integrating these services in a secure manner remains challenging, such that security issues are continually reported in recent years. In this work, we develop MoScan, a model-based scanner that can be used by software testers and security analysts for detecting and reporting security vulnerabilities in SSO implementations. MoScan takes as input a state machine built based on an SSO standard and our empirical study to represent participants' states and transitions during the login process. In the testing process, it analyzes network traces captured during the execution of SSO services, and increments the state machine which is then used to generate payloads to test the protocol participants. We evaluate MoScan with 23 real-world websites which integrate the Facebook SSO service to test its capability of identifying security vulnerabilities. To show the adaptability of MoScan's state machine, we also test it on Twitter and LinkedIn's SSO services, and GitHub's authentication plugin in Jenkins. It detects three known weaknesses and one new logic fault from them, showing a new perspective in testing stateful protocol implementations like SSO services. Our demonstration and the source code of MoScan are available at https://github.com/baigd/moscan.
dc.description.peerreviewed: Yes
dc.publisher: ACM
dc.relation.ispartofconferencename: ISSTA '21: 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
dc.relation.ispartofconferencetitle: ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
dc.relation.ispartofdatefrom: 2021-01-11
dc.relation.ispartofdateto: 2021-01-17
dc.relation.ispartoflocation: Virtual Denmark
dc.relation.ispartofpagefrom: 678
dc.relation.ispartofpageto: 681
dc.subject.fieldofresearch: Software engineering
dc.subject.fieldofresearchcode: 4612
dc.title: MoScan: A model-based vulnerability scanner for web single sign-on services
dc.type: Conference output
dc.type.description: E1 - Conferences
dcterms.bibliographicCitation: Wei, H; Hassanshahi, B; Bai, G; Krishnan, P; Vorobyov, K, MoScan: A model-based vulnerability scanner for web single sign-on services, ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, 2021, pp. 678-681
dc.date.updated: 2022-02-02T06:56:58Z
gro.hasfulltext: No Full Text
gro.griffith.author: Bai, Guangdong



This item appears in the following Collection(s)

  • Conference outputs
    Contains papers delivered by Griffith authors at national and international conferences.
