
An authentication flaw in browser-based single sign-on protocols: Impact and remediations

Armando, Alessandro; Carbone, Roberto; Compagna, Luca; Cuellar, Jorge; Pellegrino, Giancarlo; Sorniotti, Alessandro

Computers and Security, Vol 33, March 2013, Elsevier, ISSN: 0167-4048

Browser-based Single Sign-On (SSO) protocols relieve the user of the burden of managing multiple credentials, thereby improving both the user experience and security. In this paper we show that extreme care is required when specifying and implementing the prototypical browser-based SSO use case. We show that the main emerging SSO protocols, namely SAML SSO and OpenID, suffer from an authentication flaw that allows a malicious service provider to hijack a client's authentication attempt, or to force the client to access a resource without its consent or intention. This may have serious consequences, as evidenced by a Cross-Site Scripting attack that we identified in the SAML-based SSO for Google Apps and in the SSO available in Novell Access Manager v.3.1. For instance, the attack allowed a malicious web server to impersonate a user on any Google application. We also describe solutions that can be used to mitigate and even solve the problem.


Title: An authentication flaw in browser-based single sign-on protocols: Impact and remediations
Keywords: Single Sign-On; Security Protocols; Model-checking; OpenID; SAML SSO; Vulnerability; Model-based Security Testing
Type: Journal
Language: English
Department: Digital Security
Eurecom ref: 3812
Copyright: © Elsevier. Personal use of this material is permitted. The definitive version of this paper was published in Computers and Security, Vol 33, March 2013, Elsevier, ISSN: 0167-4048 and is available at: http://dx.doi.org/10.1016/j.cose.2012.08.007
Bibtex:
@article{EURECOM+3812,
  doi     = {http://dx.doi.org/10.1016/j.cose.2012.08.007},
  year    = {2012},
  month   = {09},
  title   = {{A}n authentication flaw in browser-based single sign-on protocols: {I}mpact and remediations},
  author  = {{A}rmando, {A}lessandro and {C}arbone, {R}oberto and {C}ompagna, {L}uca and {C}uellar, {J}orge and {P}ellegrino, {G}iancarlo and {S}orniotti, {A}lessandro},
  journal = {{C}omputers and {S}ecurity, {V}ol 33, {M}arch 2013, {E}lsevier, {ISSN}: 0167-4048},
  url     = {http://www.eurecom.fr/publication/3812}
}