Single Sign-On (SSO) shifts the crucial authentication process on a website to to the underlying SSO protocols and their correct implementation. To strengthen SSO security, organizations, such as IETF and W3C, maintain advisories to address known threats. One could assume that these security best practices are widely deployed on websites. We show that this assumption is a fallacy. We present SSO-MONITOR, an open-source fully-automatic large-scale SSO landscape, security, and privacy analysis tool. In contrast to all previous work, SSO-MONITOR uses a highly extensible, fully automated workflow with novel visual-based SSO detection techniques, enhanced security and privacy analyses, and continuously updated monitoring results. It receives a list of domains as input to discover the login pages, recognize the supported Identity Providers (IdPs), and execute the SSO. It further reveals the current security level of SSO in the wild compared to the security best practices on paper. With SSO-MONITOR, we automatically identified 1,632 websites with 3,020 Apple, Facebook, or Google logins within the Tranco 10k. Our continuous monitoring also revealed how quickly these numbers change over time. SSO-MONITOR can automatically login to each SSO website. It records the logins by tracing HTTP and in-browser communication to detect widespread security and privacy issues automatically. We introduce a novel deep-level inspection of HTTP parameters that we call SMARTPARMS. Using SMARTPARMS for security analyses, we uncovered URL parameters in 5 Client Application (Client) secret leakages and 337 cases with weak CSRF protection. We additionally identified 447 cases with no CSRF protection, 342 insecure SSO flows and 9 cases with nested URL parameters, leading to an open redirect in one case. SSO-MONITOR reveals privacy leakages that deanonymize users in 200 cases.
翻译:单一签名( SSO) 将网站上的关键认证程序转换为基本的 SSO 协议及其正确执行。 为加强 SSO 安全, IETTF 和 W3C 等组织维持建议以应对已知威胁。 可以假设这些安全最佳做法在网站上广泛部署。 我们显示这一假设是一个谬论。 我们提供SSO- MONITOR, 一个开放源全自动的 SSO 大型地貌、安全和隐私分析工具。 与以往所有工作不同, SSO- MONITOR 的参数使用一个高度可扩展的、完全自动化的工作流程,配有新的SSSO级检测技术、强化的安全和隐私分析以及不断更新的监测结果。 它收到一份域名清单,作为查找登录登录登录网页的输入信息,承认受支持的身份提供者( Id47 ), 执行SSSO。 它进一步揭示了SO( SSO-MO) 的当前隐私水平, 与SO- MONTOR 相比, 我们自动识别了1, SSO A、 Facebook或 Goolog 10k 的用户。 我们持续监控的SL 的SLO- tral- tral 记录显示SO 4 记录。