Proceedings of the 2018 2nd International Conference on Advances in Energy, Environment and Chemical Science (AEECS 2018)

Model-driven Security Testing of SAML Single Sign-On System

Authors
Weitao Hou, Menghao Li, Jian Liu, Wei Huo
Corresponding Author
Weitao Hou
Available Online March 2018.
DOI
10.2991/aeecs-18.2018.56How to use a DOI?
Keywords
Security Assertion Markup Language, Single Sign-On, security testing, Fuzz.
Abstract

According to investigation, existing works of security testing for Single Sign-on systems (SSO) on the Security Assertion Markup Language (SAML) are based on partially automatic code review methods, which lead to a low level in effectiveness and reusability. In response to these limitations, a new automatic model-driven security testing framework is proposed. This method utilizes a broker-agent to obtain input traces automatically. Different from most previous methods which are applied to OAuth or openID protocols, in our method a customized fuzzy testing engine is designed to SAML protocol. This engine includes special mutation strategies and an abnormal monitor mechanism. Based on this approach, we have developed a prototypical tool called SSOFuzzer and evaluated it with several SSO reference systems, such as onelogin and myOneLogin. The experimental results show that compared to semi-automatic tools like SAMLRaider, SSOFuzzer can accelerate the generation of test cases by 12.4 times. SSOFuzzer also found four unknown security flaws and one known security flaw from our benchmark systems.

Copyright
© 2018, the Authors. Published by Atlantis Press.
Open Access
This is an open access article distributed under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).

Download article (PDF)

Volume Title
Proceedings of the 2018 2nd International Conference on Advances in Energy, Environment and Chemical Science (AEECS 2018)
Series
Advances in Engineering Research
Publication Date
March 2018
ISBN
978-94-6252-479-8
ISSN
2352-5401
DOI
10.2991/aeecs-18.2018.56How to use a DOI?
Copyright
© 2018, the Authors. Published by Atlantis Press.
Open Access
This is an open access article distributed under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).

Cite this article

TY  - CONF
AU  - Weitao Hou
AU  - Menghao Li
AU  - Jian Liu
AU  - Wei Huo
PY  - 2018/03
DA  - 2018/03
TI  - Model-driven Security Testing of SAML Single Sign-On System
BT  - Proceedings of the 2018 2nd International Conference on Advances in Energy, Environment and Chemical Science (AEECS 2018)
PB  - Atlantis Press
SP  - 335
EP  - 341
SN  - 2352-5401
UR  - https://doi.org/10.2991/aeecs-18.2018.56
DO  - 10.2991/aeecs-18.2018.56
ID  - Hou2018/03
ER  -