Model-driven Security Testing of SAML Single Sign-On System
- DOI
- 10.2991/aeecs-18.2018.56
- Keywords
- Security Assertion Markup Language, Single Sign-On, security testing, Fuzz.
- Abstract
According to our investigation, existing work on security testing of Single Sign-On (SSO) systems based on the Security Assertion Markup Language (SAML) relies on partially automated code-review methods, which leads to low effectiveness and low reusability. In response to these limitations, a new automatic model-driven security testing framework is proposed. This method uses a broker-agent to obtain input traces automatically. Unlike most previous methods, which target the OAuth or OpenID protocols, our method uses a customized fuzz-testing engine designed for the SAML protocol. This engine includes special mutation strategies and an anomaly-monitoring mechanism. Based on this approach, we have developed a prototype tool called SSOFuzzer and evaluated it on several SSO reference systems, such as onelogin and myOneLogin. The experimental results show that, compared to semi-automatic tools such as SAMLRaider, SSOFuzzer accelerates test-case generation by 12.4 times. SSOFuzzer also found four previously unknown security flaws and one known security flaw in our benchmark systems.
- Copyright
- © 2018, the Authors. Published by Atlantis Press.
- Open Access
- This is an open access article distributed under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).
Cite this article
TY  - CONF
AU  - Weitao Hou
AU  - Menghao Li
AU  - Jian Liu
AU  - Wei Huo
PY  - 2018/03
DA  - 2018/03
TI  - Model-driven Security Testing of SAML Single Sign-On System
BT  - Proceedings of the 2018 2nd International Conference on Advances in Energy, Environment and Chemical Science (AEECS 2018)
PB  - Atlantis Press
SP  - 335
EP  - 341
SN  - 2352-5401
UR  - https://doi.org/10.2991/aeecs-18.2018.56
DO  - 10.2991/aeecs-18.2018.56
ID  - Hou2018/03
ER  -