SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities
15 May 2014
Our paper on automated testing of web applications has been accepted to the 2014 USENIX Security Symposium. [Update: the final version of the paper is available here.]
It describes a black-box technique for automatically scanning websites for vulnerabilities in how they implement Facebook Single Sign-On, and reports results from our experiments running it on thousands of websites.
You can try the scanner at SSOScan.org.
Yuchen Zhou will present the paper at USENIX Security in San Diego, 20-22 August 2014.