SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities

15 May 2014

Our paper on automated testing of web applications has been accepted to the 2014 USENIX Security Symposium. [Update: the final version of the paper is available here.]

It describes a black-box technique for automatically scanning websites for vulnerabilities in how they implement Facebook Single Sign-On, and results from our experiments running it on thousands of websites.

You can try the scanner at

Yuchen Zhou will present the paper at USENIX Security in San Diego, 20-22 August 2014.