Enhancing Security Testing of Identity
Management Implementations:
Introducing MIG-L and MIG-T
Andrea Bisegna1, Matteo Bitussi1, Roberto Carbone1, and Silvio Ranise1,2
1 Center for Cybersecurity, Fondazione Bruno Kessler, Trento, Italy
{a.bisegna,carbone,ranise}@fbk.eu, [email protected]
2 Department of Mathematics, University of Trento, Italy
Abstract. We introduce MIG-L, a declarative language for the specification of security tests, and MIG-T, a testing tool, for Identity Management solutions based on SAML and OAuth/OIDC by verifying compliance with Best Current Practices, detecting known vulnerabilities, and providing suggestions for fixes. Experiments demonstrate the flexibility and effectiveness of our approach.
1 INTRODUCTION
Multi-Party Web Applications play a crucial role in building trust in digital ecosystems by adopting Identity Management (IdM) protocols to secure their implementations. IdM protocols involve three entities: the User (typically interacting through a web browser), the web application (playing the role of a Client), and an Identity Provider (IdP) acting as a trusted third party. Standards for IdM protocols are available, e.g., SAML 2.0 (SAML),3 OpenID Connect (OIDC),4 and OAuth 2.0 (OAuth),5 that describe how Clients can request and consume assertions from IdPs to authenticate users via Single Sign-On (SSO) procedures. This allows users to access multiple applications or services using a single set of credentials while providing a streamlined user experience and increasing security by reducing password fatigue. Despite the advantages, several vulnerabilities have been and are still being found, exposing potential errors and security risks inherent in design and implementation [1,6,?]. The complexity of protocols and reliance on third-party entities further exacerbate the risks. Privacy and data protection concerns necessitate meticulous consideration during deployment. Fragmentation of information sources and a dearth of comprehensive remediation strategies contribute to the complexity of securing these systems. While security testing tools are available, they often exhibit a narrow focus on specific vulnerabilities, potentially overlooking broader security concerns [8,9,10,11]. Moreover, administrators may lack the expertise required to address vulnerabilities effectively, particularly for average IT professionals. To alleviate these problems, we propose a declarative language for security testing, providing a straightforward method to define and execute security test cases in the context of IdM deployments by making the following main contributions:
– We consider an existing threat model [4] based on security controls, threats, vulnerabilities, and risks, and propose an extended version. The extended version allows us not only to perform security tests to identify known vulnerabilities but also to check compliance with Best Current Practices (BCPs) put forward by standardization efforts (e.g., OIDC) to avoid recurring vulnerabilities with high risk.
– We introduce a novel approach to the specification of the test cases leveraging a new declarative language named MIG-L. The language is tailored specifically to IdM protocols and is built upon the extended threat model previously defined.
– We automate our approach by integrating MIG-L into MIG-T,6 a security testing tool included in Micro-Id-Gym [5].
– For validation, we conducted experiments with MIG-T in three scenarios involving IdM protocols. In an OIDC deployment, we identified three vulnerabilities. In an OAuth implementation of a PSD2 compliant payment service, we detected two vulnerabilities and a misconfiguration in the OAuth protocol. Among 48 pairs of service and identity providers supporting SSO-based Account Linking, we identified 21 pairs vulnerable to CSRF.
We make available the security tests specified in MIG-L and the code of MIG-T at the following links https://github.com/stfbk/mig/tree/master/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t and https://github.com/stfbk/mig-t, respectively.
3 https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
4 https://openid.net/connect
5 https://tools.ietf.org/html/rfc6749
6 https://github.com/stfbk/mig-t
Plan of the paper. In Section OUR THREAT MODEL we propose an extended threat model based on an existing one. Then, in Section OUR APPROACH, we present our approach to support security testing. In Section TEST SPECIFICATION, we delve into the specification to define test cases. In Section USE CASES, we describe the experimental analysis on three different scenarios. In Section COMPARISON WITH AVAILABLE TOOLS we collect state-of-the-art tools covering our research. We conclude our work in Section CONCLUSIONS.
2 OUR THREAT MODEL
Fig. 1: Our extended threat model.
The threat model we propose supports the automation of security tests, specified in a high-level language, for both verifying the proper implementation of BCPs and performing attacks on deployments based on IdM protocols. Additionally, the proposed threat model supports, by automating the use of structured data, security assessments and facilitates informed decision-making for cybersecurity risk management. By leveraging automation, we can expedite the analysis process and enhance result accuracy, ensuring the delivery of up-to-date and comprehensive assessments.
By returning actionable hints for fixing vulnerabilities, we assist IT professionals to increase the security of IdM deployments. In Figure 1, the threat model derived from [4]7 is shown in the dashed box whereas outside are the concepts of the extended threat model that are further discussed in Section OUR APPROACH. The threat model in [4] consists in identifying potential threats and vulnerabilities as well as determining the appropriate security controls to mitigate these risks. Security controls encompass a range of countermeasures implemented to secure against intentional and unintentional threats. Vulnerabilities represent implementation and configuration flaws that could be exploited by threats. Understanding the likelihood and impact of these threats is essential for effective risk management. Cyber Threat Intelligence (CTI) plays a crucial role in helping organizations identify and prioritize potential risks. Moreover, CTI aids in the development of targeted risk management strategies tailored to specific vulnerabilities, thus improving overall security posture.
We then introduce an extended threat model for IdM implementations, depicted in Figure 1. Our extended threat model incorporates known attacks and BCPs outlined in the IdM standards, ensuring a comprehensive coverage of security issues. From our threat model, we derive two types of test cases. The former assess the proper implementation of security controls outlined in standards like OIDC or OAuth, facilitating automated compliance testing. The latter perform attacks to exploit known vulnerabilities, enabling automated security testing. By leveraging these test cases, it is possible to identify recurring vulnerabilities and evaluate the security posture of the system through targeted (known) attacks. The purpose of BCPs, implemented through Security Controls, is to identify key vulnerabilities and provide structured mitigations. Security testers design test cases that assess these measures and make sure they are implemented correctly. Let us consider the test T1 aiming at checking whether the adoption of Proof Key for Code Exchange (PKCE) is in place for an OAuth/OIDC deployment. PKCE mitigates the possibility of unauthorized access to protected resources.8
Security Testers also play the role of attackers to assess the impact of vulnerabilities by performing known attacks. Let us consider the test T2, a "Code replay" attack, where the attacker intercepts and reuses the authorization response to gain access to users' resources without their knowledge [3]. The extended threat model considers the nature of BCPs and attacks, which can change over time, offering the possibility of easily expressing and incorporating new test cases in response to a rapidly changing threat landscape. Security Testers have two options according to the type of test case they execute. The first capability pertains to verifying BCPs, by assuming "network" or "web attacker" capabilities, depending on the specific BCP being tested. For example, BCPs addressing redirect Universal Resource Identifier (URI) attacks in OAuth require the capabilities of a web attacker, while others, like securing the OAuth token exchange process, require the capabilities of a (more powerful) "network attacker." The second option relates to executing attacks, where Security Testers have the capabilities of a "web attacker." For instance, in the authorization code interception attack, Security Testers intercept the authorization code exchanged between the OAuth client and authorization server. This attack can be executed through phishing or exploiting vulnerabilities in the OAuth client application, allowing attackers to obtain access tokens and access protected resources.
7 https://doi.org/10.6028/NIST.SP.800-30
8 https://tools.ietf.org/html/rfc7636
3 OUR APPROACH
Fig. 2: High level view of our approach.
According to the threat model in Figure 1, a Security Tester is responsible for creating two types of test cases: one to verify the compliance with the BCPs, and the other to perform attacks. For each test case, a Security Tester defines both a Session and a Test as reported in Figure 2, which provides an overview of our approach. The Session is similar to a UI integration test typically employed by testers of web applications.9 Indeed, a Session encompasses a series of user actions executed by a browser to trigger the HTTP messages required for a Test, enabling our approach to simulate user interactions and gather information on the web application's response. The Test, written in MIG-L, a formal and concise declarative language for security testing, consists of a sequence of operations aimed at managing and manipulating HTTP messages and Session, as well as integrating an oracle automating the criterion against which the outcome of a test can be evaluated. MIG-L is designed to be versatile and adaptable across all web digital identity protocols, as its underlying principles and structure are sufficiently generic to support them. To ensure this flexibility, MIG-L enables security testers to define tests for any web digital identity protocol by specifying relevant parameters and interactions. A Test can be passive or active. The former involves analyzing the intercepted HTTP messages statically, without any interaction (saving a value of a parameter) or modification of the HTTP messages during the execution of the Session. An active test allows for interactions during the execution of the Session. By automating the execution of the test case, a Security Tester can rapidly and precisely evaluate the security of the IdM implementation.
As depicted in Figure 2, the Test Handler is responsible for interpreting and executing the test specified in MIG-L, and it triggers, when needed, the Session Handler, which processes the Session and replicates the user actions within a browser. All HTTP messages pass through (and may be intercepted by) a Proxy. The Proxy Interaction component manages the communication with the Proxy to enforce the conditions specified in the Test. Finally, the Reporting component provides output detailing identified vulnerabilities and suggestions for appropriate security controls, aiding Security Testers and stakeholders in understanding and addressing the results of the tests, thus paving the way for cybersecurity risk management.
To define an architecture for the execution of security tests specified in MIG-L, we define three distinct APIs used by components independently of the underlying technology. These APIs, the Browser API, Proxy API, and Session API, support the automated execution of user actions, interception and manipulation of messages, and management of test session executions, respectively. They streamline the testing process and enhance the flexibility and usability of our approach.
9 https://www.di ami.com/blog/selenium-guide-to-automated-ui-testing/
4 TEST SPECIFICATION
MIG-L is a declarative language for security testing, encompassing many command combinations for manipulating HTTP messages or interacting with the Session. One of the key strengths of MIG-L is its user-friendly nature. The language is designed to be highly expressive yet intuitive, making it accessible to security testers with limited programming experience. The declarative nature of MIG-L allows testers to specify test scenarios in a concise manner without delving into complex scripting or programming. To further simplify the process, we provide a library of pre-defined test templates for common test patterns, which can be easily adapted to specific protocols and implementations. Additionally, MIG-L can be used to generate tests for other types of testing, including triggering additional security tests of the implementation, such as fuzzing, though this is not considered in this work.
To illustrate the flexibility of this language we present two test cases, T1 and T2. These examples correspond to the BCP and attack cases described in Section OUR THREAT MODEL. Our approach, as defined in Section OUR APPROACH, requires two inputs: the Test specified in MIG-L and the Session. The Session depicted in Listing 1.1 and required for both tests (T1 and T2) is a Selenium script that executes the OIDC flow in the spid-cie-oidc-django10 implementation based on the SPID/CIE OIDC. The commands inherited from the Selenium script are highlighted in red, while comments are in blue.
Listing 1.1: Session s1 used both in T1 and T2.
open | http://relying-party.org:8001/oidc/rp/landing | $$ // access SP webpage $$
click | xpath=/html/body/div[2]/div/span[2]/a | $$ // press login button $$
click | xpath=/html/body/div[2]/ul/li[2]/a | $$ // choose IdP $$
type | id=username | user $$ // insert user $$
type | id=password | oidcuser $$ // insert password $$
click | xpath=/html/body/div[2]/div[3]/button/span[2] | $$ // press login button $$
click | id=agree | $$ // provide consent $$
The first test T1 we analyze, specified in Listing 1.2, concerns compliance with the BCP in OAuth, specifically focusing on the adoption of PKCE. This test intercepts the authorization request and the token request and verifies the presence of code_challenge and code_verifier, respectively, in their URLs.
The commands start_test and end_test mark the beginning (Line 1) and end (Line 11) of the test, respectively. The start_test command requires the test name and description, the test type (either passive or active), and the set of (references to) Sessions (only s1 for T1).
The command start (at Line 2) indicates that the Session s1 is executed.
The commands start_msg_operation and end_msg_operation mark the beginning (Line 3) and the end (Line 10) of the HTTP message operations to be executed within the test, respectively.
The commands start_checks and end_checks identify the beginning (Line 4) and end (Line 6) of an operation in charge of verifying the presence of a parameter, respectively. In this case we detect the presence of the code_challenge parameter in the URL of the authorization request. The authorization_request is defined as the HTTP request where the URL contains the response_type and client_id parameters.
Similarly to Lines 4-6, the commands in Lines 7-9 verify the presence of the parameter code_verifier in the URL of the token request. The token_request is defined as the HTTP request where the URL contains grant_type, code, redirect_uri, and client_id.
10 https://github.com/italia/spid-cie-oidc-django/
Listing 1.2: MIG-L test for T1 (passive).
1  start_test(Verify presence of PKCE, The test verify the presence of code_challenge and code_verifier, passive, {s1}) $$ // passive test $$
2  start(s1) $$ // run s1 $$
3  start_msg_operation() $$ // start of message operation $$
4  start_checks(authorization_request) $$ // start checks in authorization_request $$
5  check(code_challenge, is present, url) $$ // verify the presence of code_challenge in url $$
6  end_checks()
7  start_checks(token_request) $$ // start checks in token_request $$
8  check(code_verifier, is present, url) $$ // verify the presence of code_verifier in url $$
9  end_checks()
10 end_msg_operation() $$ // end of message operation $$
11 end_test() $$ // end of passive test $$
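The passive check of Listing 1.2 reduced to executable form, as an added example written for this page and not MIG-T's own interpreter: the two message selectors and the check(param, condition, location) command are evaluated over a constructed HTTP trace. It also accepts a "body" location, an assumption not in the paper, because RFC 7636 carries code_verifier in the token request body, which T1 as written (URL only) would not see.

```python
from urllib.parse import parse_qs, urlsplit

# Message selectors exactly as the text defines them: a message is an
# authorization_request / token_request when its URL carries these parameters.
SELECTORS = {
    "authorization_request": {"response_type", "client_id"},
    "token_request": {"grant_type", "code", "redirect_uri", "client_id"},
}

# T1 of Listing 1.2 as data: (message, parameter, condition, location).
T1_CHECKS = [
    ("authorization_request", "code_challenge", "is present", "url"),
    ("token_request", "code_verifier", "is present", "url"),
]
# Variant (assumption, not in the paper): look for code_verifier in the POST body,
# where RFC 7636 places it, instead of the URL.
T1_CHECKS_BODY = [T1_CHECKS[0], ("token_request", "code_verifier", "is present", "body")]


def param_names(msg, where):
    """Names of the parameters in the URL query or in the form-encoded body."""
    if where == "url":
        return set(parse_qs(urlsplit(msg["url"]).query, keep_blank_values=True))
    if where == "body":
        return set(parse_qs(msg.get("body", ""), keep_blank_values=True))
    raise ValueError(f"unknown location {where!r}")


def classify(msg):
    """All MIG-L message names whose selector matches this request."""
    present = param_names(msg, "url")
    return [name for name, required in SELECTORS.items() if required <= present]


def check(msg, param, condition, where):
    """MIG-L check(param, condition, where) evaluated on one message."""
    names = param_names(msg, where)
    if condition == "is present":
        return param in names
    if condition == "is not present":
        return param not in names
    raise ValueError(f"unknown condition {condition!r}")


def run_passive_test(trace, checks):
    """Apply each check to every recorded message its selector matches.
    Result is {message: {param: True|False|None}}; None means the selector
    matched no message at all, which must count as a failure, not a pass."""
    results = {}
    for msg_name, param, cond, where in checks:
        outcome = None
        for msg in trace:
            if msg_name in classify(msg):
                ok = check(msg, param, cond, where)
                outcome = ok if outcome is None else (outcome and ok)
        results.setdefault(msg_name, {})[param] = outcome
    return results


def all_checks_passed(results):
    """The passive test passes only if every check evaluated to True."""
    return all(r is True for per_msg in results.values() for r in per_msg.values())


# Constructed trace of a PKCE-enabled code flow (hostnames and values are illustrative;
# the token request keeps grant_type etc. in the URL so that the paper's selector matches).
PKCE_TRACE = [
    {"method": "GET", "url": "https://idp.example/authorize?response_type=code&client_id=rp1"
     "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&scope=openid&state=s1state"
     "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256",
     "body": ""},
    {"method": "POST", "url": "https://idp.example/token?grant_type=authorization_code"
     "&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Frp.example%2Fcb&client_id=rp1",
     "body": "code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"},
]
# The same constructed flow without PKCE.
NO_PKCE_TRACE = [
    {"method": "GET", "url": "https://idp.example/authorize?response_type=code&client_id=rp1"
     "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&scope=openid&state=s1state", "body": ""},
    {"method": "POST", "url": "https://idp.example/token?grant_type=authorization_code"
     "&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Frp.example%2Fcb&client_id=rp1",
     "body": ""},
]
```

Running T1 as written against PKCE_TRACE reports code_verifier as absent, while the body variant passes and NO_PKCE_TRACE fails both, so where the parameter is looked for matters as much as whether it is looked for.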
The second test T2 we show, specified in Listing 1.3, performs the code replay attack in [3]. The steps of this attack involve intercepting the code parameter during the execution of the OIDC flow and then reusing it in a new flow. As said above, the Session s1 for T2 is identical to the one used in T1. Another Session (s1_copy) is responsible for reusing the code parameter in a new flow, and T2 automatically generates s1_copy by duplicating s1.
The commands at Lines 1 and 15 indicate the start and finish of the test, respectively. Unlike the test in Listing 1.2, we have defined an active test and provided two Sessions (s1 and s1_copy). For active tests, one further piece of information must be included, namely the expected test result. In this case, it is incorrect flow s1_copy, meaning that the test is passed if the flow of s1_copy is incorrect, i.e. the execution fails. Indeed, if all the user actions in s1_copy are successfully executed, it means that the attack is successful and thus the test is considered failed.
The command save (at Line 2) indicates that all the user actions reported from the command track[M0,ML], where M0 represents the first user action and ML represents the last user action reported in Session s1, are saved in s1_copy.
The command start (at Line 3) indicates that the Session s1 is executed.
The commands start_test_operation and end_test_operation (at Lines 4 and 8, respectively) define which HTTP message to intercept and the action to take once intercepted. All the operations between Lines 5 and 7 will be applied to the HTTP message. In this case, the HTTP message to intercept is the authorization_response in s1, and once intercepted, it must be dropped. This means inducing an error in the execution and thus halting the execution of s1. The authorization_response is defined as the HTTP response with code and state in the URL.
The commands start_msg_operation and end_msg_operation identify the beginning (Line 5) and end (Line 7) of an operation in charge of saving the value of a parameter, respectively. In this case, we identify the value of the parameter code in the URL and save it to a new variable called saved_code.
The command start (at Line 9) indicates that the Session s1_copy is executed.
Similarly to Lines 4 and 8, with the commands start_test_operation and end_test_operation (at Lines 10 and 14, respectively), we want to intercept the authorization_response message from s1_copy without dropping the HTTP message, allowing the execution of the remaining user actions specified in s1_copy.
The commands start_msg_operation and end_msg_operation (at Lines 11 and 13, respectively) replace the value of the code parameter in the URL with that in saved_code.
Listing 1.3: MIG-L test for T2 (active).
1  start_test(Code replay attack, The test intercepts the code in the authorization response and replay it in another authorization response, active, {s1, s1_copy}, incorrect flow s1_copy) $$ // active test $$
2  save(s1_copy, track[M0, ML], s1) $$ // copy all the user actions from s1 to s1_copy $$
3  start(s1) $$ // run s1 $$
4  start_test_operation(authorization_response, s1, drop) $$ // drop authorization_response message generated in s1 $$
5  start_msg_operation() $$ // begin message operation $$
6  save_parameter(code, saved_code, url) $$ // save parameter code from url and store it as saved_code $$
7  end_msg_operation() $$ // end message operation $$
8  end_test_operation() $$ // end test operation $$
9  start(s1_copy) $$ // run s1_copy $$
10 start_test_operation(authorization_response, s1_copy, intercept) $$ // intercept authorization_response message from s1_copy $$
11 start_msg_operation() $$ // begin message operation $$
12 edit_parameter(code, saved_code, url) $$ // edit code parameter from url with saved_code $$
13 end_msg_operation() $$ // end message operation $$
14 end_test_operation() $$ // end test operation $$
15 end_test() $$ // end of active test $$
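The oracle of T2 ("incorrect flow s1_copy") run against a toy authorization server, as an added example written for this page rather than MIG-T code; the server model, client_id and redirect_uri are constructed. It shows why a code saved from s1 (whose authorization_response is dropped, so the code is never redeemed) is accepted inside s1_copy unless the server enforces the PKCE binding that T1 checks for, and why single use alone is not the relevant control here.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

CLIENT_ID, REDIRECT_URI = "rp1", "https://rp.example/cb"  # constructed identifiers


def s256(verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """Constructed model of an OAuth/OIDC authorization server (not MIG-T code).
    enforce_pkce toggles the BCP that T1 checks, so T2 can be run against both settings."""

    def __init__(self, enforce_pkce):
        self.enforce_pkce = enforce_pkce
        self._codes = {}  # code -> what was bound to it at authorization time

    def authorize(self, client_id, redirect_uri, state, code_challenge=None):
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": code_challenge, "used": False}
        # authorization_response as the text defines it: code and state in the URL
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, redirect_uri, code, code_verifier=None):
        rec = self._codes.get(code)
        if (rec is None or rec["used"] or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        if self.enforce_pkce and (code_verifier is None
                                  or s256(code_verifier) != rec["challenge"]):
            # the verifier presented now must match the challenge bound to this code
            return {"error": "invalid_grant"}
        rec["used"] = True  # single use; irrelevant for a code that was never redeemed
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def authorization_step(server, state):
    """First half of a Session: a fresh PKCE pair, then the authorization request/response."""
    verifier = secrets.token_urlsafe(32)
    redirect = server.authorize(CLIENT_ID, REDIRECT_URI, state, code_challenge=s256(verifier))
    code = parse_qs(urlsplit(redirect).query)["code"][0]
    return code, verifier


def token_step(server, code, verifier):
    """Second half of a Session: the token request with this flow's own verifier."""
    return server.token(CLIENT_ID, REDIRECT_URI, code, code_verifier=verifier)


def code_replay_test(server):
    """T2 of Listing 1.3 as an oracle. s1: after save_parameter(code, saved_code, url) the
    authorization_response is dropped, so s1 never redeems its code. s1_copy: its own
    authorization_response has code replaced by saved_code and the flow continues.
    'incorrect flow s1_copy' means the test passes iff s1_copy fails to obtain a token."""
    saved_code, _ = authorization_step(server, "state-s1")  # s1, then dropped
    own_code, verifier_copy = authorization_step(server, "state-s1-copy")
    assert own_code != saved_code
    outcome = token_step(server, saved_code, verifier_copy)  # edit_parameter(code, saved_code, url)
    return {"passed": "access_token" not in outcome, "s1_copy_token_response": outcome}


def honest_flow(server):
    """Control: an unmodified Session must still succeed against the hardened server."""
    code, verifier = authorization_step(server, "state-honest")
    return token_step(server, code, verifier)
```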
With our language, it is also possible to execute multiple tests simultaneously using the same Session. For this, we have introduced the ability to define a test suite, which consists of an object comprising a collection of tests, using the command define_suite. This command specifies (i) name - the label assigned to the suite, and (ii) description - the descriptive annotation allocated to it. Once the test suite is defined, tests can be defined.
Additionally, MIG-L can be used to generate tests for detecting other types of vulnerabilities (e.g., those detectable by fuzzing). Although we do not further elaborate on this point, we mention that it is not difficult to specify a test case in MIG-L to detect a recently disclosed vulnerability in a largely used OAuth deployment that, paired with cross-site scripting (XSS) flaws, enables account takeovers in more than a million websites.11
5 IMPLEMENTATION
We have implemented our approach in Micro-Id-Gym [5] by extending MIG-T, a plugin to support pentesting activities in IdM implementations.
Based on the Burp web proxy,12 MIG-T offers a comprehensive set of APIs to interact with, including those defined in Section OUR APPROACH. The three APIs available in MIG-T are the Browser API, Proxy API, and Session API and are instances of those depicted in Figure 2. The Browser API allows for the automated execution of user actions defined in a Session. For example, it provides the driver.get(URL) method to open a specific URL in the browser. The Proxy API is used to intercept and manipulate an HTTP Message. For instance, the HttpRequestResponse.getRequest() method can retrieve intercepted messages. Finally, the Session API manages Session executions. For example, the start(Session) method creates a new thread object to run a specified Session.
6 USE CASES
We illustrate three applications of MIG-T that highlight its versatility and effectiveness by conducting the security analysis in (S1) the SPID/CIE OIDC deployment in Developers Italia, (S2) an OAuth deployment of a PSD2 service, and (S3) 48 pairs of SP-IdP supporting SSO-based Account Linking.
For all the experiments reported in the following, we use JSON as a concrete syntax of MIG-L as described in Section TEST SPECIFICATION. The reasons underlying this choice are practical, namely to simplify the development of the parser and interpreter of the language. We will soon implement a parser from the syntax presented in this work to the JSON syntax.
6.1 S1. SPID/CIE OIDC Deployment in Developers Italia
In the context of a long term collaboration with the Italian Government Printing Office and Mint (Istituto Poligrafico e Zecca dello Stato, IPZS), we contributed to the development of an extensive corpus of compliance and security tests for deployments of the SPID/CIE OIDC,13 the national digital identity solution based on the OIDC standard and leveraging the Italian electronic identity card (Carta d'Identità Elettronica, CIE). The collection of the test cases has been made available on the Github web site (at https://github.com/stfbk/mig/tree/master/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t) which offers resources
11 https://salt.security/blog/over-1-million-websites-are-at-risk-of-sensitive-information-leakage—xss-is-dead-long-live-xss
12 https://portswigger.net/burp/documentation/desktop/tools/proxy
13 https://docs.italia.it/italia/spid/spid-cie-oidc-docs
another distinctive feature of MIG-T. The column IdM is not very relevant to general purpose tools and becomes crucial for all those in the remaining categories. By contrasting column IdM with column Compl, it becomes clear that only 3 out of 20 tools (i.e. not considering the 5 in General purpose) can verify compliance and check for IdM vulnerabilities (the OauthTester [14] cannot perform either activity as it is only able to flag protocol executions that deviate from those specified in the OAuth RFC document). This means that most tools are focused on just one activity between vulnerability detection and compliance checking, contrary to MIG-T which naturally supports both, again because of its extended threat model.
The columns Active and Passive clearly show that almost all tools support just one type of tests with two notable exceptions, namely the BRM Analyzer [15] (classified as OAuth/OIDC and SAML) that supports none, as it requires manual inspection of the reports produced from SSO protocol traces to detect vulnerabilities, and OAuch [11] that supports both. As discussed above, MIG-T supports both types of tests not only for OAuth/OIDC as OAuch but also for SAML.
8 CONCLUSIONS
We presented a declarative and automated approach to test the security of IdM protocols, which are essential building blocks for securing online services and whose deployments are plagued by a consistent number of vulnerabilities despite various standardization efforts including SAML, OAuth, and OIDC. Experiments on real deployments (including a national digital identity system, a PSD2 payment service, and a number of SSO Linking solutions in web applications) confirm that automation is crucial for scalability and declarativity for considering new vulnerabilities in a rapidly evolving threat landscape.
9 ACKNOWLEDGMENTS
This work has been partially funded by (i) the project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union — NextGenerationEU, and (ii) the joint laboratory between Fondazione Bruno Kessler (FBK) and the Italian Government Printing Office and Mint, Italy (Istituto Poligrafico e Zecca dello Stato, IPZS). The work of Silvio Ranise has also been supported by the Italian Ministry of University's PRIN 2022 program under the "Postquantum Identification and Encryption Primitives: Design and Realization (POINTER)" (2022M2JLF2) project funded by the European Union — NextGenerationEU. We would like to thank the anonymous reviewers for their valuable comments that helped us to improve the quality of the paper, and Luca Compagna and Alessandro Biasi for their support and insights about MIG-L.
References
1. A. Bisegna, M. Bitussi, R. Carbone, L. Compagna, A. Sudhodanan, and S. Ranise, "CSRF-ing the SSO waves: security testing of SSO-based account linking process", 2024 IEEE European Symposium on Security and Privacy (EuroS&P), 2024.
2. A. Bisegna, R. Carbone, G. Pellizzari, and S. Ranise, "Micro-Id-Gym: A Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory", in International Workshop on Emerging Technologies for Authorization and Authentication (pp. 71-89). Cham: Springer International Publishing, 2020.
3. F. Yang and S. Manoharan, "A security analysis of the OAuth protocol", 2013 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM), 2013.
4. M.S. Toosarvandani, N. Modiri, and M. Afzali, "The risk assessment and treatment approach in order to provide LAN security based on ISMS standard", arXiv preprint arXiv:1301.1578, 2012.
5. A. Bisegna, R. Carbone, I. Martini, V. Odorizzi, G. Pellizzari, and S. Ranise, "Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices", International Journal of Information Security and Cybercrime 8, pp. 45–50, 2019.
6. A. Carmel, "Traveling with OAuth - Account Takeover on Booking.com", 2023, https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com.
7. N. Engelbertz, N. Erinola, D. Herring, J. Somorovsky, V. Mladenov, and J. Schwenk, "Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe", 12th USENIX Workshop on Offensive Technologies (WOOT 18), 2018.
8. C. Mainka, J. Somorovsky, and J. Schwenk, "Penetration testing tool for web services security", 2012 IEEE Eighth World Congress on Services, 2012.
9. V. Prasad and S. Shukla, "SAML Raider: A Burp Suite Extension for SAML Security Testing", 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering, 2018.
10. G. Bai, J. Lei, G. Meng, S. Sathyanarayan Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. Song Dong, "AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations", Proceedings of the 20th Annual Network and Distributed System Security Symposium, 2013.
11. P. Philippaerts, D. Preuveneers, and W. Joosen, "OAuch: Exploring Security Compliance in the OAuth 2.0 Ecosystem", Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, 2022.
12. A. Bisegna, R. Carbone, and S. Ranise, "Micro-Id-Gym: A Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory", in International Workshop on Emerging Technologies for Authorization and Authentication, 2021.
13. A. Sudhodanan, R. Carbone, L. Compagna, N. Dolgin, A. Armando, and U. Morelli, "Large-scale analysis & detection of authentication cross-site request forgeries", 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017.
14. R. Yang, G. Li, W. Cheong Lau, K. Zhang, and P. Hu, "Model-based security testing: An empirical study on OAuth 2.0 implementations", Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, 2016.
15. R. Wang, S. Chen, and X. Wang, "Signing me onto your accounts through Facebook and Google: A traffic-guided security study of commercially deployed Single-Sign-On web services", 2012 IEEE Symposium on Security and Privacy, 2012.