CSRF-ing the SSO waters: security testing of SSO-based account linking process

Andrea Bisegna
Center for Cybersecurity, Fondazione Bruno Kessler, Trento, Italy
a.bise[email protected]

Matteo Bitussi
Center for Cybersecurity, Fondazione Bruno Kessler, Trento, Italy
[email protected]

Roberto Carbone
Center for Cybersecurity, Fondazione Bruno Kessler, Trento, Italy
[email protected]

Luca Compagna
SAP Security Research, France
[email protected]

Silvio Ranise
Center for Cybersecurity, Fondazione Bruno Kessler and Department of Mathematics, University of Trento, Trento, Italy
[email protected]

Avinash Sudhodanan
Independent Researcher, CA, USA
[email protected]
Abstract—The Single Sign-On based account linking process (SSOLinking in short) allows users to link their accounts at Service Provider (SP) websites to their Identity Provider (IdP) accounts. We focus on a serious (and overlooked) attack, namely an Account Hijack targeting the SSOLinking and relying on two CSRF vulnerabilities, one affecting the IdP and the other the SP. The former is an Authentication CSRF (also known as Login CSRF) and the latter is a CSRF on the button triggering the SSOLinking. We propose a security testing approach to help testers automatically detect such attacks. We implemented our testing technique as an extension (namely SSOLinking Checker) to the open-source penetration testing tool Micro-Id-Gym. To demonstrate the effectiveness of our approach and the pervasiveness of the SSOLinking Account Hijack, we conducted an experimental analysis against a selection of popular SPs that offer the SSOLinking with major IdPs. The results of our experiments are alarming: out of the 648 web sites we considered, 48 qualified for conducting our experiments and 21 of these suffered from the SSOLinking vulnerability (i.e. 43.7%). Our findings (which we responsibly disclosed to the affected vendors) include severe vulnerabilities among the web sites of Goodreads, Naver, Workable, etc.
1. Introduction

More and more websites enrich their standard authentication processes with Single Sign-On (SSO) to smoothly sign in users via popular Identity Providers (IdPs) like Facebook and Google. Ensuring the security of these SSO processes is thus paramount. A little mistake in their implementation may introduce a vulnerability and jeopardize the entire authentication, sometimes even enabling an attacker to take complete control of a victim's account on a website.

For instance, Cross-Site Request Forgery (CSRF) [25] is a vulnerability that enables a malicious website to forge state-changing HTTP requests from a victim's web browser. CSRF has been known for more than 20 years and has been demoted and removed from the OWASP Top 10 list in 2017 [26], mainly because of the rollout of framework-supported defenses [17]. More recently, browser vendors rolled out SameSite cookies [24] and Fetch metadata headers [23] to further eradicate CSRF attacks. However, most of these defenses are built to ensure session binding within the workflows executed in a single website and may not be effective in SSO processes that are cross-site by construction. For instance, the recent SameSite cookies solution, enforced by major browsers like Chrome since 2020, aims to prevent certain cookies from being sent along with cross-site requests so as to invalidate these requests. But SSO processes strongly rely on cross-site requests and thus such a defense, if not disabled for the specific SSO-related cookies, would simply break the execution of the SSO processes. Protecting an SSO process against CSRF requires a careful combination of specific CSRF defenses built for the SSO process itself (e.g., the state parameter within the OAuth 2.0 protocol [21]) together with standard CSRF defenses preventing the SSO process from being unintentionally executed.

In this paper, we demonstrate that CSRF is far from being a solved problem for cross-site scenarios such as those implemented with SSO processes. On the contrary, we advocate the importance of (i) raising more awareness of CSRF issues in these scenarios as well as (ii) designing dynamic security testing techniques to support testers in detecting these issues. In our study, we focus on the SSO-based account linking process (SSOLinking, in short) and on an overlooked CSRF attack vector on SSO which was introduced by Rich Lundeen at the BlackHat conference in 2013 [22].

SSOLinking allows users to link their accounts at Service Provider (SP) websites to their IdP account. This enables these users to authenticate at SPs through an IdP account, thereby eliminating the need to maintain a separate set of credentials for each SP. This added advantage encourages SPs to support the SSOLinking process. In fact, our experiments indicate that around 13% of the top 200 SP websites implementing the standard SSO login also support SSOLinking.

The CSRF attack vector we focus on in this paper relies on two different CSRF vulnerabilities, one affecting the IdP and the other the SP. The first vulnerability is an Authentication CSRF [34]—whose well-known instance is Login CSRF [5]—at the IdP. This vulnerability enables an attacker to authenticate a victim into an attacker-controlled account at the IdP. The second one is a CSRF on the action initiating the SSOLinking process at the SP (hereinafter referred to as SSOLinking-Init-CSRF). By combining both vulnerabilities, an attacker can craft an exploit web page that authenticates the victim to an attacker-controlled IdP account and initiates the SSOLinking process to connect the attacker's IdP account to the victim's SP account. Upon successful exploitation, the attacker will be able to authenticate to the victim's SP account by executing the SSO login at the SP through the attacker's IdP account. By doing so, the attack leads to a complete account hijacking, granting the attacker full control over the victim's SP account.

Our analysis shows that 43.7% of the SPs implementing the SSOLinking feature are vulnerable to SSOLinking-Init-CSRF. By combining the two vulnerabilities, an attacker can execute an account hijack of the victim at the SP. In this paper, as mentioned earlier, we will refer to this attack as SSOLinking Account Hijack. Although this attack was discussed by Lundeen et al. in 2013 [22], it was not considered in past research that assessed the implications of CSRF attacks on the SSOLinking process (e.g., [36], [19], [37], [34]). This may have led to the lack of awareness of this attack.

We inspect the two CSRF vulnerabilities and design a testing strategy to detect them. Considering that the number of IdPs is significantly smaller than that of SPs, that a handful of very popular IdPs is serving the majority of SPs [13], and that IdPs are quite reluctant to fix Authentication CSRF, we believe it is not worth investing in an automated testing technique for IdPs. We rather opted to test manually the four most popular IdPs identified in [13] against Authentication CSRF and found out that three of them are vulnerable.

Under the assumption that IdPs may be vulnerable to Authentication CSRF, we developed an automated testing technique for SSOLinking-Init-CSRF. The technique relies on existing technologies [8] that we extended to support our testing strategy. The goal is to empower a tester at the SP, the party that is impacted by the account hijack, with a security testing technique to detect the issue at the SP side, without requiring strong security expertise. Indeed, the tester shall only provide a Selenium script that executes the SSOLinking process with a specific IdP. Writing this kind of script is common practice for web applications, as such scripts act as simple integration tests validating that the process executes as expected. Our security testing technique, which we implemented in the SSOLinking Checker prototype, runs and observes the execution of this script and performs additional automatically-generated tests in the background to check whether the process is vulnerable. When a vulnerability is detected, the SSOLinking Checker also generates an HTML Proof-of-Concept (HTML POC) webpage that allows the tester to easily reproduce the issue. This webpage is used both by SSOLinking Checker to perform the attack and as a proof for the SP to test its service.

For each major IdP, we select 12 popular SPs featuring the SSOLinking process and run SSOLinking Checker against them. The results are quite alarming: 21 out of 48 selected unique SP-IdP pairs are vulnerable to SSOLinking-Init-CSRF. We reported our findings to all the affected vendors. We are still interacting with some vendors to clarify the issues. Some of them already confirmed (and patched) the vulnerability we reported and we received some monetary rewards in the context of bug bounty programs.

These results confirm our conjecture concerning the lack of awareness and the need for security testing techniques, like those implemented in the SSOLinking Checker, to support testers.

To summarize, the contributions of this paper are as follows:

1) We propose an approach to assist a tester at the SP to automatically detect vulnerabilities enabling the SSOLinking Account Hijack. We have implemented our approach in the SSOLinking Checker prototype, based on the Burp Suite [12].

2) We demonstrate the effectiveness of our approach and the pervasiveness of the SSOLinking Account Hijack by performing an experimental analysis against a selection of popular websites that offer the SSO-based account linking process with major IdPs (48 unique SP-IdP pairs).

3) We detected and reported many CSRF vulnerabilities on prominent SPs and IdPs, enabling the SSOLinking Account Hijack:
• 3 major IdPs (namely Google, Facebook and LinkedIn) are vulnerable to Authentication CSRF;
• 21 unique SP-IdP pairs (out of 48 analyzed) are affected by SSOLinking-Init-CSRF, including Goodreads, Naver and Workable;
• We responsibly disclosed our findings and received some monetary rewards.

4) We noticed that the large majority (19/21) of the vulnerable SPs had protected their SSOLinking flow from the popular CSRF attack involving the absence (or incorrect validation) of the OAuth 2.0 state parameter. This finding indicates the importance of studies like ours to spread awareness of the SSOLinking Account Hijack.

Structure of the paper. In Section 2, we introduce some background. In Section 3 we discuss the SSOLinking process and the SSOLinking Account Hijack. Then, in Section 4, we present our approach to support SP testers. In Section 5, we describe the experimental analysis on popular IdPs and SPs, by detailing the dataset selection procedure, the methodology we followed for the analysis and the results. In Section 6, we delve into various mitigations for the prevention and detection of the SSOLinking Account Hijack. In Section 7 and Section 8, we present the responsible disclosure process and some limitations of our work, respectively. Section 9 presents some related work. We conclude and overview future work in Section 10.
2. Background

This section provides background knowledge on various types of CSRF attacks, widely-used defenses to prevent them, the testing framework we used, and obstacles to test automation.

2.1. CSRF Attacks

The Cross-Site-Request-Forgery (CSRF) attack is also known as sea surf or session riding attack, taking advantage of the inherent statelessness of the web to simulate user actions from one website to another. Typically, CSRF is used to perform actions on behalf of the attacker using the victim's authenticated session. If a victim is logged into a website, an attacker can compel the victim's browser to execute actions on the same site by sending a forged HTTP request. In the context of this work, our focus is on the cross-site case, as it involves two entities. A successful CSRF attack can be detrimental to both businesses and users, potentially leading to unauthorized fund transfers, password changes, identity theft, data theft, and the theft of session cookies. In the past, CSRF attacks were thought to only affect state-changing actions caused by authenticated users, due to the assumption that only authenticated users can perform high-impact actions, such as making purchases from one account to another.

In [5], Barth et al. introduced the concept of Login CSRF, where an attacker tricks a victim's browser into sending an HTTP request to the authentication endpoint of a website with the attacker's credentials. As a result, the victim gets authenticated as the attacker. In this scenario, the attacker can monitor the actions performed by the victim on the vulnerable website, allowing the attacker to steal sensitive information from the victim. The authors provided examples from Google and PayPal to illustrate the impact of this attack. More recently, several variants of the Login CSRF attack have been reported in the Single Sign-On (SSO) domain [9], [3].

In [34], the authors classified CSRF attacks into two categories: (i) Non-Authenticated CSRF attacks, which do not require the victim to have an authenticated session with the vulnerable website, and (ii) Authenticated CSRF attacks, which are variants that require the victim to have a valid authenticated session.

2.2. Defenses to CSRF

While there are many ways to defend websites against CSRF attacks [20], four primary approaches stand out: token-based, fetch metadata-based, SameSite cookies, and user interaction-based.

Token-Based. It helps a web site to maintain session integrity by using a secret token. The token is a unique, non-guessable value, cryptographically bound to the session identifier (e.g., using the Set-Cookie HTTP header), that is generated by the server-side application and transmitted to the browser in such a way that it is included in all the HTTP requests made by the browser. In case the HTTP request contains an invalid token, the server-side application rejects the request. The usage of CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to build a fully valid HTTP request suitable for feeding to a victim user. Since the attacker cannot determine or predict the value of a user's CSRF token, the attacker cannot build a request with all the parameters that are necessary to the application. In the case of the SSO scenario and more specifically in OAuth 2.0, the usage of the state parameter, if seeded with a secure random value, should avoid CSRF attacks. As reported in the OAuth 2.0 standard [21], the state parameter is defined as "an opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client".

Fetch Metadata-Based. The Fetch Metadata request headers stand as a cutting-edge advancement in web platform security, designed to equip servers with potent defenses against cross-origin attacks. These headers, denoted as Sec-Fetch-*, provide vital contextual data about an HTTP request, granting the receiving server the ability to proactively enforce security measures before handling the request. This feature enables developers to make informed decisions about whether to approve or decline a request, taking into consideration its origin and intended scope. This methodology guarantees that only legitimate requests originating from their own application receive responses, thereby bolstering the overall security posture. There exist other header-based CSRF defenses including Referer and Origin header validation (interested readers can refer to [29], [5], [16], [34]).

SameSite Cookies-Based. SameSite is a cookie attribute defined in [14] that enables servers to specify whether a cookie should be included in cross-site requests. It offers three options: Lax, Strict, or None. When set to Strict, the cookie is withheld from all cross-site requests, even those initiated by regular links. On the other hand, the default Lax mode permits cookies for regular links from external sources but restricts them for CSRF-prone request methods like POST. Lax mode exclusively allows cross-site requests through top-level navigation and safe HTTP methods. Additionally, when set to None, it specifies that the cookie should be sent in all contexts.

User Interaction. As proposed in [3], this defense should recognize whether a request intentionally comes from the user or not. To do so, it requires involving the user in additional steps before accepting the request. These steps could include asking the user to perform authentication again, solving a captcha, or requesting consent at the IdP side for every SSO request. This type of defense can effectively prevent CSRF attacks but may have a high impact on the user experience.
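As an added illustration (not code from the paper or from SSOLinking Checker), the Python sketch below layers three of the defenses above on the two SP endpoints involved in SSOLinking: the request fired by the account linking button (step 5 of Figure 1), which gets a session-bound token check and a Sec-Fetch-Site check, and the OAuth 2.0 callback (steps 15-16), which is cross-site by construction and therefore relies on the state parameter instead. The `Request` and `Session` classes, the endpoint names and the IdP URL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical per-process secret; a real SP would load it from its key store.
SERVER_SECRET = secrets.token_bytes(32)
# Hypothetical IdP authorization endpoint (assumption, not a real IdP URL).
IDP_AUTHZ_ENDPOINT = "https://idp.example/o/oauth2/auth"


@dataclass
class Session:
    """Server-side session of the SP user (what cookie(U,SP) resolves to)."""
    user: str
    sid: str = field(default_factory=lambda: secrets.token_hex(16))
    pending_state: Optional[str] = None


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (assumption)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


def csrf_token(session: Session) -> str:
    """Token-based defense: a value bound to the session id through an HMAC,
    so a cross-site page that does not know the victim's sid cannot forge it."""
    return hmac.new(SERVER_SECRET, session.sid.encode(), hashlib.sha256).hexdigest()


def handle_link_init(req: Request, session: Session):
    """SP endpoint behind the account linking button (step 5 of Figure 1).
    Returns (status, body_or_location)."""
    if req.method != "POST":  # a state-changing action must not be a plain GET link
        return 405, "method not allowed"
    # Fetch Metadata defense: the button lives on the SP's own pages, so the
    # initiation request is never legitimately cross-site. Browsers without
    # Sec-Fetch-* omit the header; the token check below still applies then.
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return 403, "cross-site SSOLinking initiation refused"
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session).encode()):
        return 403, "missing or invalid CSRF token"
    # OAuth 2.0 state seeded from a CSPRNG and remembered for this session only.
    session.pending_state = secrets.token_urlsafe(32)
    location = (f"{IDP_AUTHZ_ENDPOINT}?response_type=code&client_id=sp"
                f"&state={session.pending_state}")
    return 302, location


def handle_link_callback(req: Request, session: Session):
    """SP callback reached through the IdP redirect (steps 15-16 of Figure 1).
    This request is cross-site by construction, so Sec-Fetch-Site cannot be
    used here; the state parameter is what binds it to the initiating session."""
    expected = session.pending_state
    session.pending_state = None  # single use: a replayed state must fail
    received = req.query.get("state", "")
    if not expected or not hmac.compare_digest(received.encode(), expected.encode()):
        return 403, "state mismatch: callback not bound to this session"
    code = req.query.get("code")
    if not code:
        return 400, "missing authorization code"
    # Here the SP would exchange `code` at the IdP and store the link (step 16).
    return 200, f"linked IdP identity {code} to SP user {session.user}"
```

A forged initiation from another site fails either on Sec-Fetch-Site or on the token, and a callback carrying somebody else's code fails on state, which is the distinction Section 3.2 draws between the two attack vectors.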
2.3. Micro-Id-Gym

Micro-Id-Gym¹ (MIG) is an open source tool [8] used to assist system administrators and testers in the deployment and pentesting of Identity Management protocol deployments. In particular, the tool provides a plugin to support pentesting activities on SSO implementations. The pentesting tool is based on the Burp² web proxy and provides a good set of APIs to interact with. However, as we delve into fully automated testing, we encounter specific challenges, including dealing with obstacles such as captchas.

¹ https://st.fbk.eu/tools/Micro-Id-Gym.html
² https://portswigger.net/burp

2.4. Obstacles to test automation

In web applications operating in production environments where captchas are enforced, automated UI testing can present significant challenges. This is particularly evident when captchas disrupt automated penetration testing activities. The concept of captchas inherently clashes with automation, as it is primarily designed to prevent automated bots from executing actions within the application. Similarly, multi-factor authentication (MFA) often requires user involvement, adding an extra layer of complexity to automated testing. These are common obstacles faced in automated testing. While these challenges may exist within production systems, it is less likely that they are present in the testing environments utilized by software testers at the SP. Otherwise, these systems would not be very testable. To work around these issues, we manually address them, assuming that testing systems on these websites do not feature the same automation hurdles.
3. SSO-based Linking Account

The SSO-based account linking process (SSOLinking, in short) allows users to link their accounts on a website (SP) to an SSO account they own at an IdP. As a consequence, users can log in on the SP by leveraging popular IdPs for the authentication, while keeping their existing profiles on the SP. This ensures an SSO experience, besides the traditional form-based login.

Four entities take part in the protocol: the user U, controlling a web Browser, the SP and the IdP. The main steps of the protocol are reported in Figure 1 and detailed below.

(1-3) At first, U logs in on the SP website, obtaining an authenticated session identifier on the SP website (say cookie(U,SP)). The big arrows in Figure 1 represent the multiple steps required for the login process.
(4) U opens the SSOLinking page on SP, selects the preferred IdP and clicks on the account linking button.
(5) Browser sends an HTTP redirection request to SP with cookie(U,SP).
(6-7) SP redirects Browser to the IdP.
(8) IdP provides the cookie policy and asks for the credentials.
(9-10) U accepts the cookie policy and types the credentials.
(11) IdP asks for U's consent for sharing information with SP to link the U account at SP with the U account at IdP (e.g., the one reported in Figure 2).
(12-13) U provides the consent.
(14-15) IdP redirects Browser to the SP, making the user's browser send authentication data of the user on IdP (say code(U,IdP)) to the SP web site.
(16) SP confirms the linking of the U account at IdP, identified by code(U,IdP), with the U account at SP, identified by cookie(U,SP).

At the end of the process, SP links the user's IdP account with the user's existing SP account. This enables the user to log in (via SSO) to the SP account using the IdP account.

Two variants of the protocol are possible. In case Browser has an authenticated session identifier on the IdP web site (say cookie(U,IdP)), in Step 7 cookie(U,IdP) is sent from Browser to IdP in the header of the request. As a consequence, steps 8-10 (marked with a red dashed rectangle in Figure 1) are not performed. Similarly, in case the consent has already been provided by the user in a previous execution, then steps 11-13 (marked with a blue dotted rectangle in Figure 1) are not performed.

Finally, what is presented here is the classical process, but there may be variants in the implementations on SPs. For instance, some SPs may use captcha and similar mechanisms to further protect the authentication phase. Moreover, as we will detail in Section 5.3, in some SPs the account linking button does not trigger a redirection request to SP (i.e. step 5 of Figure 1), but a direct request to IdP, generated by using JavaScript from the IdP library at the SP side.

3.1. SSOLinking Account Hijack

In this paper, we focus on a severe account hijack (hereafter SSOLinking Account Hijack), reported in [22], that can be performed in the SSO-based account linking depicted in Figure 1.

We consider a classical web attacker, which (i) owns/controls a (malicious) website (attack website), (ii) is capable of forging HTTP requests from the victim's web browser (e.g., by making the victim visit a link), and (iii) creates accounts at the target SP and the target IdP. In addition, we assume that the victim user has an active session on SP (obtained by authenticating themselves at the target SP through the traditional form-based login).

Then, we consider the following assumptions on SP and IdP:

(A1) IdP suffers from an Authentication CSRF vulnerability (a.k.a. login-CSRF, i.e., due to a missing CSRF protection, an attacker can force-login the victim to an attacker-controlled account on the IdP) and,
(A2) IdP-seamless: IdP has the SSO flow seamless (i.e., no IdP interface is shown) if the user has already logged in at the IdP. This means that steps 8-13 inside the red and blue rectangles in Figure 1 are not performed.
(A3) SP suffers from an SSOLinking-Init-CSRF vulnerability, namely the account linking button at the SP is vulnerable to CSRF.
(A4) SP enables U to log in (via SSO) using the IdP account.

The steps to reproduce the attack are as follows. The attacker a plays the role of U and executes SSOLinking (by using its own credentials). In particular, it provides the consent to link an account at SP with its own account at IdP (step 12). Then the attacker unlinks its IdP account from its SP account.

The victim v —playing the role of U and having an active session with the SP (i.e. Browser owns cookie(v,SP))— visits the malicious website owned by the attacker and clicks on:
• a link (exploiting the Authentication CSRF vulnerability at IdP and IdP-seamless) to be (transparently) authenticated in the IdP as the attacker a (thus, setting cookie(a,IdP) on the Browser of v);
• a link (exploiting the SSOLinking-Init-CSRF vulnerability at SP) to send an HTTP redirection request to SP. As a consequence, Browser automatically includes cookie(v,SP) (step 5, Figure 1). Then, SP redirects Browser to IdP (step 7) and Browser sends cookie(a,IdP) to IdP (variant of steps 8-10).

As a result, the attacker a's account at IdP, identified by code(a,IdP), is linked with the victim's account at SP, identified by cookie(v,SP).

Figure 1: The SSO-based account linking.

In case (A4) holds, namely SP enables U to log in via SSO using the IdP account (that is, the attacker's account), the impact of this attack is severe because the attacker's level of access to SP is identical to the legitimate user's. The attack results in a complete account hijack, meaning the attacker gains full control over the victim's account.

In addition, the attack remains "invisible": while preparing the links, the attacker should properly set the values of the target attribute (e.g., _blank), telling the browser to open the link in new (tiny) windows, which may easily go unnoticed by the user. Also, as revealed by our analysis, usually SPs neither notify users about other devices or active sessions nor allow users to see all the active sessions.

3.2. Comparison with another SSOLinking Account Hijack

It is interesting to note that there is a similar CSRF attack vector on the SSOLinking, leading an attacker to hijack the account of the victim. This attack is much more studied compared to the previous one (for instance, it is described as Attack #10 in [34] and in [3]). The steps to reproduce this attack are as follows. The attacker a plays the role of U and executes SSOLinking (by providing its own credentials) until step 14 of Figure 1. Then, a intercepts the Authorization code response with code(a,IdP) and forces a victim user v (when the victim visits an attacker-controlled website) to send it to SP. Assuming that v has an active session with SP, Browser sends cookie(v,SP) to SP as well (cf. step 15). As a result, the account of a at IdP is linked with the account of the victim at SP. This is exactly the same result as the attack reported in Section 3, but this attack exploits an incorrect CSRF protection in SSO callback endpoints (cf. Sections 2.2 and 9), while the previous one exploits a missing CSRF protection in the SSO initiation request (besides the Authentication CSRF affecting the IdP). The need for CSRF protection in SSO callback endpoints is well-known and SSO protocols already offer solutions for that (e.g., the state parameter in OAuth 2.0). On the contrary, missing CSRF protection in the initial request of SSOLinking, leading to the SSOLinking Account Hijack, is understudied, as also pointed out by our study.
4. Ou App oach
Exploi ing he SSOLinking Accoun Hijack p esen ed
in he p e ious sec ion elies hus on wo ulne abili-
ies: an Au hen ica ion CSRF on he IdP side and an
SSOLinking-Ini -CSRF on he SSO-based accoun linking
p ocess on he SP side. The Au hen ica ion CSRF has
been s udied in a ious wo ks [5], [34], [6] and many
o such ulne abili ies ha e been epo ed, also o IdPs.
Howe e , in mos o he cases he IdP op ed o no ix
such a ulne abili y o allow use s o make use o he one-
click login ea u e. I Au hen ica ion CSRF ulne abili ies
a e no ixed, hen in es ing u he e o in de eloping
es ing echniques o his is no so wo h. We alida ed
Figu e 2: Consen dialog shown by an IdP (Google) o
an SP (Good eads).
hese wo hypo hesis—(I1) IdPs end o be ulne able o
Au hen ica ion CSRF and (I2) IdPs end o be eluc an
o ix hese ulne abili ies—in a speci ic expe imen o e
he ou majo IdPs iden i ied in [13]. The esul s o his
expe imen a e de ailed in Sec ion 5.3.1 and con i m ou
hypo hesis.
The CSRF ulne abili ies unde lying ou a ack ec-
o , when analysed in isola ion wi hin one pa y’s (ei he
SP’s o IdP’s) bounda y, may be judged as less-c i ical.
Fo ins ance, an IdP may conside Au hen ica ion CSRF
ulne abili ies as low p io i y as he ic im will likely
no ice ha hey a e logged in a he w ong accoun .
Simila ly, he SP may conside SSOLinking-Ini -CSRF
as non-c i ical, as he IdP will show a consen dialog
(simila o he one shown in Figu e 2) and p e en he
SSO low om p oceeding ( o p e iously-unlinked IdP
accoun s). The unde es ima ion o hese ulne abili ies has
led o an in e es ing and dange ous scena io whe e IdPs
ha e been in oducing ea u es ha aid Au hen ica ion
CSRF and SPs ha e no been pa ching SSOLinking-Ini -
CSRF ulne abili ies. Fo ins ance, popula IdPs including
Facebook, Ins ag am, and LinkedIn ha e in oduced he
one-click login ea u e ha allows use s o login o hei
IdP accoun by isi ing a URL. These URLs a e ideal
payloads o Au hen ica ion CSRF a acks.
In ou app oach we hus assume ha websi es and,
mo e speci ically, IdPs can be ulne able o Au hen ica ion
CSRF. Unde his assump ion we design a es ing ech-
nique o de ec he SSOLinking Accoun Hijack on he
SP side. Manual es ing o his a ack equi es secu i y
expe ise, is e o -p one, and canno be e icien ly e-
pea ed on egula basis. In-line wi h CI/CD bes -p ac ices,
we belie e websi e de elope s conduc egula unc ional
eg ession es s, any ime changes a e implemen ed. Ou
ision is hus o empowe de elope s wi h au oma ed
secu i y es s upon he unc ional ones: de elope s c ea e a
unc ional es o SSOLinking, and SSOLinking Checke
can hen execu e he secu i y es s and accu a ely epo
ulne abili ies.
Figu e 3 p esen s ou app oach. The Tes e a he SP
p o ides as inpu a Selenium sc ip (s1) whose use ac ions
(e.g., click on a bu on) a e un o execu e SSOLinking.
The HTTP messages ( eques s and esponses) gene a ed
while execu ing he use ac ions a e collec ed by he P oxy
and e ie ed by ou checke ia he P oxy API. Nex , he
“A ack s eps in e ence” module in e s, om he execu ion
o (s1) and om he e ie ed HTTP messages, he a ack
s eps o be un o de ec he SSOLinking Accoun Hijack
a his speci ic SP. These a ack s eps a e sa ed as a new
Selenium sc ip (s2). Among he ac ions in (s2) some
ela e wi h he IdP used o SSOLinking. These a e c ea ed
by he “A ack s eps in e ence” module by means o he
“IdPs me ada a”, a li le da abase popula ed o line by us
wi h he me ada a o he majo IdPs and easily ex endible
o o he IdPs. Also, one o he ac ion in (s2) equi es an
HTML o m o send a speci ic c oss-si e HTTP eques
o he SP. This o m is gene a ed by he “HTML POC
Gene a o ” module. I he a ack s eps in (s2) a e all
success ully execu ed, hen he SP is epo ed ulne able
o he Tes e . Besides p esen ing he e dic o he a ack
(success ul o no ), he ou pu also comp ises a p oo -o -
concep o he a ack (i he a ack was success ul), and
a log ile wi h he en i e HTTP a ic. This in o ma ion
enables he Tes e o d ill-down in o he de ails o he es
as well as o ep oduce he a ack.
We p o ide he ea e mo e de ails abou he key
pa s o ou app oach and i s implemen a ion wi hin ou
SSOLinking Checke .
4.1. Inpu Selenium Sc ip
The inpu Selenium sc ip (s1) is jus a UI in eg a-
ion es ha es e s a e used o c ea e o web appli-
ca ions [32]. Indeed, (s1) jus comp ises he use ac-
ions o unc ionally execu e wi h he B owse he en i e
SSOLinking p ocess in an au oma ed way a any ime, so
o be ce ain he p ocess is wo king as expec ed. We
can decompose (s1) in 4 main pa s: Login a SP, Link
accoun s, Asse , and Unlink accoun s. Le us discuss each
one o hem, also p esen ing some eal examples.
Login a SP. This comp ises he use ac ions o login a
es ing use a he SP (c . s ep 1 in Figu e 1). We illus a e
an example o he Daily Mail websi e in Lis ings 1. The
Daily Mail login page is opened and he cookie policy
accep ed. Then email and passwo d a e illed-in and he
login bu on clicked.
1open | h ps://www.dailymail.co.uk/ egis a ion/login.h ml |//opens login page
2click | xpa h=/h ml/.../di /bu on[2] | //accep s he cookie policy
3click | xpa h=/h ml/.../di [2]/inpu | //clicks on email ex ield
4 ype | xpa h=/h ml/.../di [2]/inpu | [email p o ec ed] // ypes he email
5click | xpa h=/h ml/.../di [3]/inpu | //clicks on passwo d ex ield
6 ype | xpa h=/h ml/.../di [3]/inpu | 12345678 // ypes he passwo d
7click | xpa h=/h ml/.../di [5]/bu on | //clicks he login bu on
Lis ing 1: Login a SP - Daily Mail example.
Link accoun s. This includes he use ac ions o link he
es ing use accoun as au hen ica ed a he SP wi h he
one a he IdP (c . s eps 4, 9, and 12 in Figu e 1). We
con inue he example o he Daily Mail websi e (SP)
when linking accoun s wi h Twi e (IdP) in Lis ings 2.
The Selenium commands a e iden ical o he ones in he
p e ious lis ing and he commen s desc ibe each use
ac ion. No e, howe e , ha he c eden ials o a es ing
use a he IdP a e p o ided wi hin he ac ions and easily
e ie able in ou app oach. We use <email-idp> and
<passwo d-idp> o e e o hese e ie ed c eden-
ials.
1open | h ps://www.dailymail.co.uk/ egis a ion/p o ile/edi .h ml | //opens
accoun page
2click | xpa h=/h ml/.../li[1]/a | //clicks on Twi e link accoun bu on
(a) A chi ec u e (b) P ocess (c) Collec ion o
IdPs me ada a.
Figu e 3: High le el iew o ou app oach.
3click | xpa h=/h ml/.../bu on[2] | //accep s Twi e cookies
4click | id=email | //clicks on email ex ield
5 ype | id=email | [email p o ec ed] // ypes he email o use on IdP, <email-idp>
6click | id=pass | //clicks on passwo d ex ield
7 ype | id=pass | abcde gh // ypes he passwo d on IdP, <passwo d-idp>
8click | id=loginbu on | //clicks he login bu on
9click | xpa h=/h ml/.../di | //clicks o gi e consen o link accoun s
Lis ing 2: Link accoun s - Daily Mail wi h Twi e .
Asse . Now ha he linking be ween accoun s should
be done, he Tes e wan s o be su e his was comple ed
success ully. Asse ions p o ide an easy way o se he
expec a ions o he UI es . Lis ing 3 p esen s he asse -
ions o ou example on linking accoun s be ween Daily
Mail (SP) and Twi e (IdP). The idea is e y simple: he
accoun p o ile is accessed and he ac ha he linking
bu on wi h Twi e is no he e allows o de i e ha he
linking was al eady done.
1open | h ps://www.dailymail.co.uk/ egis a ion/p o ile/edi .h ml | // e-opens
accoun page o @asse ion pu poses
2asse no clickable | xpa h=/h ml/.../di /a | // e i ies he no a ailabili y
o he accoun linking bu on wi h Twi e
Lis ing 3: Asse - Daily Mail wi h Twi e .
Unlink accoun s. The Inpu Selenium Sc ip shall be
epea able, so o enable he Tes e o es he p ocess
any ime. To do so (s1) is comple ed wi h a ese p ocess o
unlink he accoun s. Indeed, i he accoun s s ay linked,
hen he p e ious pa s o he sc ip would simply ail.
Lis ing 4 comple es ou sc ip example and illus a es he
use ac ions o unlink he use accoun a Daily Mail om
he accoun on Twi e .
open | https://www.dailymail.co.uk/registration/profile/edit.html | //re-opens account page
click | xpath=/html/.../div/a | //clicks unlink account button for Twitter
click | xpath=/html/.../span/a[2] | //confirms to unlink the accounts
Listing 4: Unlink accounts - Daily Mail with Twitter.
4.2. IdPs metadata
Our approach relies on a small amount of metadata per IdP. Collecting it is an offline activity that requires little effort, and a few researchers can share the work of collecting the metadata of many IdPs (cf. Figure 3-(c)).
host: twitter.com
redirect: [/o/oauth2/auth]
login:
  open | https://www.twitter.com | //access Twitter
  click | xpath=/html/body/div[3]/.../button[2] | //clicks to authenticate
  click | id=email | //clicks on email text field
  type | id=email | <email-idp> // types the email
  click | id=pass | //clicks on password text field
  type | id=pass | <password-idp> // types the password
  click | id=loginbutton | //clicks the button
Listing 5: IdP metadata - Twitter.
Supporting a new IdP is straightforward: three pieces of information about the IdP are appended to the IdPs metadata database. They are described below, and Listing 5 presents a complete example for the Twitter IdP.
(1) IdP Host (host). Simply the host name of the IdP.
(2) IdP Redirection Signature (redirect). The list of patterns that our approach uses to recognise the redirection response with which the SP sends the browser to the specific IdP host. In most cases this entry is something like dialog/oauth. It is referred to as the macro <IdP_redirection> in lines 3 and 5 of Listing 6.
(3) IdP Login (login). The Selenium actions that log the user in at the IdP, referred to as the macro <IdP_login_act> in Listing 6. The user credentials are not hardcoded but given as macros; recall that our approach extracts them automatically from the "Link Accounts" fragment of (s1).
4.3. Infer the attack steps
While the Selenium script (s1) is executed, the "Attack steps inference" module infers the attack steps needed to detect the SSOLinking Account Hijack at the specific SP and saves them in a new Selenium script (s2). The inference relies on MIG-L, a new component that we introduced to extend the open-source platform MIG [7]. MIG-L is a specification language in which the tests executed by MIG are expressed; it allows, e.g., new Selenium scripts to be created and run on the fly by processing the execution of other Selenium scripts.
1  run($s1) // runs Selenium script (s1)
2  // Inference begin
3  mark($L,<IdP_redirection>)
4  save_act([1,index($L)),$SP_login_act)
5  save_msg(<IdP_redirection>,$SP_acc)
6  save_host($SP_acc,$IdP_host)
7  save_poc($SP_acc,$POC)
8  mark($A,contains{assert,@assertion})
9  save_act($A,$SP_assert)
10 add($s2,$SP_login_act)
11 add($s2,get_idp_login($IdP_host,<IdP_login_act>))
12 add($s2,"open | http://localhost/"+$POC)
13 add($s2,"click | id=SSOLinking")
14 add($s2,"wait | 2000")
15 add($s2,$SP_assert)
16 // Inference end
17 run($s2) // runs Selenium script (s2)
18 result($s2) // computes the result: vulnerable if (s2) was successfully executed
Listing 6: Test procedure for SSOLinking Account Hijack with inference procedure.
Listing 6 is the procedure, written in MIG-L, that tests for the SSOLinking Account Hijack at any SP. The first run command executes the Selenium script (s1). The inference procedure then starts and proceeds line by line as follows.
Line 3. The inference procedure observes the HTTP messages exchanged while (s1) runs and marks with L the user action of (s1) whose HTTP messages contain the value of the macro <IdP_redirection>, taken from the IdPs metadata database.
Line 4. All user actions of (s1) from the first up to, but excluding, the one marked with L (the closing round bracket denotes the exclusion) are saved into the variable $SP_login_act. These actions capture the login activity at the SP.
Lines 5-7. The first HTTP request whose response contains the macro <IdP_redirection> is saved into the variable $SP_acc: this is the request that initiates the SSOLinking at the SP. The host to which the response redirects is saved into $IdP_host, and an HTML POC is generated by the "HTML POC Generator" module. The POC, whose file path is saved into $POC, is what later sends a cross-site request mimicking the original one (see Section 4.4).
Lines 8-9. All user actions of (s1) that contain either of the keywords assert or @assertion (the latter as a comment) are marked with A and saved into the variable $SP_assert.
Lines 10-15. The new Selenium script (s2) can now be built. First, the SP login actions saved in $SP_login_act are added. Then the IdP login actions are added; these are taken from the IdP metadata entry selected by $IdP_host and are referred to as <IdP_login_act>. In the real attack the victim would be logged in to the attacker's IdP account through the IdP's Authentication CSRF; the test procedure performs that IdP login directly and relies on the IdP-side hypotheses of Section 4, which Section 5.2 validates manually. Three further Selenium commands follow: the first opens the local HTML POC page (its path depends on $POC), the second submits the cross-site request, and the third waits so that the SP has time to process that request. Last, the assertions collected in $SP_assert are appended.
Once the inference has completed and (s2) exists, the test procedure runs (s2) (line 17) and checks its result (line 18). If every Selenium action in (s2) executes successfully, the SP is vulnerable (more details in Section 4.5).
4.4. Generate the HTML POC
This module generates the proof-of-concept form that carries the CSRF exploit used to probe the SSOLinking-Init-CSRF. It creates an HTML page with a form that re-sends the HTTP request saved in $SP_acc, adapted so that it can be issued from a cross-site page. The page and the form depend on the HTTP method of $SP_acc: for a GET request the form simply requests the original URL, while for a POST request the content type and the body are reproduced as well. Whether the browser attaches the victim's SP session cookie to this cross-site request depends on the cookie's SameSite attribute [24]: a Lax cookie is still sent on a top-level GET navigation but not on a cross-site POST, so a linking endpoint triggered by GET remains exploitable in cases where a POST one may not.
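As an added illustration of the inference of Section 4.3 and the POC generation of Section 4.4 (written for this page; it is not code from SSOLinking Checker or Micro-Id-Gym), the following Python sketch runs lines 3-15 of Listing 6 over a constructed (s1) and HTTP log and emits the HTML form. The IdP host idp.example, its redirect pattern /oauth2/authorize, the element ids, the SP URLs and the logged exchange are all assumptions; where MIG-L writes the POC to a file path in $POC, the sketch returns the POC markup directly.

```python
"""Inference of the hijack test script (s2) from the tester's script (s1)
and its HTTP log, plus HTML POC generation (Sections 4.3 and 4.4).
Added illustration for this page, not code from SSOLinking Checker or
Micro-Id-Gym; every host, element id, URL and message below is constructed."""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# IdP metadata database in the shape of Listing 5 (host/redirect are assumptions).
IDP_METADATA = {
    "idp.example": {
        "redirect": ["/oauth2/authorize"],
        "login": ["open | https://idp.example | //access the IdP",
                  "type | id=email | <email-idp> // types the email",
                  "type | id=pass | <password-idp> // types the password",
                  "click | id=loginbutton | //clicks the login button"],
    }
}


def is_assertion(line):
    """Lines 8-9 of Listing 6: an assert* command or an @assertion comment."""
    command = line.split("|", 1)[0].strip()
    comment = line.rsplit(" //", 1)[1] if " //" in line else ""
    return command.startswith("assert") or "@assertion" in comment


def html_poc(request):
    """Section 4.4: a page whose form replays `request` cross-site.  A GET's
    query string and a urlencoded POST's body become hidden inputs; a plain
    form cannot set other content types (e.g. JSON), so those are refused."""
    method = request["method"].upper()
    url = urlsplit(request["url"])
    if method == "GET":
        action = url._replace(query="").geturl()
        fields = parse_qsl(url.query, keep_blank_values=True)
    else:
        ctype = request.get("content_type", "application/x-www-form-urlencoded")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("an HTML form cannot replay content type " + ctype)
        action = request["url"]
        fields = parse_qsl(request.get("body", ""), keep_blank_values=True)
    inputs = "".join(f'  <input type="hidden" name="{escape(k)}" value="{escape(v)}">\n'
                     for k, v in fields)
    # The submit button carries the id that line 13 of Listing 6 clicks.
    return (f'<form method="{method}" action="{escape(action)}">\n{inputs}'
            '  <input type="submit" id="SSOLinking" value="Link accounts">\n</form>\n')


def infer_s2(s1, http_log, metadata=IDP_METADATA):
    """Lines 3-15 of Listing 6.  An http_log entry is {"action": <index of the
    s1 line that produced it>, "request": {...}, "response": {"headers": {...}}}.
    Returns None if no response redirects to a known IdP with a redirect pattern."""
    marked = None
    for msg in http_log:                            # line 3 and lines 5-6
        target = urlsplit(msg["response"].get("headers", {}).get("Location", ""))
        idp = metadata.get(target.hostname)
        if idp and any(p in target.path for p in idp["redirect"]):
            marked, sp_acc, idp_host = msg["action"], msg["request"], target.hostname
            break
    if marked is None:
        return None
    sp_login_act = s1[:marked]                      # line 4: [1, index(L)) excludes L
    sp_assert = [a for a in s1 if is_assertion(a)]  # lines 8-9
    poc = html_poc(sp_acc)                          # line 7
    s2 = (sp_login_act                               # line 10
          + metadata[idp_host]["login"]              # line 11: <IdP_login_act>
          + ["open | http://localhost/poc.html | //opens the HTML POC page",
             "click | id=SSOLinking | //submits the cross-site request",
             "wait | 2000 | //gives the SP time to process it"]
          + sp_assert)                               # line 15
    return {"s2": s2, "sp_acc": sp_acc, "idp_host": idp_host, "poc": poc}


# Constructed (s1) in the style of Listings 2 and 3, and the one logged
# exchange that matters: the click on the link button redirects to the IdP.
S1 = [
    "open | https://sp.example/login | //opens the SP login page",
    "type | id=user | tester@sp.example // SP username (constructed)",
    "type | id=pwd | sp-password // SP password (constructed)",
    "click | id=login | //logs in at the SP",
    "open | https://sp.example/profile/edit | //opens the account page",
    "click | id=link-idp | //clicks the link-account button",
    "click | id=approve | //gives consent at the IdP",
    "open | https://sp.example/profile/edit | //re-opens account page for @assertion purposes",
    "assertNotClickable | id=link-idp | //the link button is gone once linked",
]
HTTP_LOG = [{
    "action": 5,
    "request": {"method": "GET",
                "url": "https://sp.example/account/link?provider=idp&next=%2Fprofile"},
    "response": {"status": 302, "headers": {
        "Location": "https://idp.example/oauth2/authorize?client_id=sp&state=x"}},
}]

if __name__ == "__main__":
    result = infer_s2(S1, HTTP_LOG)
    print("\n".join(result["s2"]), result["poc"], sep="\n")
```

The consent click of (s1) is deliberately absent from (s2), exactly as in Listing 6: (s2) consists of the SP login, the IdP login, the POC steps and the assertions. The POC uses an explicit submit button rather than auto-submitting script so that the Selenium step "click | id=SSOLinking" is the one that fires the cross-site request; refusing non-urlencoded bodies is what keeps the generator honest, since a linking endpoint that only accepts JSON cannot be replayed by a plain form and would otherwise yield a false negative for the wrong reason.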
4.5. Output
The output of our testing approach comprises three elements. The first is the test result, i.e. the verdict on whether the attack succeeded. If all user actions of (s1) and all those generated for (s2) execute successfully, the attack is successful. If some user action of (s2) fails (e.g., an unexpected page is displayed, or an element that should be clicked is not present in the page), the attack is unsuccessful. The second element is the HTML POC, useful to reproduce the attack when it is reported. The third is a log file with all the HTTP messages saved during the execution of the test.
The key to avoiding false positives and false negatives is to define correctly the Selenium assertions that determine a successful SSOLinking (see Section 4.1). That said, some tests may still fail because of network problems, CAPTCHA challenges and other reasons, but such occurrences are detectable within our approach.
4.6. Implementation
We implemented our approach as SSOLinking Checker, an extension of Micro-Id-Gym [7]. It is written in Java and uses the API of the widely used penetration testing tool Burp to perform standard proxy operations such as collecting HTTP traffic in order to search for specific HTTP messages, setting proxy rules to alter the traffic, etc. To specify the procedure that infers the attack steps, we used the JSON version of MIG-L, an equivalent variant of the language described in Section 4.3 that MIG currently supports. The source code, installation guide and tutorial of our prototype are publicly available at [1].
5. Experimental analysis
We demonstrated the effectiveness of our approach and the pervasiveness of the SSOLinking Account Hijack on a selection of popular websites featuring the SSO-based account linking process with major IdPs (48 unique SP-IdP pairs). Our approach found 21 of the 48 analyzed SP-IdP pairs to be vulnerable. In the rest of this section we detail the selection of the major IdPs and popular websites used in our experiments (Section 5.1), the methodology we followed (Section 5.2), and the results obtained (Section 5.3).
5.1. Dataset selection
We selected 4 major IdPs and, for each of them, 12 SPs supporting both the SSO-based account linking process and SSO login with an account at that IdP. Our selection leverages the dataset released in 2018 by [13], whose authors crawled the most popular one million websites to infer whether they integrate an SSO login process. This is valuable information for our study, since websites featuring SSO-based account linking are clearly a subset of those offering SSO login. Even if some of the data in [13] is by now outdated, this did not affect our study and we were able to select our candidates easily. Listing 7 reports an example entry of the dataset from [13]. Each entry specifies in the field sso which IdPs the website is inferred to use (if any); in this example, workable.com is inferred to offer SSO login with the Google and LinkedIn IdPs.
{ "rank": "4824",
  "url": ["https://www.workable.com/signin",
          "http://workable.com",
          "https://www.workable.com/signup",
          "https://www.workable.com/"],
  "sso": ["google", "linkedin"],
  "redir_from": [] }
Listing 7: Entry (excerpt) from [13].
For each IdP mentioned in the 2018 dataset we counted how many websites made use of it and selected the 4 IdPs with the highest number of occurrences. Table 1 presents the candidate IdPs with the number of occurrences reported for each of them. The IdPs selected for our experimental analysis are therefore Facebook, Google, Twitter and LinkedIn.
For each selected IdP we then proceeded to select 12 SPs offering SSO-based account linking with that IdP. We went through the website entries in which the IdP occurs, one by one in the ranking order of the 2018 dataset, and manually checked whether the website implements the SSO-based account linking process with that IdP. As shown in Table 2, we manually analyzed a corpus of 648 SPs and found 67 websites supporting SSO-based account linking with the selected IdPs. Among these 67 SPs we discarded 19: 14 because of web issues that occurred while executing the process and 5 because of automation detection. By web issues we mean problems in the SP website, e.g., broken pages and links during the account linking or unlinking process. By automation detection we mean SPs that, e.g., identify the use of Selenium libraries to automate browser actions as bot activity and deny access to the website. The selection procedure ended with 12 fully working SPs for each selected IdP.
Some of these SPs appear in our dataset with more than one IdP; for instance, sp4 is paired with the Facebook, Google and Twitter IdPs. In total, we tested 48 SSOLinking processes (i.e. unique SP-IdP pairs) involving 37 different SP websites.
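As an added example of the selection procedure just described (written for this page, not the authors' selection scripts): count IdP occurrences over entries in the format of Listing 7, take the four most frequent IdPs, and walk each IdP's websites in ranking order, which is the sequence the manual SSOLinking check follows. The entries are constructed, so the counts are not those of Table 1; the workable.com entry is an abbreviated copy of Listing 7 and the other hosts are made up.

```python
"""IdP and SP candidate selection over a dataset in the format of Listing 7.
Added example for this page, not the authors' scripts; the entries below are
constructed, so the counts are not those of Table 1."""
import json
from collections import Counter

# Constructed excerpt in the shape of the 2018 dataset (rank, url, sso, redir_from).
DATASET_JSON = """[
 {"rank": "4824", "url": ["https://www.workable.com/signin", "http://workable.com"],
  "sso": ["google", "linkedin"], "redir_from": []},
 {"rank": "12", "url": ["https://sp-a.example/"], "sso": ["facebook", "google"], "redir_from": []},
 {"rank": "300", "url": ["https://sp-b.example/"], "sso": ["twitter"], "redir_from": []},
 {"rank": "7", "url": ["https://sp-c.example/"], "sso": [], "redir_from": []},
 {"rank": "58", "url": ["https://sp-d.example/"], "sso": ["facebook", "yahoo"], "redir_from": []}
]"""


def load_entries(text=DATASET_JSON):
    return json.loads(text)


def idp_occurrences(entries):
    """IdP -> number of websites inferred to offer SSO login with it
    (an IdP is counted once per website even if an entry lists it twice)."""
    return Counter(idp for e in entries for idp in dict.fromkeys(e.get("sso", [])))


def top_idps(entries, k=4):
    """The k IdPs with the most occurrences; ties are broken by name so the
    choice is deterministic."""
    counts = idp_occurrences(entries)
    return sorted(counts, key=lambda idp: (-counts[idp], idp))[:k]


def sp_candidates(entries, idp):
    """Websites listing `idp`, in ranking order (lowest rank number first):
    the sequence walked manually, checking for SSOLinking with that IdP,
    until 12 working SPs are found.  The first URL identifies the SP."""
    using = [e for e in entries if idp in e.get("sso", [])]
    return [e["url"][0] for e in sorted(using, key=lambda e: int(e["rank"]))]


if __name__ == "__main__":
    entries = load_entries()
    counts = idp_occurrences(entries)
    for idp in top_idps(entries):
        print(idp, counts[idp], sp_candidates(entries, idp))
```

Counting each IdP once per website matters because the crawl may list the same IdP under several of a site's URLs; without the deduplication an SP with many login pages would inflate its IdP's count.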
TABLE 1: IdP candidates.
IdP Name    Occurrences
Facebook         43,333
Google           26,186
Twitter          12,465
LinkedIn          3,939
Amazon            1,459
Yahoo             1,924

TABLE 2: SPs selection per IdP.
IdP        SPs per IdP   SPs with SSOLinking   SPs with issues (Web)   SPs with issues (Autom.)
Facebook            61                    18                       4                          2
Google             128                    12                       0                          0
LinkedIn           371                    24                       9                          3
Twitter             88                    13                       1                          0
Total              648                    67                      14                          5

5.2. Methodology
Here we describe the methodology we followed to perform the experiments on our selected dataset.
First of all, we set out to validate the two hypotheses (I1) and (I2) that our approach makes about IdPs (cf. Section 4). We manually analysed the four IdPs in our dataset against the Authentication CSRF and found that three of them are vulnerable and do not plan to fix the problem. More details are given in Section 5.3.1.
While analysing the IdPs we also collected the few IdP metadata required by our approach (cf. Listing 5, which shows one such entry in full). The metadata for all four IdPs (Facebook, Google, Twitter and LinkedIn) is available at [1].
The last step of our methodology evaluates the pervasiveness of the SSOLinking Account Hijack. To this end, we ran our SSOLinking Checker against the 48 SP-IdP pairs in our dataset. For each pair, we played the role of a tester at the SP and created the Selenium script that executes the SSO-based account linking process.
In doing so, we registered users on the SP websites manually and followed the steps described in our approach (see Section 4). To reduce the manual effort, and thereby increase the number of SPs we could analyse, we also explored the more challenging option of leveraging state-of-the-art automation tools to register the users and execute the SSOLinking automatically, so as to generate the Selenium script. We first explored Shepherd [15], a tool for basic website authentication; it lacks support for automated registration and relies on credentials available or leaked on the web, which makes it unsuitable for our experiments. We then experimented with xdriver-open [11], a tool also designed to assist in website authentication, but it did not succeed in completing registrations on most websites in our dataset [13].
All the scripts are available at [1]. Our SSOLinking Checker detected the account hijack in almost 50% of our dataset. More details are given in Section 5.3.2, while responsible disclosures and confirmations from the vulnerable SPs are discussed in Section 7. All in all, our results indicate that this attack may indeed be overlooked by the web community.
5.3. Results
We report here the results obtained by following the experiments described in our methodology.
5.3.1. Manual testing of the IdPs. We manually analysed the four IdPs in our dataset to validate our two hypotheses:
(I1) IdPs tend to be vulnerable to Authentication CSRF;
[24] Mozilla. SameSite cookies. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
[25] OWASP. Cross Site Request Forgery (CSRF). https://owasp.org/www-community/attacks/csrf.
[26] OWASP. What changed from 2013 to 2017? https://owasp.org/www-project-top-ten/2017/Release_Notes.
[27] Giancarlo Pellegrino and Davide Balzarotti. Toward black-box detection of logic flaws in web applications. In NDSS, volume 14, pages 23–26, 2014.
[28] Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczyński, and Wouter Joosen. Tranco: A research-oriented top sites ranking hardened against manipulation. arXiv preprint arXiv:1806.01156, 2018.
[29] Open Web Application Security Project. Cross-Site Request Forgery Prevention Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html.
[30] Ethan Shernan, Henry Carter, Dave Tian, Patrick Traynor, and Kevin Butler. More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9148, DIMVA 2015, pages 239–260, Berlin, Heidelberg, 2015. Springer-Verlag.
[31] Marco Squarcina, Pedro Adão, Lorenzo Veronese, and Matteo Maffei. Cookie Crumbles: Breaking and Fixing Web Session Integrity. In 32nd USENIX Security Symposium (USENIX Security 23), pages 5539–5556, 2023.
[32] Srisree. Getting started with Selenium: Guide to automated UI testing. https://www.divami.com/blog/selenium-guide-to-automated-ui-testing/.
[33] Avinash Sudhodanan, Alessandro Armando, Roberto Carbone, and Luca Compagna. Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications. In NDSS, 2016.
[34] Avinash Sudhodanan, Roberto Carbone, Luca Compagna, Nicolas Dolgin, Alessandro Armando, and Umberto Morelli. Large-scale analysis & detection of authentication cross-site request forgeries. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pages 350–365. IEEE, 2017.
[35] San-Tsai Sun and Konstantin Beznosov. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 378–390, 2012.
[36] Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, David Evans, and Yuri Gurevich. Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization. In 22nd USENIX Security Symposium (USENIX Security 13), pages 399–314, Washington, D.C., August 2013. USENIX Association.
[37] Ronghai Yang, Guanchen Li, Wing Cheong Lau, Kehuan Zhang, and Pili Hu. Model-based security testing: An empirical study on OAuth 2.0 implementations. In Proceedings of the 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS '16, pages 651–662, New York, NY, USA, 2016. Association for Computing Machinery.