Guardians of the Clouds

Abstract

Many cloud-based services offer interfaces to Single Sign-On (SSO) systems. This helps companies and Internet users to keep control over their data: By using an Identity Provider (IdP), they are able to enforce various access control strategies (e.g., RBAC) on data processed in the cloud.On the other hand, IdPs provide a valuable single point of attack: If the IdP can be compromised, all cloud services are affected, including well-protected applications such as Google Apps and Salesforce. This increases the impact of the attack by several orders of magnitude.In this paper, we analyze the security of six real-world SAML-based IdPs (OneLogin, Okta, WSO2 Stratos, Cloudseal, SSOCircle, and Bitium) which are used to protect cloud services. We present a novel attack technique (ACS Spoofing), which allows the adversary to successfully impersonate the victim in four of these SSO systems. To complete our survey on IdP security, we additionally evaluated the security of these six IdPs against well-known web attacks, and we were successful against four of them. In summary, we were able to break all six SSO systems.We present a online penetration test tool, ACSScanner, which is able to detect ACS Spoofing vulnerabilities on arbitrary IdPs. Additionally, we discuss several countermeasures for each attack type, ranging from simple whitelisting to the signing of authentication requests, and from anti-CSRF tokens and HTTP-Only cookies to cookie-TLS-bindings. We have implemented a combination of two advanced countermeasures.