Automatic Scanning for SSO Vulnerabilities

SSOScan is a tool that can automatically check if your application has these vulnerabilities when integrating Facebook Single Sign-On (SSO).

Correctly integrating third-party services into web applications is challenging, and mistakes can have grave consequences when third-party services are used for security-critical tasks such as authentication and authorization. Developers often misunderstand integration requirements and make critical mistakes when integrating services such as single sign-on APIs. Since traditional programming techniques are hard to apply to programs running inside black-box web servers, we propose to detect vulnerabilities by probing behaviors of the system. This paper describes the design and implementation of SSOScan, an automatic vulnerability checker for applications using Facebook Single Sign-On (SSO) APIs. We used SSOScan to study the twenty thousand top-ranked websites for five SSO vulnerabilities. Of the 1660 sites in our study that employ Facebook SSO, over 20% were found to suffer from at least one serious vulnerability.

System Strcture


Vulnerabilities Checked by SSOScan


Yuchen Zhou and David Evans. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities in 23rd USENIX Security Symposium, San Diego, 20-22 August 2014.

Full paper (16 pages): [PDF]
Expanded tech report (18 pages): [PDF]

Source Code


Yuchen Zhou (University of Virginia; now at Palo Alto Networks)
David Evans (University of Virginia)