| Presentation | 2023-11-17 Proposal for a Test Tool Enabling Programmatic Description of Test Scenarios in OpenID Connect Junki Yuasa, Taisho Sasada, Yuzo Taenaka, Youki Kadobayashi, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Single sign-on (SSO) is a mechanism that allows users to log in to multiple web services with single-user authentication, thereby reducing the burden of account management. However, in OpenID Connect (OIDC), the most widely used SSO protocol, vulnerabilities are not only caused by implementations that deviate from the OIDC specification but also by parts not defined in the specification, making vulnerability management difficult. In order to find such implementation vulnerabilities, several scenario-based testing tools have been proposed in existing studies. However, existing scenario-based testing tools lack customizability of scenarios and can only detect vulnerabilities caused by specification violations. Specifically, they are unable to verify implementation vulnerabilities that are not specified in the specifications, such as proprietary extensions, session management, and other implementation methods, and implementation vulnerabilities that are specific to the software being used. Since many such implementation vulnerabilities have been found in reality, it is necessary for OIDC testing tools to be able to detect such implementation vulnerabilities as described above. Therefore, in this study, we propose an OIDC testing tool that can detect implementation-related vulnerabilities by allowing test scenarios to be written programmatically in order to create customizable test scenarios. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Vulnerability Testing / Single Sign-On / OpenID Connect |
| Paper # | ICSS2023-66 |
| Date of Issue | 2023-11-09 (ICSS) |
| Conference Information | |
| Committee | ICSS |
|---|---|
| Conference Date | 2023/11/16(2days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | IT Business Plaza Musashi and Online |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | Security, etc. |
| Chair | Daisuke Inoue(NICT) |
| Vice Chair | Akira Yamada(Kobe Univ.) / Toshihiro Yamauchi(Okayama Univ.) |
| Secretary | Akira Yamada(Mitsubishi Electric) / Toshihiro Yamauchi(Univ. of Electro-Comm.) |
| Assistant | Yo Kanemoto(NTT) / Masaya Sato(Okayama Prefectural Univ.) |
| Paper Information | |
| Registration To | Technical Committee on Information and Communication System Security |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | Proposal for a Test Tool Enabling Programmatic Description of Test Scenarios in OpenID Connect |
| Sub Title (in English) | |
| Keyword(1) | Vulnerability Testing |
| Keyword(2) | Single Sign-On |
| Keyword(3) | OpenID Connect |
| 1st Author's Name | Junki Yuasa |
| 1st Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| 2nd Author's Name | Taisho Sasada |
| 2nd Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| 3rd Author's Name | Yuzo Taenaka |
| 3rd Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| 4th Author's Name | Youki Kadobayashi |
| 4th Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| Date | 2023-11-17 |
| Paper # | ICSS2023-66 |
| Volume (vol) | vol.123 |
| Number (no) | ICSS-269 |
| Page | pp.pp.108-113(ICSS), |
| #Pages | 6 |
| Date of Issue | 2023-11-09 (ICSS) |