
A Tool For Supporting Developers In Analyzing The Security Of Web-Based Security Protocols

G. Pellegrino, L. Compagna, Thomas Morreggia
Published 2013 · Computer Science

Security protocols are specified in natural language, are highly configurable, and may not match the internal requirements of the development company. As a result, developers may misunderstand the specifications, may not grasp the security implications of configurations, and may deviate from the specifications, introducing flaws. However, none of the existing security testing techniques provides the features, scalability, and usability needed to support developers in assessing the security of protocol configurations and deviations. This paper presents a tool that leverages existing design verification and security testing techniques and extends them to support developers in analyzing security protocols. We used the tool for the analysis of prominent security protocols (i.e., SAML SSO, OpenID, OAuth2) and of six industrial-size implementations.