The main goal of this thesis is the security evaluation of Single Sign-On IdPs. The thesis consists of three parts:
- Test Catalog: A test catalog summarizing all previous attacks and threats should be elaborated. For this purpose, a comprehensive study of the related work will be provided . The result of this task is a systematized overview of the existing threats targeting IdPs and a comprehensive security testing catalog.
- Test Environment: A test environment covering 3 USA, 3 European, and 3 Asian IdPs will be established. In addition, at least two clients will be registered and used during the evaluation. The setup for each IdP will be documented and security risks will be documented.
- Security Evaluation: Based on the security catalog, a comprehensive security evaluation of the selected IdPs will be provided. The results will be systematized and the core issues will be clarified. Finally, concrete countermeasures will be proposed and found vulnerabilities will be reported as part of the responsible disclosure.
The challenge for this thesis is a minimal security evaluation of GitHub acting as an IdP. The security evaluation covers the investigation of the client registration and the authentication request. Summarized, it covers the following aspects:
- …. documentation of the required parameters during the registration phase. The configuration of malformed values should be documented.
- …. creation of a minimal authentication request which will be processed by the IdP
- …. evaluation of changes on the parameter defining the destination where the tokens will be sent to
- …. evaluation of the parameter(s) defining the authorized resources
- Web Attacks
- Message-Level Security