Update publications
marcopernpruner committed Aug 26, 2024
1 parent fac6a52 commit 1226a50
Showing 3 changed files with 7 additions and 2 deletions.
7 changes: 5 additions & 2 deletions _data/publications.yml
@@ -2097,17 +2097,20 @@

## 2024
- id: EUROSP2024
title: "CSRF-ing the SSO waves: security testing of SSO-based account linking process"
title: "CSRFing the SSO Waves: Security Testing of SSO-Based Account Linking Process"
authors:
- AndreaBisegna
- MatteoBitussi
- RobertoCarbone
- LucaCompagna
- SilvioRanise
- AvinashSudhodanan
abstract:
abstract: >
The Single Sign-On based account linking process (SSOLinking in short) allows users to link their accounts at Service Provider (SP) websites to their Identity Providers (IdP) accounts. We focus on a serious (and overlooked) attack, namely an Account Hijack targeting the SSOLinking and relying on two CSRF vulnerabilities, one affecting the IdP and the other the SP. The former is an Authentication CSRF (also known as Login CSRF) and the latter is a CSRF on the button triggering the SSOLinking. We propose a security testing approach to help testers automatically detect such attacks. We implemented our testing technique as an extension (namely SSOLinking Checker) to the open-source penetration testing tool Micro-Id-Gym. To demonstrate the effectiveness of our approach and the pervasiveness of the SSOLinking Account Hijack, we conducted an experimental analysis against a selection of popular SPs that offer the SSOLinking with major IdPs. The results of our experiments are alarming: out of the 648 web sites we considered, 48 qualified for conducting our experiments and 21 of these suffered from SSOLinking vulnerability (i.e. 43.7%). Our findings (we responsibly disclosed to the affected vendors) include severe vulnerabilities among the web sites of Goodreads, Naver, Workable, etc.
destination: EUROSP2024
year: 2024
doi: 10.1109/EuroSP60621.2024.00016
urlComplementary: https://st.fbk.eu/complementary/EuroSP2024

- id: Ital-IA2024
title: "A Risk-based Approach to Trustworthy AI Systems for Judicial Procedures"
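Review bot: `abstract: >` on the added line yields a value that ends with a trailing newline (a folded block scalar keeps its final line break unless written as `>-`); if the site template renders the abstract inline, `abstract: >-` avoids a stray newline, and whichever form is chosen should match the other entries in this file. Because `>` folds line breaks into spaces, the single very long abstract line could also be wrapped across several indented lines without changing the stored value, which would make future diffs to this entry reviewable. One wording point inside the new text: it mixes "web sites" and "websites"; if the abstract is meant to be quoted verbatim from the published paper, leave it as is, otherwise pick one spelling.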
1 change: 1 addition & 0 deletions _tools/Micro-Id-Gym.md
@@ -13,6 +13,7 @@ publications:
- SecAssAPIFinancial_book_2020
- DETIPS2020
- ETAA2021_MIG
- EUROSP2024

theses:
- GiulioPellizzari_B
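Review bot: the new list item `EUROSP2024` has to match the `id:` field in `_data/publications.yml` exactly (the lookup is case-sensitive), and it does: the same commit adds `id: EUROSP2024` there. Appending it after `ETAA2021_MIG` also keeps this tool page's publication list in chronological order, as the existing entries (2020, 2020, 2021) suggest it is meant to be.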
1 change: 1 addition & 0 deletions _topics/IdentityManagement.md
@@ -31,6 +31,7 @@ publications:
- TDSC2022
- ARES2023
- RACS2023
- EUROSP2024

theses:
- DamianoSartori_B
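Review bot: the added `EUROSP2024` item matches the `id: EUROSP2024` entry in `_data/publications.yml` introduced in this commit, and placing it after `RACS2023` keeps the topic's publication list date-ordered (TDSC2022, ARES2023, RACS2023, then the 2024 entry). Nothing else to flag in this hunk.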