A Tool for Supporting Developers in Analyzing the Security of Web-Based Security Protocols [chapter]

Giancarlo Pellegrino, Luca Compagna, Thomas Morreggia
2013 Lecture Notes in Computer Science  
Security protocols are specified in natural language, are highly configurable, and may not match the internal requirements of the development company. As a result, developers may misunderstand the specifications, may not grasp the security implications of configurations, and may deviate from the specifications, introducing flaws. However, none of the existing security testing techniques provides the features, scalability, and usability to support developers in assessing the security of protocol configurations and deviations. This paper presents a tool that leverages existing design verification and security testing techniques, and extends them to support developers in analyzing security protocols. We used the tool for the analysis of prominent security protocols (i.e., SAML SSO, OpenID, OAuth2), and of six industrial-size implementations.
doi:10.1007/978-3-642-41707-8_19 fatcat:t7i4lj7tlrak5ieqzjo7dyuhle