Your Software at my Service

Vladislav Mladenov, Christian Mainka, Florian Feldmann, Julian Krautwald, Jörg Schwenk

ACM CCSW 2014 in conjunction with the ACM Conference on Computer and Communications Security (CCS) November 7, 2014, The Scottsdale Plaza Resort, Scottsdale, Arizona, USA.


Software-as-a-Service (SaaS) is typically defined as a rental model for using a complex software product, running on a centralized computing platform, using a thin client (most frequently a web browser). As such, it is one of the major categories of Cloud Com- puting, besides IaaS and PaaS. While there are many economic benefits in using SaaS, each company must nevertheless enforce control over its own data pro- cessed in the Cloud. One of the most important building blocks of such an enforcement scheme is Identity Management (IdM), whereat the industry standard for IdM is SAML, the Security As- sertion Markup Language. In this paper, we study the security of the SAML implementa- tions of 22 SaaS Cloud Providers (SaaS-CPs) and show that 90% of them can be broken, resulting in company data exposure to at- tackers on the Internet. The detected vulnerabilities are exploited by a wide variety of attack techniques, ranging from classical web attacks to problems specific to XML processing.

The distributed document has been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.


Tags: Authentication Security Flaws, Cloud Security, SAML, Software-as-a-Service (Saas)