Need suggestion on SSO Integration Security testing - Appscan


Anbuselvan

Jul 30, 2015, 11:36:31 PM
to null
Dear friends,

Can someone give me an idea of how to configure IBM AppScan to test an SSO application?

Also, the possible vulnerabilities to look for in SSO integration.

The background is that two applications are integrated through an SSO SAML token, so that logging into the parent application through SSO is enough to access the integrated application.

Thanks & regards,
Anbu

Taher Barodawala

Jul 31, 2015, 10:18:27 AM
to null, clkmai...@gmail.com
I can post a LMGTFY and make biased judgements about you, but before doing that, I'd like to know what you have already tried with AppScan?

About SSO:

2. nullcon Goa 2014: O Dea Assertions Untwining the Security of the SAML protocol by Achin Kulshrestha - https://www.youtube.com/watch?v=HbwdTApYAoQ
3. On Breaking SAML: Be Whoever You Want to Be - https://www.youtube.com/watch?v=QLKM4USUlZs

Just trying to help. Cheers.

Anbu Selvan

Jul 31, 2015, 1:46:35 PM
to Taher Barodawala, null
Thanks for your response.

I am not an expert in AppScan. I tried the login sequence in AppScan of both the IdP and SP applications to check the SSO integration.

But I see the scan explores all the URLs in both applications.

I need to assess just the SSO integration part of the application.

Can you give me an idea of how to configure it to scan and assess only the SSO integration part?

Thanks.

Rajesh A.

Aug 1, 2015, 12:00:58 AM
to null-...@googlegroups.com

AppScan scanning is based on URLs and domain. So if you want to scan only a few parts of an application, go for the Automatic Explore Only option, then remove the unwanted URLs, and after that go for the Test Only option in the drop-down menu of the green Scan button.

The other way is to manually explore the application, and during that time only go to the portion that you want tested.

--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
Do you trust your hardware?
http://hardwear.io
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
Visit this group at http://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.

Mukesh Sharma

Aug 1, 2015, 5:20:05 AM
to null-...@googlegroups.com

For AppScan there is no difference between an SSO application and any other web application. Just make sure to fix the user ID and password in the parameters and cookies. AppScan won't help you find SSO integration vulnerabilities.
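Since a generic scanner will not exercise the SAML trust logic, the integration part of the assessment comes down to checking whether the service provider (SP) validates the assertion it receives. The script below is an added example, not code from this thread or from AppScan: it performs the SP-side checks a reviewer would verify one by one (trusted issuer, audience, validity window with clock skew, subject-confirmation recipient, correlation with the pending AuthnRequest, and one-time use of the assertion ID). The assertion XML, the policy values, and the example.test hostnames are constructed. XML signature verification is deliberately left out because it needs an XML-DSig library; on a real SP it must run first, over the exact Assertion element that is then consumed, before any of these checks mean anything.

```python
"""SP-side SAML 2.0 assertion validation checks (added example, constructed data)."""
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion in the shape an IdP would send; the signature is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2015-07-31T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>anbu@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-07-31T10:05:00Z"
          Recipient="https://sp.example.test/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-07-31T09:59:00Z" NotOnOrAfter="2015-07-31T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Hypothetical SP configuration: what this SP expects to see in an assertion.
SP_POLICY = {
    "trusted_issuer": "https://idp.example.test/metadata",
    "entity_id": "https://sp.example.test/metadata",
    "acs_url": "https://sp.example.test/saml/acs",
    "clock_skew": timedelta(seconds=60),
}


def parse_time(s):
    """Parse a SAML UTC timestamp such as 2015-07-31T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, policy, now, expected_request_id, seen_ids):
    """Return a list of policy violations; an empty list means the assertion is acceptable.

    seen_ids is a mutable set of consumed assertion IDs used for replay detection;
    the ID is only recorded when every other check passes.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not a saml:Assertion"]

    assertion_id = root.get("ID")
    if not assertion_id:
        problems.append("assertion has no ID")
    elif assertion_id in seen_ids:
        problems.append("assertion ID %s already consumed (replay)" % assertion_id)

    # Issuer must be the IdP this SP is federated with, not merely any signed issuer.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != policy["trusted_issuer"]:
        problems.append("unexpected issuer %r" % issuer)

    skew = policy["clock_skew"]
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb) - skew:
            problems.append("assertion not yet valid")
        if noa and now >= parse_time(noa) + skew:
            problems.append("assertion expired")
        # Audience restriction stops an assertion minted for another SP being accepted here.
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if policy["entity_id"] not in audiences:
            problems.append("audience %r does not include this SP" % audiences)

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != policy["acs_url"]:
            problems.append("Recipient %r is not our ACS URL" % scd.get("Recipient"))
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo %r does not match the pending AuthnRequest"
                            % scd.get("InResponseTo"))
        noa = scd.get("NotOnOrAfter")
        if noa and now >= parse_time(noa) + skew:
            problems.append("subject confirmation expired")

    if not problems:
        seen_ids.add(assertion_id)
    return problems


if __name__ == "__main__":
    consumed = set()
    now = parse_time("2015-07-31T10:01:00Z")
    print("first use:", validate_assertion(SAMPLE_ASSERTION, SP_POLICY, now, "_req42", consumed))
    print("replay:", validate_assertion(SAMPLE_ASSERTION, SP_POLICY, now, "_req42", consumed))
```

Each check corresponds to a finding a manual review of the SP would look for: if any of them can be removed from the assertion without the SP rejecting it, that is the integration weakness the thread is asking about, and it is invisible to a crawler that only follows URLs.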
