SSOScan is an automated vulnerability detection tool released by a security research team at the University of Virginia. It is designed to check whether web applications have security flaws in their Facebook Single Sign-On (SSO) integration. The broader context is that third-party authentication integrations are easy for developers to misunderstand; when the authentication and authorization flow is implemented incorrectly, the security impact can be severe. This is not a traditional enterprise security platform, but a focused, research-oriented, open-source testing tool.
In terms of scope, SSOScan focuses on detecting vulnerabilities in SSO integrations. The documentation specifically states that it targets the Facebook SSO API and checks for five categories of SSO vulnerabilities. Its approach does not rely on white-box code analysis; instead, it treats the target as a black box and probes the observable behavior of the web server to decide whether the integration is flawed. This is valuable when testing websites whose server-side code is not available. In the study, the team used it to analyze 20,000 high-ranking websites, of which 1,660 used Facebook SSO. More than 20% of those 1,660 sites were found to have at least one serious vulnerability, showing that these issues are common in real-world deployments.
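The page does not list which five vulnerability categories SSOScan checks, so the following is an added illustration of the black-box approach using one widely documented Facebook SSO flaw, access-token misuse: a relying party accepts any valid Facebook access token and trusts the user ID Facebook reports for it, without confirming that the token was issued for its own app ID. An attacker who runs a different Facebook app can then replay a token the victim granted to that app and be logged in as the victim. This is example code, not SSOScan's; the token store, app IDs (1001, 2002) and class names are constructed stand-ins so it runs offline, and `debug_token` mocks Facebook's Graph API introspection endpoint rather than calling it.

```python
"""
Added example (not SSOScan's code): black-box probe for access-token misuse
in a Facebook SSO integration.

In the real flow the relying party (RP) receives a Facebook access token
from the browser and asks Facebook who it belongs to. If the RP never checks
that the token was issued for ITS OWN app ID, a token that a victim granted
to some other app (for example one the attacker controls) can be replayed
to the RP to log in as the victim.
"""

# Constructed stand-in for Facebook's GET /debug_token introspection data
# (the real response carries app_id, user_id and is_valid). Not real tokens.
TOKEN_STORE = {
    "tok-victim-for-target":   {"app_id": "1001", "user_id": "42", "is_valid": True},
    "tok-victim-for-attacker": {"app_id": "2002", "user_id": "42", "is_valid": True},
    "tok-expired":             {"app_id": "1001", "user_id": "42", "is_valid": False},
}

TARGET_APP_ID = "1001"  # hypothetical Facebook app ID of the site under test


def debug_token(token):
    """Mock of the Graph API introspection call; unknown tokens are invalid."""
    return TOKEN_STORE.get(token, {"is_valid": False})


class VulnerableRelyingParty:
    """Logs in whichever user Facebook says owns a valid token.
    Missing check: the token's app_id is never compared with the site's own."""

    def login(self, access_token):
        info = debug_token(access_token)
        if not info["is_valid"]:
            return None
        return info["user_id"]


class HardenedRelyingParty:
    """Same login, but a token minted for a different app is rejected."""

    def login(self, access_token):
        info = debug_token(access_token)
        if not info["is_valid"]:
            return None
        if info.get("app_id") != TARGET_APP_ID:
            return None  # token belongs to another app: do not trust its user_id
        return info["user_id"]


def probe_token_misuse(site, foreign_token, victim_user_id):
    """Black-box check in the spirit of SSOScan: no access to server code,
    only the observable outcome of replaying a token obtained for another
    app. vulnerable=True means the site granted the victim's session to
    a token that was never issued for it."""
    session_user = site.login(foreign_token)
    vulnerable = session_user == victim_user_id
    return {
        "check": "access_token_misuse",
        "vulnerable": vulnerable,
        "detail": (
            "site accepted a token issued for another app and logged in user %s"
            % session_user
            if vulnerable
            else "token for another app was rejected (session user: %r)" % session_user
        ),
    }


if __name__ == "__main__":
    # The attacker holds tok-victim-for-attacker because the victim once
    # logged into the attacker's own app (2002) and replays it to the target.
    for rp in (VulnerableRelyingParty(), HardenedRelyingParty()):
        print(type(rp).__name__, probe_token_misuse(rp, "tok-victim-for-attacker", "42"))
```

Against a live target the probe would submit the foreign token to the site's real SSO login endpoint and inspect the resulting session, and the mock would be replaced by the real `/debug_token` call (which requires an app access token); the decision logic, comparing the token's `app_id` with the site's own before trusting `user_id`, is the same.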
The page provides links to the paper and the GitHub source code, but does not describe installation steps, runtime requirements, maintenance status, license, pricing, or commercial support. It can therefore be inferred that the tool is better suited to users with security testing and development skills who can deploy and validate it themselves, rather than being an out-of-the-box SaaS product. For management and alerting, the text does not mention a console, report templates, continuous scanning, or alert notifications. As for integrations, it can only be confirmed that the tool targets Facebook SSO applications; there is no information about CI/CD, SIEM, or ticketing system integrations.
Its strengths are a clearly defined research problem, a targeted methodology, validation through a USENIX Security 2014 paper, and large-scale website experiments. The open-source code also makes it easier to reproduce the research or build on top of it. Its main limitation is the narrow scope: the text does not indicate support for general OAuth/OIDC scenarios or other identity providers such as Google or Microsoft. It also lacks information on enterprise operations capabilities, compliance certifications, and support services. SSOScan is best suited for academic research, targeted validation by security teams, or security regression testing by developers after integrating Facebook SSO.
The text does not provide information about access from China. Since Facebook-related services themselves may be affected by the network environment in mainland China, real-world testing may face instability due to external dependencies. Payment information is absent, and no commercial pricing is shown. If you need more general-purpose Web security testing, consider Burp Suite, OWASP ZAP, Nuclei, or dedicated OAuth/OIDC testing scripts. For domestic China scenarios, local identity sources and compliance requirements should also be evaluated first.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, ssoscan.org.
ssoscan.org is a United States security provider. TG4G tracks its product information and lists an overall rating of 7.0/10 and a China-accessibility score of "China direct-connect friendly".