SAML2

Attacks

XML Round Trips

• https://joonas.fi/2021/08/saml-is-insecure-by-design/

• https://mattermost.com/blog/securing-xml-implementations-across-the-web/

• basic idea: same XML is processed differently by different parties

XML Signature Wrapping Attacks

• https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf

• application logic and signature verification use different parts of the message

• attacker can thus inject custom content

• types

  • new root level element
  • adding addition assertions

• use extensions elements to alter the document

countermeasures

• https://arxiv.org/pdf/1401.7483v1.pdf

  • Always perform schema validation on the XML document prior to using it for any security-related purposes
  • use xpath to select elements
  • verify public keys

• https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf : 5.5

  • XML schema validation
  • extract assertions
  • verify what is signed
  • validate signature
  • assertion processing

XSLT-based Attacks

• XSLT transformation happens before the digital signature is processed for verification
• SAML Raider should be able to use this
• can we disable xslt for saml messages?

Signature Exclusion

• just remove the signature

XEE Attacks

Certificate Faking

References

• https://book.hacktricks.xyz/pentesting-web/saml-attacks/saml-basics
• https://book.hacktricks.xyz/pentesting-web/saml-attacks
• https://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
• https://www.w3.org/TR/xmlenc-core1/#sec-RSA-1_5
• https://www.w3.org/TR/xmldsig-bestpractices/
• https://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-Security