Security Assertion Markup Language (SAML) was the de facto standard for implementing Single Sign On (SSO) before OAuth and OpenID Connect took over, and it is still used in many enterprise identity federation systems. Since SAML is based on XML messaging, it is exposed to XML-based security vulnerabilities. During this session, we will be looking at XML signature wrapping attacks, penetration testing SAML systems, and securing your SAML solutions against known XML-based vulnerabilities.
Presented at the event: https://www.meetup.com/Melbourne-Identity-and-Security-Meetup/events/269830019/
4. Example for SSO
(Diagram) An Identity Provider (Office 365) serves several Service Providers (Relying Party Applications): Zoom, Email, Moodle (LMS), Timetable. Flow: Authentication Request, Authentication Response, Use Account.
5. SAML in SSO
(Diagram) The same Identity Provider and Service Providers (Relying Party Applications): Zoom, Email, Moodle (LMS), Timetable. Flow: SAML Authentication Request, SAML Authentication Response, Use Account.
10. Digital Signatures and Signature Verification
Source: https://en.wikipedia.org/wiki/Electronic_signature#/media/File:Digital_Signature_diagram.svg
(Diagram) The Identity Provider needs to sign the responses; the Relying Party needs to verify the signature.
11. Digitally Signed SAML Responses/Assertions
(Diagram) Client, Identity Provider and Service Provider (Relying Party Application). Flow: SAML Authentication Request, SAML Authentication Response, Use Account. The Identity Provider signs the Response/Assertion for the user Joanne (Response Signature and Assertion Signature); the Service Provider verifies the signature of the Response/Assertion.
27. XSW Prevention?
● If the SAML client is implemented using a 3rd-party library, check whether it supports XSW prevention (e.g. the OpenSAML client library).
● If SAML assertion/response parsing is done by your own implementation, add extra validations (e.g. reject XML messages that contain multiple responses/assertions).
● Conduct penetration testing of SAML authentication flows. Use standard tools or build your own (https://github.com/thariyarox/SAMLRaider/tree/NewAttacks/target).
30. XML Comments in Signature?
Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
The XML signature is generated over the transformed (canonicalized) XML, not over the raw message. Canonicalization normalizes attribute order and whitespace, and exc-c14n without comments drops comments, so both of the following produce the same Transformed XML and therefore the same signature:
<A X="1" Y="2">some text<!-- and a comment --></A>
< A Y="2" X="1" >some text</ A >
Flow: XML Transformation (Canonicalization), Transformed XML, Generate XML Signature.
33. XML Parser issues with processing comments (exc-c14n)
Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
<A>first text<!-- comment -->second text</A>
The parsed element has three child nodes: the text "first text", the comment, and the text "second text".
node_A.getText(): what gets returned??
34. XML Parser issues with processing comments (exc-c14n)
Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
<Username> phil <!-- comment --> lip </Username>
Child nodes: the text "phil", the comment, the text "lip".
node_A.getText() returns the first part of the text: "phil" (the victim). The attacker's username is phillip.
35. XML Parser issues with processing comments (exc-c14n)
Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
<Username> jo <!-- comment --> anne </Username>
Child nodes: the text "jo", the comment, the text "anne".
node_A.getText() returns the last part of the text: "anne" (the victim). The attacker's username is joanne.
37. XML Comments Attack Prevention
● Use the exc-c14n#WithComments canonicalization algorithm.
● If exc-c14n is used, process the text of the XML node separately and remove the comment before extracting the node value.
● Use an XML processing library which is not vulnerable to the string tokenization issue when comments are present (e.g. DOM parser, SAX parser).
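The two issues from slides 30 and 33 to 37 in one runnable illustration. This is an added Python example, not code from the talk or from the Duo research: the `<Username>` samples are constructed, and Python's `xml.etree.ElementTree.canonicalize` implements C14N 2.0 rather than exc-c14n 1.0, but it drops comments unless `with_comments=True` in the same way the talk contrasts exc-c14n with exc-c14n#WithComments.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed samples (not from the talk): the same <Username> element,
# once clean and once with a comment injected into the middle of the value.
CLEAN = '<Username>phillip</Username>'
COMMENTED = '<Username>phil<!-- injected -->lip</Username>'


def c14n_digest(xml_text: str, with_comments: bool) -> str:
    """SHA-256 of the canonical form, standing in for the digest an XML
    signature is computed over. With with_comments=False the comment is
    dropped before hashing, so CLEAN and COMMENTED hash identically and a
    signature over the canonical form cannot tell them apart."""
    canonical = ET.canonicalize(xml_text, with_comments=with_comments)
    return hashlib.sha256(canonical.encode()).hexdigest()


def username_naive(xml_text: str) -> str:
    """Reads only the first text node, like the getText() behaviour on the
    slides: the comment splits 'phillip' and only 'phil' comes back."""
    node = minidom.parseString(xml_text).documentElement
    return node.firstChild.data.strip()


def username_safe(xml_text: str) -> str:
    """Prevention from slide 37: walk the child nodes, skip comments and
    join every text node, so the full value is returned wherever a comment
    was inserted."""
    node = minidom.parseString(xml_text).documentElement
    parts = [child.data for child in node.childNodes
             if child.nodeType == child.TEXT_NODE]
    return "".join(parts).strip()


def main() -> None:
    same = c14n_digest(CLEAN, False) == c14n_digest(COMMENTED, False)
    print("digests equal without comments:", same)       # True
    same_wc = c14n_digest(CLEAN, True) == c14n_digest(COMMENTED, True)
    print("digests equal WithComments:", same_wc)        # False
    print("naive extraction:", username_naive(COMMENTED))  # phil
    print("safe extraction: ", username_safe(COMMENTED))   # phillip


if __name__ == "__main__":
    main()
```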
38. Summary
● Single Sign On (SSO)
● SAML for SSO
● Digital Signatures
● XSW attacks on SAML
● Penetration testing SAML flows
● XML comments in signatures
● SAML attack prevention