A brief set of slides covering a primer on SAML and the attack vectors associated with it. There are two major entities in the SAML workflow - Service Provider & Identity Provider. In the slides I have covered attack vectors on Service Providers using SAML.
3. Introduction to SAML
1. Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
2. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
3. There are three main entities in the SAML authentication process:
a. User
b. Identity Provider (IdP)
c. Service Provider (SP)
7. Why does SAML matter?
● 90% of companies rely on Active Directory Federation Services (ADFS) & a large number of them will be using Single Sign On for authorization
● More & more companies are moving from regular username/password combinations to centralized authentication & authorization
● SSO implementations are often overlooked and assumed to be safe by default
● A small misconfiguration can lead to large vulnerabilities
● Often with SSO, there is no need for 2FA/MFA
8. Implications of broken SAML
● Account takeover - ability to log in as anyone
● Privilege escalation - lateral movement towards high privileged users
● Data dump from application
● Arbitrary File Read abilities with XML External Entity (XXE) injection & in the worst case, Remote Code Execution (RCE)
10. SAML workflow
● SAML responses are base64 encoded
● SAML is implemented in XML, hence the decoded response contains an XML payload
● Assertion - contains information about the user such as name, email, username, permissions, privileges or any relevant identifier used by the application
● Signature enforces the trust between Service Provider & Identity Provider through MetaData
● One thing to keep in mind - the SAML response from the IdP contains NotBefore and NotOnOrAfter, which by default limit validity to 60 seconds. This implies that a SAML response is only valid for the next 60 seconds from the time it was issued.
12. Common misconfigurations / mistakes
● Message Expiration
● Message Replay
● Missing Signature
● Invalid Signature
● SAML response from different IdP
● XML External Entity (XXE)
● Signature Wrapping
○ XSW1 - XSW8 (XML Signature Wrapping)
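As an added example (not code from the slides), the following Python checker applies the defender-side controls for the misconfigurations listed above and the NotBefore/NotOnOrAfter window from the workflow slide: a DTD check against XXE, issuer pinning against responses from a different IdP, signature presence and a Reference-URI check against signature wrapping, the validity window, and a replay cache. The issuer, timestamps and SAML response are constructed sample values; the Signature element is a placeholder, because real XML-DSig verification is assumed to be done by a library such as xmlsec and is not reimplemented here.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_ISSUER = "https://idp.example.test/metadata"   # constructed IdP entity ID
SEEN_IDS = set()   # replay cache; a real SP persists this for at least the validity window

# Constructed sample response; the Signature element is a placeholder (no real XML-DSig value)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, now, seen):
    """Return the list of findings for one SAML response; an empty list means accepted."""
    if "<!DOCTYPE" in xml_text:      # XXE: a SAML response never legitimately carries a DTD
        return ["dtd_present"]
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no_assertion"]
    findings = []
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != TRUSTED_ISSUER:
        findings.append("untrusted_issuer")   # response from a different IdP
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("missing_signature")
    else:   # XSW defence: the signed Reference must point at the assertion actually used
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
            findings.append("signature_reference_mismatch")
    cond = assertion.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    if nb is None or na is None:
        findings.append("missing_validity_window")
    elif not (parse_ts(nb) <= now < parse_ts(na)):
        findings.append("expired_or_not_yet_valid")   # message expiration
    if assertion.get("ID") in seen:
        findings.append("replayed_assertion")   # message replay
    elif not findings:
        seen.add(assertion.get("ID"))   # remember only assertions we accepted
    return findings
```

Each finding maps to one item in the misconfiguration list; a production SP must additionally verify the signature value itself against the IdP key from metadata before trusting any attribute.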