AK
Uploaded byAmit Kumar
PDF, PPTX220 views

Attacking SSO (SAML) - Breaking into the front door of Authentication

The document discusses Security Assertion Markup Language (SAML), which is an open standard for exchanging authentication and authorization data between identity providers and service providers. It highlights the vulnerabilities associated with SAML and Single Sign-On (SSO) implementations, such as account takeover and privilege escalation, often due to misconfigurations. The text emphasizes the security implications of broken SAML workflows and common mistakes in SAML implementations.

Embed presentation

Download as PDF, PPTX
Attacking SSO/SAML : Breaking into the front door of authentication
# whoami Amit Kumar Security Engineer @ HappyFox | OSCP
Introduction to SAML 1. Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. 2. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions) 3. There are three main entities in SAML authentication process. a. User b. Identity Provider (IdP) c. Service Provider (SP)
SAML workflow
How SAML works?
Simpler real life example
Why SAML matters? ● 90% of companies rely on Active Directory Federation Services (ADFS) & a large number of them will be using Single Sign On for authorization ● More & more companies are moving from regular username/password combinations to centralized authentication & authorization ● SSO implementations are often overlooked and assumed that it is safe by default for use ● A small misconfiguration can lead to large vulnerabilities ● Often with SSO, there is no need for 2FA/MFA
Implications of broken SAML ● Account takeover - ability to login as anyone ● Privilege escalation - lateral movement towards high privileged users ● Data dump from application ● Arbitrary File Read abilities with XML External Entity (XXE) injection & in worst case, Remote Code Execution (RCE)
Broken SAML is as secure as →
SAML workflow ● SAML response are base64 encoded ● SAML is implemented in XML, hence decoded response contains XML payload ● Assertion - contains information about user such as name, email, username, permissions, privileges or any relevant identifier used by application ● Signature enforces the trust between Service Provider & Identity Provider through MetaData ● One thing to keep in mind - SAML response from IdP contains NotBefore and NotOnOrAfter which by default is limited to 60 seconds. This implies that a SAML response is only valid for next 60 seconds from the time it got issued.
Common misconfigurations / mistakes ● Message Expiration ● Message Replay ● Missing Signature ● Invalid Signature ● SAML response from different IdP ● XML External Entity (XXE) ● Signature Wrapping ○ XSW1 - XSW8 (XML Signature Wrapping)
Demo

More Related Content

PDF
A Guide to Multi Factor Authentication
byJack Forbes
 
PDF
Single sign on using SAML
byProgramming Talents
 
PPTX
Single Sign On Considerations
byVenkat Gattamaneni
 
PDF
Single Sign On - The Basics
byIshan A B Ambanwela
 
PPTX
Single sign on - SSO
byAjit Dadresa
 
PPTX
SINGLE SIGN-ON
byShambhavi Sahay
 
PDF
Single Sign On
byPing Identity
 
PPTX
SSO introduction
byAidy Tificate
 
A Guide to Multi Factor Authentication
byJack Forbes
 
Single sign on using SAML
byProgramming Talents
 
Single Sign On Considerations
byVenkat Gattamaneni
 
Single Sign On - The Basics
byIshan A B Ambanwela
 
Single sign on - SSO
byAjit Dadresa
 
SINGLE SIGN-ON
byShambhavi Sahay
 
Single Sign On
byPing Identity
 
SSO introduction
byAidy Tificate
 

What's hot

PPTX
Single Sign On 101
byMike Schwartz
 
DOC
Joomla web application development vulnerabilities
byBlazeDream Technologies Pvt Ltd
 
PPTX
Web Single sign on system
bySwati Sinha
 
PPTX
Single sign on - benefits, challenges and case study : iFour consultancy
byDevam Shah
 
PPTX
Enterprise single sign on
byArchit Sharma
 
PPT
SSO Strategy Implementation Considerations
byJohn Bauer
 
PPT
Single Sign On - Case Study
byEbizon
 
PPTX
Secure Code Warrior - Least privilege
bySecure Code Warrior
 
PDF
Secure Salesforce: CRUD / FLS / Sharing
bySalesforce Developers
 
PPTX
Identity & access management jonas syrstad
byMeandmine2
 
PDF
Setting up Security in Your Salesforce Instance
bySalesforce Developers
 
PDF
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
byArtur Barseghyan
 
Single Sign On 101
byMike Schwartz
 
Joomla web application development vulnerabilities
byBlazeDream Technologies Pvt Ltd
 
Web Single sign on system
bySwati Sinha
 
Single sign on - benefits, challenges and case study : iFour consultancy
byDevam Shah
 
Enterprise single sign on
byArchit Sharma
 
SSO Strategy Implementation Considerations
byJohn Bauer
 
Single Sign On - Case Study
byEbizon
 
Secure Code Warrior - Least privilege
bySecure Code Warrior
 
Secure Salesforce: CRUD / FLS / Sharing
bySalesforce Developers
 
Identity & access management jonas syrstad
byMeandmine2
 
Setting up Security in Your Salesforce Instance
bySalesforce Developers
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
byArtur Barseghyan
 

Similar to Attacking SSO (SAML) - Breaking into the front door of Authentication

PPTX
Introduction to SAML and how to create it by JoeSelian.pptx
byimcheaterid
 
PDF
SAML 101
byEchoworx
 
PDF
"Securing SSO Authentication: Strategies to eliminate vulnerabilities", Oleh ...
byFwdays
 
PPTX
Understanding SAML 2.0: Enhancing Secure Authentication
byNarendra Kadali
 
PDF
How to break SAML if I have paws?
byGreenD0g
 
PDF
Wp saml v2_rs_3_24_2015
byElaine Sun
 
PDF
White Paper: Saml as an SSO Standard for Customer Identity Management
byGigya
 
PDF
SAML Executive Overview
byPortalGuard
 
PDF
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
PDF
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
byCloudIDSummit
 
PPTX
Exploring SAML 2.0-based federation in AWS.pptx
byInfosectrain3
 
PPTX
Exploring SAML 2.0-based federation in AWS.pptx
byinfosec train
 
PDF
Saml authentication bypass
byTarachand Verma
 
PPT
Security and information assurance
bybdemchak
 
PPTX
IdP, SAML, OAuth
byDan Brinkmann
 
PDF
SAML
byLéopold Gault
 
PDF
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
byClément OUDOT
 
PDF
SAML Protocol Overview
byMike Schwartz
 
PPT
DIWD Concordia
byPaul Madsen
 
PPT
SAML.ppt
byssuser730061
 
Introduction to SAML and how to create it by JoeSelian.pptx
byimcheaterid
 
SAML 101
byEchoworx
 
"Securing SSO Authentication: Strategies to eliminate vulnerabilities", Oleh ...
byFwdays
 
Understanding SAML 2.0: Enhancing Secure Authentication
byNarendra Kadali
 
How to break SAML if I have paws?
byGreenD0g
 
Wp saml v2_rs_3_24_2015
byElaine Sun
 
White Paper: Saml as an SSO Standard for Customer Identity Management
byGigya
 
SAML Executive Overview
byPortalGuard
 
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
byCloudIDSummit
 
Exploring SAML 2.0-based federation in AWS.pptx
byInfosectrain3
 
Exploring SAML 2.0-based federation in AWS.pptx
byinfosec train
 
Saml authentication bypass
byTarachand Verma
 
Security and information assurance
bybdemchak
 
IdP, SAML, OAuth
byDan Brinkmann
 
SAML
byLéopold Gault
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
byClément OUDOT
 
SAML Protocol Overview
byMike Schwartz
 
DIWD Concordia
byPaul Madsen
 
SAML.ppt
byssuser730061
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
December Patch Tuesday
byIvanti
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
The year in review - MarvelClient in 2025
bypanagenda
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
December Patch Tuesday
byIvanti
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 

Attacking SSO (SAML) - Breaking into the front door of Authentication

  • 1.
    Attacking SSO/SAML : Breakinginto the front door of authentication
  • 2.
    # whoami Amit Kumar SecurityEngineer @ HappyFox | OSCP
  • 3.
    Introduction to SAML 1.Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. 2. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions) 3. There are three main entities in SAML authentication process. a. User b. Identity Provider (IdP) c. Service Provider (SP)
  • 4.
  • 5.
  • 6.
  • 7.
    Why SAML matters? ●90% of companies rely on Active Directory Federation Services (ADFS) & a large number of them will be using Single Sign On for authorization ● More & more companies are moving from regular username/password combinations to centralized authentication & authorization ● SSO implementations are often overlooked and assumed that it is safe by default for use ● A small misconfiguration can lead to large vulnerabilities ● Often with SSO, there is no need for 2FA/MFA
  • 8.
    Implications of brokenSAML ● Account takeover - ability to login as anyone ● Privilege escalation - lateral movement towards high privileged users ● Data dump from application ● Arbitrary File Read abilities with XML External Entity (XXE) injection & in worst case, Remote Code Execution (RCE)
  • 9.
    Broken SAML is assecure as →
  • 10.
    SAML workflow ● SAMLresponse are base64 encoded ● SAML is implemented in XML, hence decoded response contains XML payload ● Assertion - contains information about user such as name, email, username, permissions, privileges or any relevant identifier used by application ● Signature enforces the trust between Service Provider & Identity Provider through MetaData ● One thing to keep in mind - SAML response from IdP contains NotBefore and NotOnOrAfter which by default is limited to 60 seconds. This implies that a SAML response is only valid for next 60 seconds from the time it got issued.
  • 12.
    Common misconfigurations /mistakes ● Message Expiration ● Message Replay ● Missing Signature ● Invalid Signature ● SAML response from different IdP ● XML External Entity (XXE) ● Signature Wrapping ○ XSW1 - XSW8 (XML Signature Wrapping)
  • 13.