Soup Set No. 5a.
How to hack SAML if I have paws?
Aleksei “GreenDog” Tiurin
WHOAMI?
- Security researcher
- Invicti Security (Acunetix)
- Green Paws of Relaxation
t.me/greenrelaxpaws
agrrrdog.blogspot.com
github.com/GrrrDog/
Aleksei Tiurin
GreenDog
SAML - Security Assertion Markup Language
● SSO
● Authentication and authorization
● Everywhere
SAML - Security Assertion Markup Language
● Very old standards (~2002-2005)
○ SAML 1.0 / 2.0
● Based on
○ HTTP
○ XML
○ XML Schema
○ XML Digital Signature (XML DSig)
○ XML Encryption
● Complicated standards
○ Protocols/Bindings/Profiles
○ Full specs - hundreds of pages
“10 Years later”
● Old technologies -> old libs
○ xmlsec (java / c)
● Complex configurations
● Many Implementations
https://en.wikipedia.org/wiki/SAML-based_products_and_services
● ZeroNights 2012
● (almost) All the same attacks ^_^
Identity Provider (IdP)
- where user creds are stored
- Okta, OneLogin, PingIdentity, MS AAD, etc
- OpenAM, Keycloak, Oracle OAM, Shibboleth, etc
Service Provider (SP)
- an application that a user wants to access
- … Jira, WordPress, AWS ...
- One IdP - many SPs
- Corporate SSO
- One SP - many IdPs
- SaaS that needs to support multiple organizations
Flows
- SP initiated
- IdP initiated (from 4)
(Diagram labels: SAML Request, SAML Response)
SAMLRequest
- From SP to IdP
- Redirect Binding (GET) / POST Binding (HTML Form)
- Base64
SAMLResponse
- From IdP to SP
- POST Binding (HTML form)
- Base64 + Deflate
SAMLResponse
- Signed Response
- Signed Assertion
- Both
How does the signature work?
Situations:
- Anonymous attacks
- A user in IdP
- Malicious SP
- Malicious IdP
Core tool
- SAML Raider extension in Burp
Anonymous attacks
1. SAMLRequest - Detect that SAML is used
2. From SAMLRequest
- Issuer (IdP)
- AssertionConsumerServiceURL (ACS)
- where SP expects SAMLResponse
- SP’s SAML lib name
- id generator - format, name, etc
- Destination (IdP)
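The following Python helper is an added example, not code from the slides or from the author's tooling. It does step 2 above from the defender's seat: decode a SAMLRequest parameter and list the fields an SP reveals in it (Issuer, ACS URL, Destination, ID, IssueInstant). Both encodings mentioned on the slides are handled: raw DEFLATE under the Base64 (the Redirect binding) and plain Base64. The hostnames, IDs and request body are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_message(param: str) -> bytes:
    """Turn a SAMLRequest/SAMLResponse parameter back into XML bytes.

    Tries a raw DEFLATE stream first (Base64 + Deflate) and falls back to the
    bytes as they are (plain Base64), so both encodings are accepted.
    """
    raw = base64.b64decode(param)
    try:
        inflated = zlib.decompress(raw, -15)   # -15: raw DEFLATE, no zlib header
        if inflated.lstrip().startswith(b"<"):
            return inflated
    except zlib.error:
        pass
    return raw


def inspect_authn_request(xml_bytes: bytes) -> dict:
    """Pull out the fields the slide lists from a samlp:AuthnRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "ID": root.get("ID"),                           # shape hints at the SP's library
        "IssueInstant": root.get("IssueInstant"),
        "Destination": root.get("Destination"),         # the IdP SSO endpoint
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),  # where the SP expects the Response
        "ProtocolBinding": root.get("ProtocolBinding"),
        "Issuer": (issuer.text or "").strip() if issuer is not None else None,  # the SP entityID
    }


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Raw DEFLATE + Base64, the inverse of decode_saml_message for the Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def encode_post_binding(xml_bytes: bytes) -> str:
    """Plain Base64, as carried in the hidden form field of the POST binding."""
    return base64.b64encode(xml_bytes).decode("ascii")


# Constructed sample AuthnRequest; hostnames and IDs are placeholders, not from any real deployment.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_a1b2c3d4e5f60718293a4b5c6d7e8f90" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://idp.example.org/sso/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>""".encode()


def demo() -> dict:
    """Round-trip the sample through the Redirect binding encoding and inspect it."""
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    return inspect_authn_request(decode_saml_message(param))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on a real parameter by pasting the URL-decoded value of `SAMLRequest` into `decode_saml_message`; the same decoder works for a SAMLResponse form field.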
SAML Metadata
- Configuration exchange for SP and IdP
- Names, endpoints, certificates…
- Signature, encryption, additional attributes…
SP doesn’t expose it (usually)
IdP:
- know endpoints
- oamfed/idp/metadata
- from Destination
- okta.com/app/appname/RND/sso/saml -> okta.com/app/RND/sso/saml/metadata
Now, we have almost everything to create a good SAMLResponse from nothing
Creating SAML Response
- POST to ACS url
- Known SAML schemas
- Info from SAMLRequest
- Destination - ACS url
- InResponseTo - ID
- Issue Timestamp
- Issuer - From metadata
- Both Response and Assertion
- Subject / NameID - email?
- Conditions
- NotBefore + NotOnOrAfter
- AudienceRestriction - ?
- AuthnStatement - ?
http://www.datypic.com/sc/saml2/e-samlp_Response.html
http://www.datypic.com/sc/saml2/e-saml_Assertion.html
1. XML -> XXE (+XSD/NS injection?)
- https://nvd.nist.gov/vuln/detail/CVE-2022-35741
2. XSS
- Often show errors for debug
- Before Sign check
- Issuer, Destination, StatusCode, etc
- using the created SAML Response
- XSS payload -> every “field”
- encode/CDATA
Destination="><img/src/onerror=alert(1)>"
SAML Response
Authentication bypass
- Disabled sign check - common misconfig
- No <Signature/> tag - no Sign check
https://hackerone.com/reports/136169
- Complicated specifications - nobody uses advanced features
- Documentation (SP/IdP)?
- NameID - email
- Find a registered email?
- Auto provisioning
- Create SAML Response(s)
- Try them
- Error messages
https://mishresec.wordpress.com/2017/10/13/uber-bug-bounty-gaining-access-to-an-internal-chat-system/
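Read from the SP side, the "Creating SAML Response" checklist and the "Authentication bypass" slide above are the fields a response consumer has to verify before it trusts a NameID. The validator below is an added example, not code from the slides or from any SAML library. It uses only the Python standard library, so it checks that a ds:Signature is present (so "no <Signature/> tag" can never turn into "no sign check") but leaves cryptographic verification against the metadata certificate to an XMLDSig library. Hostnames, IDs, times and the signature placeholder in the sample response are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def q(ns, local):
    return f"{{{ns}}}{local}"

def parse_instant(s):
    # SAML dateTimes are UTC with a trailing "Z"; fromisoformat needs an explicit offset
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

@dataclass(frozen=True)
class SpConfig:
    acs_url: str          # Destination and Recipient must equal this
    entity_id: str        # must be named in AudienceRestriction
    idp_entity_id: str    # expected Issuer, taken from the IdP metadata
    skew: timedelta = timedelta(seconds=60)

def validate_response(xml_bytes, cfg, outstanding_ids, now):
    """Every field-level reason to reject the Response; [] means the structural checks pass.
    Cryptographic verification belongs to an XMLDSig library keyed with the metadata
    certificate; this only insists that a Signature exists."""
    p = []
    root = ET.fromstring(xml_bytes)
    if root.tag != q(SAMLP, "Response"):
        return ["root element is not samlp:Response"]
    if root.get("Destination") != cfg.acs_url:
        p.append("Destination does not match our ACS URL")
    if root.get("InResponseTo") not in outstanding_ids:
        p.append("InResponseTo is not an outstanding AuthnRequest ID (unsolicited response)")
    code = root.find(f"{q(SAMLP, 'Status')}/{q(SAMLP, 'StatusCode')}")
    if code is None or code.get("Value") != SUCCESS:
        p.append("StatusCode is not Success")
    assertions = root.findall(q(SAML, "Assertion"))
    if len(assertions) != 1:   # an EncryptedAssertion must be decrypted before this point
        return p + [f"expected exactly one plain Assertion, found {len(assertions)}"]
    a = assertions[0]
    for label, el in (("Response", root), ("Assertion", a)):
        iss = el.find(q(SAML, "Issuer"))
        if iss is None or (iss.text or "").strip() != cfg.idp_entity_id:
            p.append(f"{label} Issuer is not the configured IdP entityID")
    if root.find(q(DS, "Signature")) is None and a.find(q(DS, "Signature")) is None:
        p.append("no ds:Signature on Response or Assertion: reject instead of skipping the check")
    cond = a.find(q(SAML, "Conditions"))
    if cond is None:
        p.append("Conditions missing")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + cfg.skew < parse_instant(nb):
            p.append("assertion not yet valid (NotBefore)")
        if not na or now - cfg.skew >= parse_instant(na):
            p.append("assertion expired or has no NotOnOrAfter")
        path = f"{q(SAML, 'AudienceRestriction')}/{q(SAML, 'Audience')}"
        if cfg.entity_id not in [x.text.strip() for x in cond.iterfind(path) if x.text]:
            p.append("AudienceRestriction does not name this SP")
    scd = a.find(f"{q(SAML, 'Subject')}/{q(SAML, 'SubjectConfirmation')}/{q(SAML, 'SubjectConfirmationData')}")
    if scd is None:
        p.append("SubjectConfirmationData missing")
    else:
        if scd.get("Recipient") != cfg.acs_url:
            p.append("SubjectConfirmationData Recipient does not match our ACS URL")
        if scd.get("InResponseTo") != root.get("InResponseTo"):
            p.append("SubjectConfirmationData InResponseTo differs from the Response")
    if a.find(q(SAML, "AuthnStatement")) is None:
        p.append("AuthnStatement missing")
    return p

# Constructed configuration and sample: hostnames, IDs, times and the signature placeholder
# are not from any real deployment
CFG = SpConfig("https://sp.example.com/saml/acs", "https://sp.example.com/saml/metadata",
               "https://idp.example.org/saml/metadata")
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)

def sample_response(destination=CFG.acs_url, audience=CFG.entity_id, signed=True):
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER'
           '</ds:SignatureValue></ds:Signature>') if signed else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T11:59:30Z" Destination="{destination}" InResponseTo="_req1">
  <saml:Issuer>{CFG.idp_entity_id}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T11:59:30Z">
    <saml:Issuer>{CFG.idp_entity_id}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
        Recipient="{CFG.acs_url}" InResponseTo="_req1" NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>""".encode()
```

The design point is that every check appends to a list instead of returning early, so a test harness (or a generic error page that logs the full list server-side) sees all reasons at once, while the user-facing response stays generic.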
KeyInfo
- Info about the key
- ds:Signature
- Self-Signed certificate
SAML Response
Certificate faking for Authentication bypass
- Take Certificate from Metadata
- Import in SAML Raider
- Sign the created SAML Response(s)
- Incorrect certificate match
- Trust KeyInfo certificate
https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/#certificate-faking
SAML Response
Dupe Key Confusion (.NET)
- Alvaro Muñoz, Oleksandr Mirosh at BlackHat 2019
https://i.blackhat.com/USA-19/Wednesday/us-19-Munoz-SSO-Wars-The-Token-Menace.pdf
- Better with a valid SAML Response
SAML Response
Certificate validation to SSRF
- Trust KeyInfo certificate
- Certificate validation
- SSRF in X509 cert
- Michael Stepankin at BlackHat 2023
https://github.com/onhexgroup/Conferences/blob/main/Black%20Hat%20USA%202023%20slides/Michael%20Stepankin_mTLS%20When%20Certificate%20Authentication%20is%20Done%20Wrong.pdf
- Java
- AIA, SIA, CRL DP
- Created SAML Response
- Add KeyInfo with SSRF cert
- Windows? .NET?
Reference dereferencing
- Data location
- URI
- remote files (http, https, etc)
- local files
- (Blind) SSRF
- Everywhere!
- XML DSig
- XML Enc
- Metadata
- …
SAML Response
Reference dereferencing (XML DSig)
- Reference
https://github.com/IdentityPython/pysaml2/issues/510
- KeyInfo
- Java xmlsec. SecureValidation bypass (CVE-2021-40690)
https://blog.tint0.com/2021/09/pinging-xmlsec.html
SAML Response
Reference dereferencing (XML Enc)
- CipherReference
- DataReference
- + EncryptedKey -> KeyInfo
Transformations
- XML “normalization”
- Additional “preparations”
- Base64
- XPath
- XPath-Filter
- XSLT (optional)
- …
Base64 http://www.w3.org/2000/09/xmldsig#base64
- .NET XXE CVE-2022-34716
- Decode Reference + Parse XML
- XXE inside
https://bugs.chromium.org/p/project-zero/issues/detail?id=2313
XPath http://www.w3.org/TR/1999/REC-xpath-19991116
- Blind SSRF
- Mix with Reference (xml files)
- Error
- Modified version of a payload for PingIdentity from https://blog.tint0.com/2021/09/pinging-xmlsec.html
XSLT http://www.w3.org/TR/1999/REC-xslt-19991116
- Java / Santuario (xmlsec) <= 1.4.1 (~ 2010)
- via Xalan
- RCE ManageEngine ServiceDesk CVE-2022-47966
xmlsec >= 1.4.2
- Secure-processing - true
- Xalan CVE-2014-0107 < 2.7.2
- Arbitrary class instantiation
https://blog.viettelcybersecurity.com/saml-show-stopper/
XSLT
https://blog.viettelcybersecurity.com/saml-show-stopper/
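The KeyInfo, certificate-faking, reference-dereferencing and transformation slides above all describe XML DSig features a SAML consumer should refuse before its signature library ever dereferences a URI or runs a Transform. The lint below is an added example, not code from the slides, from Acunetix, SAML Raider or xmlsec. It allow-lists transforms, requires a same-document Reference that covers the Signature's own parent element (which also catches the wrapping shape of XSW), rejects KeyInfo/RetrievalMethod, flags certificates carried in KeyInfo and flags xenc:CipherReference. The sample assertions, the `.invalid` URLs and the digest/signature values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Only what a SAML signature legitimately needs; XSLT, XPath, XPath-Filter and base64
# transforms are rejected simply by not being listed
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N, "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"}

def q(ns, local):
    return f"{{{ns}}}{local}"

def lint_signatures(xml_bytes):
    """Rejection reasons to raise before an XMLDSig library dereferences any Reference,
    runs any Transform or looks at KeyInfo. [] means nothing suspicious was found."""
    root = ET.fromstring(xml_bytes)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    id_count = {}
    for el in root.iter():
        if el.get("ID") is not None:
            id_count[el.get("ID")] = id_count.get(el.get("ID"), 0) + 1
    findings = []
    for sig in root.iter(q(DS, "Signature")):
        refs = sig.findall(f"{q(DS, 'SignedInfo')}/{q(DS, 'Reference')}")
        if not refs:
            findings.append("Signature has no Reference")
        for ref in refs:
            uri = ref.get("URI") or ""
            target = uri[1:] if uri.startswith("#") else ""
            if not target:   # "" = whole document; anything else is a remote or local file fetch
                findings.append(f"Reference URI {uri!r} is not a same-document '#ID' reference")
            elif id_count.get(target, 0) != 1:
                findings.append(f"Reference target ID {target!r} is missing or duplicated (XSW?)")
            elif parent_of.get(sig) is None or parent_of[sig].get("ID") != target:
                findings.append(f"Reference {uri!r} does not cover the Signature's parent element (XSW?)")
            for t in ref.iterfind(f"{q(DS, 'Transforms')}/{q(DS, 'Transform')}"):
                if t.get("Algorithm") not in ALLOWED_TRANSFORMS:
                    findings.append(f"Transform {t.get('Algorithm')!r} is not on the allowlist")
        ki = sig.find(q(DS, "KeyInfo"))
        if ki is not None and ki.find(q(DS, "RetrievalMethod")) is not None:
            findings.append("KeyInfo/RetrievalMethod points at key material outside the document")
        if ki is not None and ki.find(q(DS, "X509Data")) is not None:
            findings.append("KeyInfo carries a certificate: verify with the metadata certificate, not this one")
    for cr in root.iter(q(XENC, "CipherReference")):
        findings.append(f"xenc:CipherReference URI={cr.get('URI')!r}: ciphertext would be fetched by reference")
    return findings

# Constructed sample assertions; hostnames, IDs and digest/signature values are placeholders
def sample_assertion(reference_uri="#_a1", transforms=(ENVELOPED, EXC_C14N), keyinfo=""):
    tlist = "".join(f'<ds:Transform Algorithm="{t}"/>' for t in transforms)
    return f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_a1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="{reference_uri}"><ds:Transforms>{tlist}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>{keyinfo}</ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
</saml:Assertion>""".encode()

CLEAN = sample_assertion()
SUSPICIOUS = sample_assertion(
    reference_uri="http://external.invalid/signed.xml",                      # remote dereference
    transforms=(ENVELOPED, "http://www.w3.org/TR/1999/REC-xslt-19991116"),   # XSLT transform
    keyinfo='<ds:KeyInfo><ds:RetrievalMethod URI="http://external.invalid/key"/></ds:KeyInfo>')
WRAPPED = sample_assertion(reference_uri="#_a2")   # points at an ID that is not the Signature's parent
```

Running the lint before the signature library, rather than after, is the point: a Reference with a remote URI or an XSLT Transform is acted upon during verification, so a verifier that only reports "signature invalid" afterwards has already dereferenced or executed it.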
How can we test dereference/transformations?
- Acunetix
- No manual tools
- SAML Raider
- no Algorithm
- unparsed-text - XSLT 2.0
- it won’t detect CVE-2022-47966 (java xmlsec)
Attacks on IdP
- Signed SAMLRequest (AuthnRequest)
- SP->IdP
- Redirect-POST -> POST-POST bindings
- SAML protocol: LogoutRequest, etc
- Metadata import (Malicious SP/IdP)
- Same attack vectors
With creds / Malicious SP/IdP
- Transformation after Sign check
- Post-auth
- “Malicious” SP/IdP
- Generate a valid signature for arbitrary transformations
- How?
SAML Response
More attacks on IdP (w/ creds)
ACSSpoofing Attack
- Change SAMLRequest ACS url to an attacker's server
- Old https://web-in-security.blogspot.com/2015/04/on-security-of-saml-based-identity.html
- is it string or url comparison?
XML injection
- SAMLRequest is not signed
- Values from SAMLRequest reflected in SAMLResponse
- copy as string
- add new tags/attributes
- correctly signed
https://research.nccgroup.com/2021/03/29/saml-xml-injection/
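As an added example, not code from the slides or from the NCC Group article, the Python snippet below shows the IdP-side bug class and its fix side by side: values copied from an unsigned SAMLRequest are pasted into the SAMLResponse markup by string concatenation, versus letting the XML library serialize them so they cannot add tags or attributes. The request values carrying the injection payloads are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values as an IdP would read them from an unsigned AuthnRequest: the request ID
# carries an attribute-injection payload, the SP entityID an element-injection payload
EVIL_ID = '_req1" Extra="injected'
EVIL_SP_ENTITY_ID = 'https://sp.example.com/metadata</saml:Audience><saml:Audience>https://other.example'

def build_vulnerable(request_id, sp_entity_id):
    # Request values are pasted into the markup as strings, so they can change its structure;
    # the IdP then signs whatever came out
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" InResponseTo="{request_id}">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{sp_entity_id}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>""".encode()

def build_safe(request_id, sp_entity_id):
    # The XML library escapes attribute values and text on serialization; the structure is
    # fixed by the code, not by the input
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_r1", "Version": "2.0", "InResponseTo": request_id})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_a1", "Version": "2.0"})
    restriction = ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Conditions"), f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = sp_entity_id
    return ET.tostring(resp)

def describe(xml_bytes):
    # What a consumer parses back out: which attributes exist and how many Audience elements
    root = ET.fromstring(xml_bytes)
    return {"InResponseTo": root.get("InResponseTo"), "Extra": root.get("Extra"),
            "audiences": [a.text for a in root.iter(f"{{{SAML}}}Audience")]}
```

The same rule applies to a templating engine: copy request values through the XML serializer (or at least `xml.sax.saxutils.quoteattr` / `escape`), never through plain string formatting, because the signature the IdP adds afterwards will happily cover the injected structure.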
Attacks on SP (w/ creds)
- Sign check, Cert-related, etc
- XSW (w/ SAML Raider)
- XML parsing
- Comment injection
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
- ~ 2017
- admin@victim.com<!---->.attacker.pw
- admin@victim.com vs admin@victim.com.attacker.pw
- <? anything ?> - processing instructions inside XML
- Much more
- Logic vulnerabilities
- “how to put things together”
- very common
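An added Python example, not code from the slides or from the Duo research, for the comment-injection item above: it parses the NameID with comments and processing instructions kept as nodes, contrasts what a first-text-node reader sees with the full text, and applies the stricter rule of rejecting any NameID that is not a single text node. The Subject fragments are constructed; the addresses are the placeholders from the slide.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID = f"{{{SAML}}}NameID"

# Constructed Subject fragments. The first two carry the comment and processing-instruction
# payloads from the slide; the third is what a NameID should look like.
COMMENT_INJECTED = (f'<saml:Subject xmlns:saml="{SAML}"><saml:NameID>'
                    'admin@victim.com<!---->.attacker.pw</saml:NameID></saml:Subject>')
PI_INJECTED = (f'<saml:Subject xmlns:saml="{SAML}"><saml:NameID>'
               'admin@victim.com<?anything?>.attacker.pw</saml:NameID></saml:Subject>')
CLEAN = f'<saml:Subject xmlns:saml="{SAML}"><saml:NameID>admin@victim.com</saml:NameID></saml:Subject>'


def parse_keeping_markup(xml: str) -> ET.Element:
    # Keep comments and PIs as tree nodes so the check below can see them; ElementTree's
    # default builder drops them, which hides the question instead of answering it
    builder = ET.TreeBuilder(insert_comments=True, insert_pis=True)
    return ET.fromstring(xml, parser=ET.XMLParser(target=builder))


def nameid_first_text_node(subject: ET.Element) -> str:
    # What a library that reads only the first text node sees: the part before the comment
    return subject.find(NAMEID).text or ""


def full_text(elem: ET.Element) -> str:
    # Concatenate every text node, including the tails that follow comments and PIs
    parts = [elem.text or ""]
    for child in elem:
        if isinstance(child.tag, str):        # a real child element
            parts.append(full_text(child))
        parts.append(child.tail or "")        # comment / PI: only its tail is text
    return "".join(parts)


def nameid_full_text(subject: ET.Element) -> str:
    return full_text(subject.find(NAMEID))


def nameid_is_clean(subject: ET.Element) -> bool:
    # Hardened rule: a NameID must be one non-empty text node. Any child node (comment, PI,
    # element) is grounds to reject the assertion rather than guess which part is the user
    node = subject.find(NAMEID)
    return node is not None and len(node) == 0 and bool((node.text or "").strip())
```

The two extractors disagree on the injected inputs, which is exactly the gap the attack lives in: the signature covers the canonicalized full text, while the account lookup used the first node. Rejecting structure inside NameID removes the disagreement instead of picking a side.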
Session handling
RelayState
- State Preservation
- URL
- “Open Redirect”
https://hackerone.com/reports/1923672
https://www.anitian.com/owning-saml/
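RelayState validation as an added Python example, not code from the slides or from the linked reports: after login the SP accepts only a local path or an absolute https URL on one of its own hosts as the redirect target, and falls back to its home page otherwise. `ALLOWED_HOSTS` is a constructed placeholder.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"app.example.com"})   # constructed: the SP's own host names


def is_safe_relay_state(relay_state, allowed_hosts=ALLOWED_HOSTS):
    """True only for a local path or an absolute https URL on one of our own hosts."""
    if not relay_state or len(relay_state) > 2048:
        return False
    if any(ch in relay_state for ch in "\\\r\n\t "):
        return False   # browsers and urlsplit disagree on these; refuse rather than normalise
    try:
        parts = urlsplit(relay_state)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # relative path: "/x" is fine, "//host/x" is scheme-relative and would leave the site
        return relay_state.startswith("/") and not relay_state.startswith("//")
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def post_login_redirect(relay_state, fallback="/"):
    # The SP only ever sends the browser somewhere it validated; otherwise go home
    return relay_state if is_safe_relay_state(relay_state) else fallback
```

An alternative that avoids URL parsing entirely is to store the intended return path server-side and put only an opaque key in RelayState; the check above is for deployments that keep the URL in the parameter.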
Multitenant (1 SP - many IdPs)
Don’t trust IdP
- Auth based on SAML Response
- Manipulate NameId, Issuer, ACS
- Email from another tenant -> access
IdP confusion https://hackerone.com/reports/976603
- IdP victim - “IdP1”
- IdP attacker - “IdP1 ” (with a space at the end)
- Sign check w/ victim’s IdP, log in to the attacker’s account
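An added Python model of the multitenant confusion the two slides above point at; it is not code from the slides or from the HackerOne report, whose exact mechanics the slide does not spell out. What it models is a registry where one tenant lookup normalises the Issuer while another matches it exactly, and where the NameID's e-mail domain is never tied to the tenant whose IdP actually signed. Tenant names, entityIDs and certificate fingerprints are constructed placeholders; signature verification is stood in for by a fingerprint comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    name: str
    idp_entity_id: str         # Issuer value expected in the SAML Response
    idp_cert_fingerprint: str  # signing cert from that tenant's IdP metadata (placeholder)
    email_domains: frozenset   # NameID e-mail domains this tenant may assert


# Constructed registry. The second tenant registered an entityID that differs from the
# first only by a trailing space, the shape of collision the slide describes.
VICTIM_FP, ATTACKER_FP = "SHA256:VICTIM-PLACEHOLDER", "SHA256:ATTACKER-PLACEHOLDER"
TENANTS = (
    Tenant("victim", "https://idp.victim.example/saml", VICTIM_FP, frozenset({"victim.example"})),
    Tenant("attacker", "https://idp.victim.example/saml ", ATTACKER_FP, frozenset({"attacker.example"})),
)


def canonical(entity_id: str) -> str:
    return entity_id.strip().casefold()


def vulnerable_login(issuer, signer_fingerprint, email):
    # Modelled bug: the signing key is found by exact Issuer, the account by a normalised
    # Issuer, so two different tenants answer for the same Response
    key_tenant = next((t for t in TENANTS if t.idp_entity_id == issuer), None)
    if key_tenant is None or key_tenant.idp_cert_fingerprint != signer_fingerprint:
        return None
    account_tenant = next(t for t in TENANTS if canonical(t.idp_entity_id) == canonical(issuer))
    return (account_tenant.name, email)


def hardened_login(issuer, signer_fingerprint, email):
    matches = [t for t in TENANTS if t.idp_entity_id == issuer]   # one lookup, exact match
    if len(matches) != 1 or matches[0].idp_cert_fingerprint != signer_fingerprint:
        return None
    tenant = matches[0]
    domain = email.rpartition("@")[2].casefold()
    if domain not in tenant.email_domains:   # NameID from another tenant: the IdP is not trusted for it
        return None
    return (tenant.name, email)


def can_register(entity_id: str) -> bool:
    # Registration-time defence: refuse entityIDs that collide with an existing one after normalisation
    return canonical(entity_id) not in {canonical(t.idp_entity_id) for t in TENANTS}
```

Two lookups keyed on differently-normalised strings is the general shape to look for in any multitenant SSO code path; the fix is one lookup, exact comparison, and binding the asserted identity to the tenant record that supplied the verification key.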
Recommendations
- Don’t implement SAML “lib” yourself
- Use 3rd party libs
- Update libs systematically
- Show a generic error
- Disable unnecessary features
- KeyInfo? XML Enc?
- Be careful w/ metadata
- Always pentest your SAML implementation in SP
- Pentest your IdP if it’s not SaaS
- Write me if you have any questions
Big thanks to the researchers of mentioned articles/white papers/tools
New cheat sheet about SAML?
https://github.com/GrrrDog/
Green Paws of Relaxation
https://t.me/greenrelaxpaws
How to break SAML if I have paws?

More Related Content

What's hot

Nginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressNginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressKnoldus Inc.
 
devops 2년차 이직 성공기.pptx
devops 2년차 이직 성공기.pptxdevops 2년차 이직 성공기.pptx
devops 2년차 이직 성공기.pptxByungho Lee
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Apache Solr-Webinar
Apache Solr-WebinarApache Solr-Webinar
Apache Solr-WebinarEdureka!
 
AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지
AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지
AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지Changje Jeong
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
The Odoo JS Framework
The Odoo JS FrameworkThe Odoo JS Framework
The Odoo JS FrameworkOdoo
 
Fargate 를 이용한 ECS with VPC 1부
Fargate 를 이용한 ECS with VPC 1부Fargate 를 이용한 ECS with VPC 1부
Fargate 를 이용한 ECS with VPC 1부Hyun-Mook Choi
 
Working with deeply nested documents in Apache Solr
Working with deeply nested documents in Apache SolrWorking with deeply nested documents in Apache Solr
Working with deeply nested documents in Apache SolrAnshum Gupta
 
Streaming Data Analytics with Amazon Redshift and Kinesis Firehose
Streaming Data Analytics with Amazon Redshift and Kinesis FirehoseStreaming Data Analytics with Amazon Redshift and Kinesis Firehose
Streaming Data Analytics with Amazon Redshift and Kinesis FirehoseAmazon Web Services
 
AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당:: AWS Summit Online Korea 2020
AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당::  AWS Summit Online Korea 2020AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당::  AWS Summit Online Korea 2020
AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당:: AWS Summit Online Korea 2020Amazon Web Services Korea
 
User Defined Aggregation in Apache Spark: A Love Story
User Defined Aggregation in Apache Spark: A Love StoryUser Defined Aggregation in Apache Spark: A Love Story
User Defined Aggregation in Apache Spark: A Love StoryDatabricks
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - SlidesAmit Dubey
 
webservice scaling for newbie
webservice scaling for newbiewebservice scaling for newbie
webservice scaling for newbieDaeMyung Kang
 
Cache in API Gateway
Cache in API GatewayCache in API Gateway
Cache in API GatewayGilWon Oh
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Introduction to Elasticsearch
Introduction to ElasticsearchIntroduction to Elasticsearch
Introduction to ElasticsearchRuslan Zavacky
 

What's hot (20)

Nginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressNginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes Ingress
 
CDN overview
CDN overviewCDN overview
CDN overview
 
devops 2년차 이직 성공기.pptx
devops 2년차 이직 성공기.pptxdevops 2년차 이직 성공기.pptx
devops 2년차 이직 성공기.pptx
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Apache Solr-Webinar
Apache Solr-WebinarApache Solr-Webinar
Apache Solr-Webinar
 
AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지
AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지
AWS를 활용하여 Daily Report 만들기 : 로그 수집부터 자동화된 분석까지
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection
 
The Odoo JS Framework
The Odoo JS FrameworkThe Odoo JS Framework
The Odoo JS Framework
 
Fargate 를 이용한 ECS with VPC 1부
Fargate 를 이용한 ECS with VPC 1부Fargate 를 이용한 ECS with VPC 1부
Fargate 를 이용한 ECS with VPC 1부
 
Working with deeply nested documents in Apache Solr
Working with deeply nested documents in Apache SolrWorking with deeply nested documents in Apache Solr
Working with deeply nested documents in Apache Solr
 
Streaming Data Analytics with Amazon Redshift and Kinesis Firehose
Streaming Data Analytics with Amazon Redshift and Kinesis FirehoseStreaming Data Analytics with Amazon Redshift and Kinesis Firehose
Streaming Data Analytics with Amazon Redshift and Kinesis Firehose
 
AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당:: AWS Summit Online Korea 2020
AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당::  AWS Summit Online Korea 2020AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당::  AWS Summit Online Korea 2020
AWS를 통한 데이터 분석 및 처리의 새로운 혁신 기법 - 김윤건, AWS사업개발 담당:: AWS Summit Online Korea 2020
 
User Defined Aggregation in Apache Spark: A Love Story
User Defined Aggregation in Apache Spark: A Love StoryUser Defined Aggregation in Apache Spark: A Love Story
User Defined Aggregation in Apache Spark: A Love Story
 
Amazon DynamoDB 키 디자인 패턴
Amazon DynamoDB 키 디자인 패턴Amazon DynamoDB 키 디자인 패턴
Amazon DynamoDB 키 디자인 패턴
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - Slides
 
webservice scaling for newbie
webservice scaling for newbiewebservice scaling for newbie
webservice scaling for newbie
 
Cache in API Gateway
Cache in API GatewayCache in API Gateway
Cache in API Gateway
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Introduction to Elasticsearch
Introduction to ElasticsearchIntroduction to Elasticsearch
Introduction to Elasticsearch
 

Similar to How to break SAML if I have paws?

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security SeminarCalibrate
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating securityJohn Staveley
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeAman Kohli
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypassTarachand Verma
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of TruthJoel W. King
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the CloudAmazon Web Services
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Seattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js WorkshopSeattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js WorkshopJimmy Guerrero
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
Get Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaround
Get Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaroundGet Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaround
Get Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaroundDataGeekery
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoknaddison
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 

Similar to How to break SAML if I have paws? (20)

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Drupal Security Seminar
Drupal Security SeminarDrupal Security Seminar
Drupal Security Seminar
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypass
 
Super-NetOps Source of Truth
Super-NetOps Source of TruthSuper-NetOps Source of Truth
Super-NetOps Source of Truth
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the Cloud
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Seattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js WorkshopSeattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js Workshop
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Get Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaround
Get Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaroundGet Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaround
Get Back in Control of your SQL with jOOQ - GeekOut by ZeroTurnaround
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicago
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Brakeman
BrakemanBrakeman
Brakeman
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Sails.js Intro
Sails.js IntroSails.js Intro
Sails.js Intro
 

Recently uploaded

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 

Recently uploaded (20)

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 

How to break SAML if I have paws?

  • 1. Суповой набор №5а. Как ломать SAML, если у меня лапки? How to hack SAML if I have paws? Aleksei “GreenDog” Tiurin
  • 2. WHOAMI? - Security researcher - Invicti Security (Acunetix) - Зеленые лапки расслабленности t.me/greenrelaxpaws agrrrdog.blogspot.com github.com/GrrrDog/ Aleksei Tiurin GreenDog
  • 3. SAML - Security Assertion Markup Language ● SSO ● Authentication and authorization ● Everywhere
  • 4. SAML - Security Assertion Markup Language ● Very old standards (~2002-2005) ○ SAML 1.0 / 2.0 ● Based on ○ HTTP ○ XML ○ XML Schema ○ XML Digital Signature (XML DSig) ○ XML Encryption ● Complicated standards ○ Protocols/Bindings/Profiles ○ Full specs - hundreds of pages
  • 5. “10 Years later” ● Old technologies -> old libs ○ xmlsec (java / c) ● Complex configurations ● Many Implementations https://en.wikipedia.org/wiki/SAML-based_products_and_services ● ZeroNights 2012 ● (almost) All the same attacks ^_^
  • 6. Identity Provider (IdP) - where user creds are stored - Okta, OneLogin, PingIdentity, MS AAD, etc - OpenAM, Keycloak, Oracle OAM, Shibboleth, etc Service Provider (SP) - an application that a user wants to access - … Jira, WordPress, AWS ...
  • 7. - One IdP - many SPs - Corporate SSO - One SP - many IdPs - SaaS that needs to support multiple organizations
  • 8. Flows - SP initiated - IdP initiated (from 4) SAML Request SAML Response
  • 9. SAMLRequest - From SP toIdP - Redirect Binding (GET) / POST Binding (HTML Form) - Base64
  • 10. SAMLResponse - From IdP to SP - POST Binding HTML form - Base64 + Deflate
  • 11. SAMLResponse - Signed Response - Signed Assertion - Both
  • 12. How does the signature work?
  • 13. Situations:
    - Anonymous attacks
    - A user in IdP
    - Malicious SP
    - Malicious IdP
    Core tool
    - SAML Raider extension in Burp
  • 14. Anonymous attacks
    1. SAMLRequest - Detect that SAML is used
    2. From SAMLRequest
      - Issuer (IdP)
      - AssertionConsumerServiceURL (ACS) - where SP expects SAMLResponse
      - SP’s SAML lib name
      - id generator - format, name, etc
      - Destination (IdP)
  • 15. SAML Metadata
    - Configuration exchange for SP and IdP
    - Names, endpoints, certificates…
    - Signature, encryption, additional attributes…
    SP doesn’t expose it (usually)
    IdP:
    - known endpoints
      - oamfed/idp/metadata
    - from Destination
      - okta.com/app/appname/RND/sso/saml ->
      - okta.com/app/RND/sso/saml/metadata
    Now we have almost everything to create a good SAMLResponse from nothing
  • 16. Creating SAML Response
    - POST to ACS url
    - Known SAML schemas
    - Info from SAMLRequest
      - Destination - ACS url
      - InResponseTo - ID
      - Issue Timestamp
    - Issuer - From metadata
      - Both Response and Assertion
    - Subject / NameID - email?
    - Conditions
      - NotBefore + NotOnOrAfter
      - AudienceRestriction - ?
    - AuthnStatement - ?
    http://www.datypic.com/sc/saml2/e-samlp_Response.html
    http://www.datypic.com/sc/saml2/e-saml_Assertion.html
  • 17. 1. XML -> XXE (+XSD/NS injection?)
      - https://nvd.nist.gov/vuln/detail/CVE-2022-35741
    2. XSS
      - Often show errors for debug
      - Before Sign check - Issuer, Destination, StatusCode, etc
      - using the created SAML Response
      - XSS payload -> every “field”
      - encode/CDATA
      Destination="&gt;&lt;img/src/onerror=alert(1)&gt;"
    (figure: SAML Response)
  • 18. Authentication bypass
    - Disabled sign check - common misconfig
    - No <Signature/> tag - no Sign check
      https://hackerone.com/reports/136169
    - Complicated specifications
      - nobody uses advanced features
      - Documentation (SP/IdP)?
    - NameID - email
      - Find a registered email?
      - Auto provisioning
    - Create SAML Response(s)
    - Try them
    - Error messages
    https://mishresec.wordpress.com/2017/10/13/uber-bug-bounty-gaining-access-to-an-internal-chat-system/
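As an added, defender-side example (not from the slides or any SAML library): the content checks an SP should run on a SAMLResponse next to XML-DSig verification, covering the fields listed on slide 16 and the missing-Signature bypass of slide 18. The namespaces are the standard SAML 2.0 ones; every URL, ID and timestamp in the sample is constructed.

```python
# Added example, not from the slides: SP-side content checks on a SAMLResponse. Cryptographic
# XML-DSig verification is left to xmlsec/your library; a *missing* Signature is a hard failure.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_ts(s):  # SAML timestamps are UTC 'YYYY-MM-DDTHH:MM:SSZ'
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_response(xml_text, acs_url, sp_entity_id, trusted_issuers, pending_ids, now):
    """Return the list of problems found; an empty list means every check passed."""
    problems, root = [], ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (EncryptedAssertion not handled here)"]
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    if root.get("Destination") != acs_url:           # exact string match, not host/prefix
        problems.append("Destination does not match our ACS url")
    if root.get("InResponseTo") not in pending_ids:  # rejects unsolicited/replayed responses
        problems.append("InResponseTo is not a pending request ID")
    # Issuer matched exactly: 'IdP1' and 'IdP1 ' (trailing space) are different tenants
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append(f"untrusted Issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Conditions element missing"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not (nb and na and parse_ts(nb) <= now < parse_ts(na)):
        problems.append("assertion is outside its validity window (or bounds missing)")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if sp_entity_id not in audiences:
        problems.append("AudienceRestriction does not name this SP")
    return problems

# Constructed sample: well-formed and in-window, but unsigned ("No <Signature/> tag")
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example/acs" InResponseTo="_req42">
 <saml:Issuer>https://idp.example</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example</saml:Issuer><saml:Subject><saml:NameID>alice@example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```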
  • 19. KeyInfo
    - Info about the key
    - ds:Signature
    - Self-Signed certificate
    (figure: SAML Response)
  • 20. Certificate faking for Authentication bypass
    - Take Certificate from Metadata
    - Import in SAML Raider
    - Sign the created SAML Response(s)
    - Incorrect certificate match
    - Trust KeyInfo certificate
    https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/#certificate-faking
    (figure: SAML Response)
  • 21. Dupe Key Confusion (.NET)
    - Alvaro Muñoz, Oleksandr Mirosh at BlackHat 2019
      https://i.blackhat.com/USA-19/Wednesday/us-19-Munoz-SSO-Wars-The-Token-Menace.pdf
    - Better with a valid SAML Response
    (figure: SAML Response)
  • 22. Certificate validation to SSRF
    - Trust KeyInfo certificate
    - Certificate validation
    - SSRF in X509 cert - Michael Stepankin at BlackHat 2023
      https://github.com/onhexgroup/Conferences/blob/main/Black%20Hat%20USA%202023%20slides/Michael%20Stepankin_mTLS%20When%20Certificate%20Authentication%20is%20Done%20Wrong.pdf
    - Java - AIA, SIA, CRL DP
    - Created SAML Response
      - Add KeyInfo with SSRF cert
    - Windows? .NET?
  • 23. Reference dereferencing
    - Data location - URI
      - remote files (http, https, etc)
      - local files
    - (Blind) SSRF
    - Everywhere!
      - XML DSig
      - XML Enc
      - Metadata
      - …
    (figure: SAML Response)
  • 24. Reference dereferencing (XML DSig)
    - Reference
      https://github.com/IdentityPython/pysaml2/issues/510
    - KeyInfo
    - Java xmlsec: SecureValidation bypass (CVE-2021-40690)
      https://blog.tint0.com/2021/09/pinging-xmlsec.html
    (figure: SAML Response)
  • 25. Reference dereferencing (XML Enc)
    - CipherReference
    - DataReference
    - + EncryptedKey -> KeyInfo
  • 26. Transformations
    - XML “normalization”
    - Additional “preparations”
      - Base64
      - XPath
      - XPath-Filter
      - XSLT (optional)
      - …
  • 27. Base64
    http://www.w3.org/2000/09/xmldsig#base64
    - .NET XXE CVE-2022-34716
      - Decode Reference + Parse XML
      - XXE inside
      https://bugs.chromium.org/p/project-zero/issues/detail?id=2313
  • 28. XPath
    http://www.w3.org/TR/1999/REC-xpath-19991116
    - Blind SSRF
    - Mix with Reference (xml files)
    - Error
    - Modified version of a payload for PingIdentity from
      https://blog.tint0.com/2021/09/pinging-xmlsec.html
  • 29. XSLT
    http://www.w3.org/TR/1999/REC-xslt-19991116
    - Java / Santuario (xmlsec) <= 1.4.1 (~ 2010)
    - via Xalan
    - RCE ManageEngine ServiceDesk CVE-2022-47966
  • 30. xmlsec >= 1.4.2
    - Secure-processing - true
    - Xalan CVE-2014-0107 (< 2.7.2)
      - Arbitrary class instantiation
    https://blog.viettelcybersecurity.com/saml-show-stopper/
  • 32. How can we test dereference/transformations?
    - Acunetix
    - No manual tools
      - SAML Raider - no Algorithm
    - unparsed-text - XSLT 2.0
      - it won’t detect CVE-2022-47966 (java xmlsec)
  • 33. Attacks on IdP
    - Signed SAMLRequest (AuthnRequest) - SP->IdP
      - Redirect-POST -> POST-POST bindings
    - SAML protocol: LogoutRequest, etc
    - Metadata import (Malicious SP/IdP)
    - Same attack vectors
  • 34. With creds / Malicious SP/IdP
    - Transformation after Sign check
      - Post-auth
      - “Malicious” SP/IdP
    - Generate a valid signature for arbitrary transformations - How?
    (figure: SAML Response)
  • 35. More attacks on IdP (w/ creds)
    ACS Spoofing Attack
    - Change SAMLRequest ACS url to an attacker’s server
    - Old: https://web-in-security.blogspot.com/2015/04/on-security-of-saml-based-identity.html
    - is it string or url comparison?
    XML injection
    - SAMLRequest is not signed
    - Values from SAMLRequest reflected in SAMLResponse
      - copy as string
      - add new tags/attributes
      - correctly signed
    https://research.nccgroup.com/2021/03/29/saml-xml-injection/
  • 36. Attacks on SP (w/ creds)
    - Sign check, Cert-related, etc
    - XSW (w/ SAML Raider)
    - XML parsing
      - Comment injection (~ 2017)
        https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
        - admin@victim.com<!---->.attacker.pw
        - admin@victim.com vs admin@victim.com.attacker.pw
      - <? anything ?> - processing instructions inside XML
      - Much more
    - Logic vulnerabilities - “how to put things together” - very common
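The comment-injection case from slide 36, as an added example (not from the Duo write-up or the slides): the NameID extractor that reads only the first text node, next to a strict one that refuses anything but text inside NameID. The signature survives such an insert because exclusive C14N drops comments, so the fix belongs in how the verified document is read; the NameID values are the slide's own, wrapped in a constructed element.

```python
# Added example, not from the slides: the NameID read that the 2017 comment-injection
# finding abused, and a strict read that rejects comments and processing instructions.
from xml.dom import minidom

# Constructed samples: an empty comment and a processing instruction splitting the NameID
COMMENT_SPLIT = "<NameID>admin@victim.com<!---->.attacker.pw</NameID>"
PI_SPLIT = "<NameID>admin@victim.com<?x ?>.attacker.pw</NameID>"

def nameid_naive(xml_text):
    """Vulnerable pattern: read only the first text node of NameID."""
    el = minidom.parseString(xml_text).documentElement
    return el.firstChild.data          # stops at the comment/PI boundary

def nameid_strict(xml_text):
    """Hardened: NameID may contain text nodes only; anything else is rejected."""
    el = minidom.parseString(xml_text).documentElement
    for child in el.childNodes:
        if child.nodeType != child.TEXT_NODE:
            raise ValueError(f"unexpected {child.nodeName} node inside NameID")
    return "".join(child.data for child in el.childNodes)

def nameid_is_safe(xml_text):
    """True when the strict read accepts the element; what a validator would gate on."""
    try:
        nameid_strict(xml_text)
        return True
    except ValueError:
        return False
```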
  • 37. Session handling
    RelayState
    - State Preservation
    - URL - “Open Redirect”
      https://hackerone.com/reports/1923672
      https://www.anitian.com/owning-saml/
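For the RelayState open redirect on slide 37, an added defender-side example (not from the slides or the linked reports): a check an SP can apply before redirecting to RelayState after login. The allowed host "sp.example" and the fallback "/" are constructed; the rejected shapes (protocol-relative, userinfo, backslash, non-https scheme) are the ones a URL parser and a browser disagree on.

```python
# Added example, not from the slides: only redirect to RelayState when it is a local
# path or an https URL on one of this SP's own hosts; everything else falls back.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"sp.example"}   # constructed: hosts this SP may send users to

def safe_relay_state(relay_state, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return relay_state if it is safe to redirect to, otherwise the default page."""
    if not relay_state or len(relay_state) > 2048:
        return default
    # Browsers treat '\' like '/', and whitespace/control chars confuse parsers: reject outright
    if "\\" in relay_state or any(ord(ch) <= 0x20 for ch in relay_state):
        return default
    try:
        parts = urlsplit(relay_state)
        port = parts.port                # raises ValueError on a malformed port
    except ValueError:
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash ("//evil" would be protocol-relative)
        ok = relay_state.startswith("/") and not relay_state.startswith("//")
        return relay_state if ok else default
    # Absolute target: https only, hostname matched exactly (defeats user@evil and sub-domain tricks)
    if parts.scheme == "https" and parts.hostname in allowed_hosts and port is None:
        return relay_state
    return default
```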
  • 38. Multitenant (1 SP - many IdPs)
    Don’t trust IdP
    - Auth based on SAML Response
    - Manipulate NameId, Issuer, ACS
    - Email from another tenant -> access
    IdP confusion
    https://hackerone.com/reports/976603
    - IdP victim - “IdP1”
    - IdP attacker - “IdP1 ” (with a space at the end)
    - Sign check w/ victim’s IdP, log in to the attacker’s account
  • 39. Recommendations
    - Don’t implement SAML “lib” yourself
      - Use 3rd party libs
      - Update libs systematically
    - Show a generic error
    - Disable unnecessary features
      - KeyInfo? XML Enc?
    - Be careful w/ metadata
    - Always pentest your SAML implementation in SP
    - Pentest your IdP if it’s not SaaS
    - Write me if you have any questions
  • 40. Big thanks to the researchers of mentioned articles/white papers/tools
  • 41. New cheat sheet about SAML?
    https://github.com/GrrrDog/
    Зеленые лапки расслабленности (Green Relax Paws)
    https://t.me/greenrelaxpaws