Download as PDF, PPTX
Securing SAML SSO from XSW attacks
- 1.
- 2. Security Internal.com Tharindu Edirisinghe GraduateResearcher/ PhD Student Open Source Contributor RaiderJava Encoder @thariyarox
- 3. What is SingleSign On (SSO) ?
- 4. Identity Provider (Office 365) Zoom Examplefor SSO Email Moodle (LMS) Timetable Service Providers (Replying Party Applications) Authentication Request Authentication Response Use Account
- 5. Identity Provider Zoom SAML inSSO Email Moodle (LMS) Timetable Service Providers (Replying Party Applications) SAML Authentication Request SAML Authentication Response Use Account
- 6.
- 7. Identity Provider SAML AuthenticationAttack Client Service Provider (Replying Party Application) SAML Authentication Request SAML Authentication Response Use Account JoanneResponse Assertion JoanneAdmin
- 8.
- 9.
- 10. Digital Signatures andSignature Verification Source: https://en.wikipedia.org/wiki/Electronic_signature#/media/File:Digital_Signature_diagram.svg Identity Provider needs to sign the responses Relying Party needs to verify the signature
- 11. Identity Provider Digitally SignedSAML Responses/Assertions Client Service Provider (Replying Party Application) SAML Authentication Request SAML Authentication Response Use Account JoanneResponse Assertion Sign the Response/Assertion Verify the signature of Response/Assertion Assertion Signature Response Signature
- 12. DEMO SAML Authentication Attack Preventionwith Digital Signatures
- 13. Structure of XMLSignature Source: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf
- 14.
- 23. Apache Tomcat Server (Port8080) WSO2 Identity Server (Port 9443) Web Browser (Uses Proxy Port 9090) BurpSuite (Port 9090) Travelocity.com Sample SAML Client Application SAML Identity Provider SAML Raider XSW DEMO Setup Modified SAML Raider : https://github.com/thariyarox/SAMLRaider/blob/NewAttacks/target/saml-raider-1.2.0-SNAPSHOT-jar-with-dependencies.jar
- 24.
- 25. Source: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf WSO2 SecurityAdvisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0104
- 26. Office 365 SAML ClientApp Salesforce Where it’s fixed? SAML Request SAML Response SAML Request SAML Response Fix for SAML Signature Validation Fix ???
- 27. XSW Prevention ? ●If the SAML client is implemented using a 3rd party library, check if it supports XSW prevention. (Eg: OpenSAML client library) ● If SAML assertion/response parsing is done with your implementation, add extra validations. (Eg: prevent multiple responses/assertions in the XML message) ● Conduct penetration testing for SAML authentication flows. Use standard tools or make your own one ! (https://github.com/thariyarox/SAMLRaider/tree/NewAttacks/target)
- 28.
- 29. XML Comments Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <AX="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > Both are logically equal
- 30. XML Comments inSignature? Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <A X="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > XML Transformation (Canonicalization) Transformed XML Generate XML Signature
- 31. exc-c14n#WithComments canonicalization Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <AX="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > XML Transformation (Canonicalization) Transformed XML Generate XML Signature <A X="1" Y="2">some text<!-- and a comment --></A> Two inputs will end up with different signatures XML Transformation (Canonicalization) Transformed XML <A X="1" Y="2">some text</A> Generate XML Signature
- 32. exc-c14n canonicalization Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <AX="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > XML Transformation (Canonicalization) Transformed XML Generate XML Signature < A Y="2" X="1" >some text</ A > Both inputs will end up with the same signature
- 33. XML Parser issueswith processing comments (exc-c14n) Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <A>first text<!-- comment -->second text</A> first text <!-- comment --> second text node_A.getText() What gets returned??
- 34. XML Parser issueswith processing comments (exc-c14n) Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <Username> phil <!-- comment --> lip </Username> phil <!-- comment --> lip node_A.getText() Returns first part of the text Victim Attacker’s username is phillip
- 35. XML Parser issueswith processing comments (exc-c14n) Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <Username> jo <!-- comment --> anne </Username> jo <!-- comment --> anne node_A.getText() Returns last part of the text Victim Attacker’s username is joanne
- 36.
- 37. XML Comments AttackPrevention ● Use exc-c14n#WithComments canonicalization algorithm. ● If exc-c14n is used, process the text of the XML node separately and remove the comment before extracting the node value. ● Use an XML processing library which is not vulnerable to the string tokenization issue when comments are present. (Eg: DOM parser, SAX parser)
- 38. Summary ● Single SignOn (SSO) ● SAML for SSO ● Digital Signatures ● XSW attacks on SAML ● Penetration testing SAML flows ● XML comments in signatures ● SAML attack prevention
- 39.