SAML Injection
Security Assertion Markup Language (SAML) is an open standard that allows security credentials to be shared by multiple computers across a network. When using SAML-based Single Sign-On (SSO), three distinct parties are involved. There is a user (the so-called principal), an IDentity Provider (IDP), and a cloud application Service Provider (SP). - centrify
Summary
Tools
Authentication Bypass
Invalid Signature
Signature Stripping
XML Signature Wrapping Attacks
XML Comment Handling
XML External Entity
Extensible Stylesheet Language Transformation
Tools
Authentication Bypass
A SAML Response should contain the <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
.
Invalid Signature
Signatures which are not signed by a real CA are prone to cloning. Ensure the signature is signed by a real CA. If the certificate is self-signed, you may be able to clone the certificate or create your own self-signed certificate to replace it.
Signature Stripping
[...]accepting unsigned SAML assertions is accepting a username without checking the password - @ilektrojohn
The goal is to forge a well formed SAML Assertion without signing it. For some default configurations if the signature section is omitted from a SAML response, then no signature verification is performed.
Example of SAML assertion where NameID=admin
without signature.
XML Signature Wrapping Attacks
XML Signature Wrapping (XSW) attack, some implementations check for a valid signature and match it to a valid assertion, but do not check for multiple assertions, multiple signatures, or behave differently depending on the order of assertions.
XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.
XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature.
XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion.
XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion within the existing Assertion.
XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message.
XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature.
XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion.
XSW8 – Applies to SAML Assertion messages. Add an “Object” block containing a copy of the original assertion with the signature removed.
In the following example, these terms are used.
FA: Forged Assertion
LA: Legitimate Assertion
LAS: Signature of the Legitimate Assertion
In the Github Enterprise vulnerability, this request would verify and create a sessions for Attacker
instead of Legitimate User
, even if FA
is not signed.
XML Comment Handling
A threat actor who already has authenticated access into a SSO system can authenticate as another user without that individual’s SSO password. This vulnerability has multiple CVE in the following libraries and products.
OneLogin - python-saml - CVE-2017-11427
OneLogin - ruby-saml - CVE-2017-11428
Clever - saml2-js - CVE-2017-11429
OmniAuth-SAML - CVE-2017-11430
Shibboleth - CVE-2018-0489
Duo Network Gateway - CVE-2018-7340
Researchers have noticed that if an attacker inserts a comment inside the username field in such a way that it breaks the username, the attacker might gain access to a legitimate user's account.
Where user@user.com
is the first part of the username, and .evil.com
is the second.
XML External Entity
An alternative exploitation would use XML entities
to bypass the signature verification, since the content will not change, except during XML parsing.
In the following example:
&s;
will resolve to the string"s"
&f1;
will resolve to the string"f1"
The SAML response is accepted by the service provider. Due to the vulnerability, the service provider application reports "taf" as the value of the "uid" attribute.
Extensible Stylesheet Language Transformation
An XSLT can be carried out by using the transform
element.
References
Last updated