Attacking Authentication Mechanisms
SAML Tools of the Trade & Vulnerability Prevention
After discussing multiple vulnerabilities in SAML implementations, let us discuss what tools we can use to simplify the vulnerability identification and exploitation process. Furthermore, we will briefly explore how to prevent SAML-based vulnerabilities.
Tools of the Trade
SAML Raider is an extension for BurpSuite that we can use to identify and exploit vulnerabilities in SAML implementations. We can install it from the BurpSuite App Store under Extensions > BApp Store.
After installing the extension, it automatically highlights requests containing SAML-related data in the HTTP proxy tab:
To explore more functionalities provided by SAML Raider, let us send the request sending the SAML response to the service provider to Burp Repeater. As we can see, SAML Raider adds a new tab to the request in Burp Repeater:
Clicking on the SAML Raider tab and then on SAML Message Info displays some general information about the SAML data as well as the decoded XML data at the bottom of the window:
In the SAML Attacks tab, we can exploit all vulnerabilities discussed in this module. We can execute a signature exclusion attack by clicking the Remove Signatures button. SAML Raider automatically removes the ds:Signature node from the SAML response. Furthermore, we can execute XXE and XSLT attacks, as well as all eight variants of signature wrapping attacks:
SAML Raider will adjust the SAML response accordingly and re-encode the XML data. All we have to do after selecting an attack in SAML Raider is to re-send the request in Burp Repeater. This simplifies vulnerability identification and exploitation greatly since we no longer have to decode and re-encode the SAML response XML data manually.
Vulnerability Prevention
To prevent vulnerabilities resulting from improper implementation of SAML, it is essential to use an established SAML library to handle any SAML-related operations, such as signature verification and extraction of authentication-related information from SAML assertions. If kept up-to-date, modern SAML libraries will be patched against the vulnerabilities discussed in the previous sections.
For more details on SAML Security, check out OWASP's SAML Security Cheat Sheet.
Table of Contents
Introduction to Authentication Mechanisms
Introduction to Authentication MechanismsJWTs
Introduction to JWTs Attacking Signature Verification Attacking the Signing Secret Algorithm Confusion Further JWT Attacks JWT Tools of the Trade & Vulnerability PreventionOAuth
Introduction to OAuth OAuth Lab Setup Stealing Access Tokens Improper CSRF Protection Additional OAuth Vulnerabilities OAuth Vulnerability PreventionSAML
Introduction to SAML SAML Lab Setup Signature Exclusion Attack Signature Wrapping Attack Additional SAML Vulnerabilities SAML Tools of the Trade & Vulnerability PreventionSkills Assessment
Skills AssessmentMy Workstation
OFFLINE
/ 1 spawns left
