AppSec Tales X | SAML - Pentestmag

by Karol Mazurek


Application Security Testing of the SAML protocol guidelines.

This article describes application security testing of the SAML protocol.
The advice in this article is based on the following:

Constantly update the tools.

Upgrade Burp Suite with the following extensions:

/saml
/saml2
/saml/login
/saml2/login
/saml/auth
/saml2/auth
/saml/init
/saml2/init
/saml/consume
/saml2/consume
/simplesaml/module.php/core/loginuserpass.php
/simplesaml/saml2/idp
AuthState
SAMLRequest
authenticity_token
SAMLResponse
RelayState

Modify the SAML response.

  • If the signature is not verified, an attacker can forge the identity data in the SAML response at will.
Source: Own study — Testing SAML Unverified Signature.
Source: Own study — Example request with a SAML Response Token viewed in the EsPReSSO extension.
Source: Own study — Testing Unverified Signature, by changing the ID data inside a SAML Response Token.

Implement the .

Modify the SAML response & remove the Signature.

  • The attacker can empty the Signature element or delete it entirely to bypass signature verification.
Source: Own study — Two methods for testing SAML Signature Stripping.
Source: Own study — Testing Signature Stripping using SAML Raider.
Source: Own study — The example content of the Signature to remove.

Implement the .
Always verify the signature, even when it is empty or absent; treat a missing signature as a failed verification.

Check if you can guess the signature.

  • The attacker can forge a signature if the signing mechanism is weak or predictable.
  • In the below example, the attacker could forge an assertion and obtain a valid session as an [email protected] user.
Source: Own study — Testing predictable signing mechanism.

Ensure all SAML elements in the chain use .
Consider deprecating support for .

Search the internet to find the secret key for the certificate in use.

  • The attacker can forge messages if they know the private signing key.
Source: Own study — Testing for the default key pair.
Source: Own study — Example of a X.509 certificate.
Source: Own study — How to copy the certificate in PEM format to the clipboard.
Source: Own study — Example fingerprinting using openssl.
  • It is handy to define a shell function for fingerprinting X.509 certificates:
function fingerprint_x509() {
    # prints the SHA-1 fingerprint of the PEM certificate given as the first argument
    openssl x509 -in "$1" -noout -fingerprint
}
Source: Own study — Example of a Google Dorking using the exact fingerprint value.
Source: Own study — Example searching for the certificate in the cloned code repository.
Source: Own study — How to get the first 64 chars of the certificate using Python Interpreter.
Source: Own study — Example of a default private key in the code repository.
Source: Own study — Re-signing the forged SAML with an imported private key.
Source: Own study — Importing private key to the SAML Raider Certificates.
Source: Own study — Solution for the not showing imported certificate.

Do not use the default key pair in the production environment.
Always generate a new key pair and store the private key securely.
Do not disclose the secret publicly.
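As an added example (not the article's own code), the fingerprinting and "first 64 characters" steps above in Python: it strips the PEM armour, reproduces the colon-separated digest format that `openssl x509 -fingerprint` prints, and extracts the leading base64 characters used as a search key. The certificate body is constructed from arbitrary bytes and is not a real certificate; the arithmetic is identical for a real one.

```python
# Added example, not from the article: Python counterpart to the openssl fingerprinting
# step, plus the "first 64 characters" search key. Standard library only; the sample
# certificate body is constructed and is NOT a real certificate.
import base64
import hashlib


def der_bytes(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes (what openssl actually hashes)."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case digest, the format `openssl x509 -fingerprint` prints."""
    hexdigest = hashlib.new(algorithm, der_bytes(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def search_prefix(pem: str, length: int = 64) -> str:
    """First `length` base64 characters of the body, independent of how the PEM was line-wrapped."""
    return base64.b64encode(der_bytes(pem)).decode("ascii")[:length]


# Constructed sample: arbitrary bytes wrapped in PEM armour, wrapped at 64 columns like a real PEM.
_FAKE_DER = b"constructed-not-a-real-certificate-der-bytes-for-this-example"
_B64 = base64.b64encode(_FAKE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA1 Fingerprint=" + fingerprint(SAMPLE_PEM))
    print("SHA256 Fingerprint=" + fingerprint(SAMPLE_PEM, "sha256"))
    print("search key:", search_prefix(SAMPLE_PEM))
```

The search key is taken from the base64 body rather than from a single PEM line, so it matches regardless of whether a repository stored the certificate wrapped at 64 columns or on one line.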

Inject a self-signed certificate and sign the assertion using it.

  • The attacker can forge messages using self-signed certificates.
Source: Own study — Testing flow for the certificate replacement attack.
Source: Own study — Resigning the Assertion using a self-signed certificate.

Service Provider should verify that a trusted Identity Provider signed the SAML.

Test for all eight XSW attacks using SAML Raider.

  • The attacker can inject arbitrary content.
Source: Own study — Testing the XML Signature Wrapping attacks.
Source: Own study — Testing the XSW1 attack using the SAML Raider extension.
Source: Own study — Mindmap briefly explaining all eight XML Signature Wrapping attacks.

Validate the signature according to the .
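As an added example (not the article's or SAML Raider's code), the structural checks a Service Provider should run on a SAML Response before it even attempts cryptographic verification. They reject the two shapes covered above: a stripped or empty signature, and an XML Signature Wrapping response that carries a second Assertion or a Signature whose Reference does not cover the Assertion actually consumed. The namespaces are the standard SAML 2.0 and XML DSig ones; the sample responses are constructed and the SignatureValue is a placeholder, not a real signature.

```python
# Added example, not from the article: structural pre-checks on a SAML Response that a
# Service Provider runs BEFORE cryptographic signature verification. Standard library
# only; every sample response below is constructed for this example.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlStructureError(Exception):
    """Raised when the response must be rejected before any crypto is attempted."""


def check_signature_structure(response_xml: str) -> str:
    """Return the ID of the single signed Assertion, or raise SamlStructureError.

    1. Exactly one Assertion anywhere in the document (every XSW variant adds a
       second, attacker-controlled copy somewhere in the tree).
    2. That Assertion carries exactly one ds:Signature as a DIRECT child, so a
       signature placed elsewhere cannot be mistaken for the assertion's own.
    3. The Signature's single Reference URI points at the Assertion's own ID.
    4. SignatureValue is present and non-empty (signature stripping).
    Passing is a precondition for, never a replacement of, verifying the signature
    against the trusted IdP certificate.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlStructureError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlStructureError("Assertion has no ID attribute")
    signatures = assertion.findall("ds:Signature", NS)  # direct children only
    if len(signatures) != 1:
        raise SamlStructureError("Assertion must carry exactly one enveloped Signature")
    references = signatures[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(references) != 1 or references[0].get("URI") != "#" + assertion_id:
        raise SamlStructureError("Signature Reference does not cover this Assertion")
    value = signatures[0].findtext("ds:SignatureValue", default="", namespaces=NS)
    if not value.strip():
        raise SamlStructureError("SignatureValue is missing or empty")
    return assertion_id


def verdict(response_xml: str) -> str:
    """Convenience wrapper: 'accepted:<assertion id>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + check_signature_structure(response_xml)
    except SamlStructureError as exc:
        return "rejected:" + str(exc)


def _response(assertion_id: str, signature_value: str, extra: str = "") -> str:
    """Build a constructed, minimal SAML Response (not a real IdP's output)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp" Version="2.0">
  <saml:Assertion ID="{assertion_id}" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>
      <ds:SignatureValue>{signature_value}</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>{extra}
</samlp:Response>"""


# Constructed samples: a well-formed response, a stripped signature, and an XSW-style
# response with a second Assertion placed next to the signed one.
GOOD_RESPONSE = _response("_a1", "c29tZS1zaWduYXR1cmUtYnl0ZXM=")
STRIPPED_RESPONSE = _response("_a1", "")
WRAPPED_RESPONSE = _response(
    "_a1",
    "c29tZS1zaWduYXR1cmUtYnl0ZXM=",
    extra='<saml:Assertion ID="_a2"><saml:Subject>'
          "<saml:NameID>someone-else</saml:NameID></saml:Subject></saml:Assertion>",
)

if __name__ == "__main__":
    for name, xml in [("good", GOOD_RESPONSE), ("stripped", STRIPPED_RESPONSE),
                      ("wrapped", WRAPPED_RESPONSE)]:
        print(f"{name:8s} -> {verdict(xml)}")
```

The important design choice is that the identity consumed later must be taken from the element whose ID the Signature's Reference names, never from "the first Assertion the parser finds"; checking that there is exactly one Assertion in the whole document makes the two coincide.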

Swap the ServiceURL during login from SP1 to SP2.

  • The attacker can gain access to a service provider they are not authorized to use.
  • For example, there are two applications (admin panel and sales).
  • The attacker has access only to the sales page using normal SAML flow.
  • Using the TRC technique, the attacker can change the ServiceURL to an admin panel during login to the sales application.
Source: Own study — Testing the TRC.
Source: Own study — The example login flow with the changed ServiceURL within the SAMLRequest parameter.
Source: Own study — The decoded value of a SAMLRequest parameter with changed ServiceURL value.

Service Provider should always validate the recipient value.
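As an added example (not the article's code), both sides of the recipient check for the admin/sales scenario above: the Identity Provider honours a requested AssertionConsumerServiceURL only if it is registered for the requesting SP, and the Service Provider rejects any assertion whose Destination, Recipient or Audience does not name itself. The Audience check matters because it catches an assertion that was issued for a different SP even when the URLs look right. Entity IDs, URLs, the registry and the sample responses are all constructed.

```python
# Added example, not from the article: IdP and SP checks against the ServiceURL swap
# (Token Recipient Confusion). Standard library only; all URLs, entity IDs and
# responses are constructed for this example.
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed registry, as an IdP would load it from SP metadata: which ACS URLs each
# SP (identified by its entity ID) may ask for in a SAMLRequest.
REGISTERED_ACS = {
    "https://sales.example.com/sp": {"https://sales.example.com/saml/consume"},
    "https://admin.example.com/sp": {"https://admin.example.com/saml/consume"},
}


def idp_allows_acs(issuer: str, requested_acs_url: str) -> bool:
    """IdP side: honour AssertionConsumerServiceURL only if it is registered for the issuer."""
    return requested_acs_url in REGISTERED_ACS.get(issuer, set())


def sp_recipient_problems(response_xml: str, my_acs_url: str, my_entity_id: str) -> List[str]:
    """SP side: every place the assertion names its recipient must name THIS SP.

    Returns an empty list when the response may proceed to signature verification,
    otherwise one reason per failed check.
    """
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != my_acs_url:
        problems.append(f"Response Destination {root.get('Destination')!r} is not our ACS URL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != my_acs_url:
        problems.append(f"SubjectConfirmationData Recipient {recipient!r} is not our ACS URL")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        # Catches an assertion issued for another SP even when the URLs were rewritten.
        problems.append(f"our entity ID is not in AudienceRestriction {audiences!r}")
    return problems


def _response(destination: str, recipient: str, audience: str) -> str:
    """Constructed minimal response; the Signature is omitted since recipient checks are the point."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{destination}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


SALES_ACS = "https://sales.example.com/saml/consume"
ADMIN_ACS = "https://admin.example.com/saml/consume"
# Response the IdP issued for the sales SP ...
FOR_SALES = _response(SALES_ACS, SALES_ACS, "https://sales.example.com/sp")
# ... and an assertion addressed to the admin ACS URL after a ServiceURL swap in the
# SAMLRequest: the URLs now say "admin" but the audience is still the sales SP.
SWAPPED = _response(ADMIN_ACS, ADMIN_ACS, "https://sales.example.com/sp")

if __name__ == "__main__":
    print(idp_allows_acs("https://sales.example.com/sp", ADMIN_ACS))   # False
    print(sp_recipient_problems(FOR_SALES, SALES_ACS, "https://sales.example.com/sp"))   # []
    print(sp_recipient_problems(SWAPPED, ADMIN_ACS, "https://admin.example.com/sp"))     # one problem
```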

Register an account with a comment and use SSO.

  • The attacker can hijack other users' accounts.
Source: Own study — Testing for comment injection vulnerability.

The detailed testing of the registration process was described in:

Register a similar account and use a comment to strip part of it.

  • The attacker can hijack other users’ accounts.
Source: Own study — Testing for comment injection vulnerability.

Use the .
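As an added example (not the article's code), one way to close both comment-based registration issues above on the application side: e-mail addresses are accepted only in strict dot-atom form (no RFC 5322 comments, quoted local parts or whitespace), canonicalised the same way at registration and when an SSO identity is linked, so a decorated address can never be registered beside, or matched against, a plain one. The accounts table and sample inputs are constructed, and the case-insensitive comparison of the whole address is an assumption stated in the code.

```python
# Added example, not from the article: strict e-mail canonicalisation applied both at
# registration and when an SSO-asserted e-mail is mapped to a local account.
# Standard library only; accounts and inputs below are constructed.
import re
from typing import Dict, Optional

# Strict dot-atom form only: no comments "(...)", no quoted local parts, no whitespace,
# no display names. Anything else is rejected outright instead of being "cleaned up".
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATOM}(?:\.{_ATOM})*"
_STRICT_EMAIL = re.compile(rf"^{_DOT_ATOM}@{_DOT_ATOM}$")


def canonical_email(raw: str) -> Optional[str]:
    """Return the canonical form of `raw`, or None if it is not a plain address.

    Assumption for this example: the whole address is compared case-insensitively,
    so it is lower-cased. Deployments with case-sensitive local parts would
    lower-case only the domain.
    """
    if len(raw) > 254 or not _STRICT_EMAIL.fullmatch(raw):
        return None
    return raw.lower()


def register(registered: Dict[str, str], raw_email: str, account_id: str) -> bool:
    """Registration path: refuse decorated addresses and duplicates of an existing canonical form."""
    canon = canonical_email(raw_email)
    if canon is None or canon in registered:
        return False
    registered[canon] = account_id
    return True


def link_sso_identity(asserted_email: str, registered: Dict[str, str]) -> Optional[str]:
    """Map the e-mail asserted by the IdP onto a local account ID, or None.

    `registered` maps canonical e-mail -> account ID and was populated through
    register(), so both sides apply the same strict rule and no stripping happens.
    """
    canon = canonical_email(asserted_email)
    if canon is None:
        return None
    return registered.get(canon)


def demo() -> Dict[str, object]:
    """Run the constructed scenario; dict values are evaluated in order, top to bottom."""
    accounts: Dict[str, str] = {}
    return {
        "victim": register(accounts, "victim@example.com", "acct-1"),            # True
        "comment": register(accounts, "victim@example.com(second)", "acct-2"),   # False: rejected
        "case_dup": register(accounts, "Victim@Example.com", "acct-3"),          # False: same canonical
        "sso_link": link_sso_identity("VICTIM@example.com", accounts),          # "acct-1"
        "sso_comment": link_sso_identity("victim@example.com (x)", accounts),   # None
        "sso_unknown": link_sso_identity("other@example.com", accounts),        # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12s} -> {value!r}")
```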

Test for the XXE injection.

  • Depending on the flaw found, the attacker could achieve directory listing, file reading, server-side request forgery, or denial of service.
Source: Own study — Testing for the XXE vulnerabilities.
<?xml version="1.0" encoding="UTF-8"?>
Source: Own study — Using the SAML tab to generate the XML code for testing the XXE.

Ensure that all SAML providers/consumers do proper .
Disable DTD processing.
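As an added example (not the article's code), what "disable DTD processing" looks like in a standard-library Python consumer: the document first passes through an expat parser whose DOCTYPE, entity-declaration and external-entity handlers all raise, and only DTD-free, well-formed input reaches ElementTree. SAML messages never legitimately carry a DOCTYPE, so the rule can be that blunt. In production the defusedxml package packages the same protections; the sample documents here are constructed.

```python
# Added example, not from the article: a parsing front door that refuses any DTD before
# a SAML document reaches the application parser. Standard library only; inputs are
# constructed for this example.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXml(Exception):
    """Raised for any document that declares a DOCTYPE, an entity, or an external reference."""


def parse_saml_safely(data: bytes) -> ET.Element:
    """Parse `data` only if it contains no DTD at all; otherwise raise UnsafeXml.

    XXE needs a DOCTYPE to declare its entity, and XSLT/XXE test payloads arrive the
    same way. Rejecting the DOCTYPE itself means no entity (internal, external or
    parameter) can ever be expanded, whatever the rest of the document contains.
    """
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} not allowed in SAML")

    def reject_entity(*_):
        raise UnsafeXml("entity declaration not allowed")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity {sysid!r} not allowed")

    gate = xml.parsers.expat.ParserCreate()
    gate.StartDoctypeDeclHandler = reject_doctype
    gate.EntityDeclHandler = reject_entity
    gate.ExternalEntityRefHandler = reject_external
    gate.Parse(data, True)          # raises UnsafeXml (or ExpatError) on bad input
    return ET.fromstring(data)      # only reached for DTD-free, well-formed XML


def classify(data: bytes) -> str:
    """'ok:<root tag>' for accepted documents, 'rejected:<reason>' otherwise."""
    try:
        return "ok:" + parse_saml_safely(data).tag
    except UnsafeXml as exc:
        return "rejected:" + str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "rejected:malformed " + str(exc)


# Constructed inputs: a plain SAML-shaped document, a document that smuggles in a
# DOCTYPE with an internal entity, and a truncated document.
CLEAN = (b'<?xml version="1.0" encoding="UTF-8"?>'
         b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r"/>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE r [<!ENTITY probe "constructed">]><r>&probe;</r>')
TRUNCATED = b'<?xml version="1.0" encoding="UTF-8"?><r><a>'

if __name__ == "__main__":
    for name, doc in [("clean", CLEAN), ("with_dtd", WITH_DTD), ("truncated", TRUNCATED)]:
        print(f"{name:10s} -> {classify(doc)}")
```

Rejecting at the DOCTYPE rather than at entity expansion is deliberate: it also stops the entity-expansion denial-of-service variants, which need no external reference at all.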

Test for the XSLT injection.

  • Depending on the flaw found, the attacker could achieve directory listing, file reading, server-side request forgery, or denial of service.
Source: Own study — Testing for the XSLT vulnerability.
Source: Own study — Using the SAML tab to generate the XML code for testing the XXE.

Ensure that all SAML providers/consumers do proper .

Check if data is transferred via HTTP or as a parameter in the URL.

  • Sensitive data may be logged by the browser, the web server, and forward or reverse proxy servers between the two endpoints.
  • It could also be displayed on-screen, bookmarked, or emailed around by users.
  • When any off-site links are followed, they may be disclosed to third parties via the Referer header.
Source: Own study — Example of the sensitive data transmitted in the path using HTTP.

Use a secure Hypertext Transfer Protocol (HTTPS).
Use an alternative mechanism for transmitting session tokens, such as HTTP cookies or .

Register twice: once using SSO and once with an email and password.

  • The attacker could hijack an account that the user created with OAuth.
  • The attacker could set a trap by registering an account using the victim’s email and waiting for the victim to log in using the OAuth method.
Source: Own study — Testing .

Email validation should be implemented.

Check whether the token validity period is longer than 5 minutes.

  • The attacker could reuse the SAML Response Token.
Source: Own study — Testing Overlong Expiration Time on the SAML Response Token.

The SAML Response Token should be rejected after 5 minutes.

Check if you can use the same SAML Response Token twice.

  • The attacker could reuse the SAML Response Token.
Source: Own study — Testing Reusable SAML Response Token.

Each SAML Response Token should be single-use only.

Exchange one SAML Response Token for many session tokens.

  • A malicious application could keep access to users' accounts even after they deauthorize it.
  • Creating fake followers, likes, and subscribers.
  • Financial losses in the case of single-use coupon codes.
Source: Own study — Testing the race condition in SAML flow.

Only one session ID should be issued in exchange for a single SAML Response Token.
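As an added example (not the article's code), an assertion consumer that enforces the three rules from the last sections together: a validity window no longer than 5 minutes, strict single use by assertion ID, and exactly one session per assertion even when the same response is delivered by many requests at once. The check-and-record step is done under a lock, which is what turns "single use" from a policy into a guarantee; `race()` delivers one assertion from sixteen threads to show only one session is minted. The clock-skew tolerance, timestamps and IDs are constructed assumptions.

```python
# Added example, not from the article: an SP-side assertion consumer enforcing a 5-minute
# maximum lifetime, single use, and one session per assertion under concurrency.
# Standard library only; timestamps, IDs and the skew tolerance are constructed.
import secrets
import threading
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_LIFETIME = timedelta(minutes=5)   # the article's recommendation
CLOCK_SKEW = timedelta(seconds=30)    # assumption: tolerated IdP/SP clock drift


class AssertionRejected(Exception):
    pass


def parse_saml_time(value: str) -> datetime:
    """SAML uses UTC timestamps such as 2023-01-05T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionConsumer:
    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._seen: Dict[str, datetime] = {}   # assertion ID -> NotOnOrAfter

    def consume(self, assertion_id: str, not_before: str, not_on_or_after: str,
                now: Optional[datetime] = None) -> str:
        """Return a fresh session ID, or raise AssertionRejected. One caller wins per ID."""
        now = now or datetime.now(timezone.utc)
        start, end = parse_saml_time(not_before), parse_saml_time(not_on_or_after)
        if end - start > MAX_LIFETIME:
            raise AssertionRejected(f"validity window {end - start} exceeds {MAX_LIFETIME}")
        if now + CLOCK_SKEW < start or now - CLOCK_SKEW >= end:
            raise AssertionRejected("assertion outside its validity window")
        # Check-and-record must be atomic: without the lock, N parallel requests carrying
        # the same assertion all see "unseen" and each mints a session (the race above).
        with self._lock:
            self._seen = {i: exp for i, exp in self._seen.items() if exp + CLOCK_SKEW > now}
            if assertion_id in self._seen:
                raise AssertionRejected("assertion ID already used (replay)")
            self._seen[assertion_id] = end
        return secrets.token_urlsafe(32)


def race(consumer: AssertionConsumer, assertion_id: str, not_before: str,
         not_on_or_after: str, now: datetime, attempts: int) -> int:
    """Deliver the same assertion from `attempts` threads at once; return how many got a session."""
    sessions: List[str] = []
    barrier = threading.Barrier(attempts)

    def worker() -> None:
        barrier.wait()   # release all threads into consume() together
        try:
            sessions.append(consumer.consume(assertion_id, not_before, not_on_or_after, now))
        except AssertionRejected:
            pass

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(sessions)


NOW = datetime(2023, 1, 5, 12, 0, 0, tzinfo=timezone.utc)   # constructed "current time"


def demo() -> Dict[str, object]:
    consumer = AssertionConsumer()
    first = consumer.consume("_a1", "2023-01-05T11:59:00Z", "2023-01-05T12:04:00Z", NOW)
    try:
        consumer.consume("_a1", "2023-01-05T11:59:00Z", "2023-01-05T12:04:00Z", NOW)
        replay = "accepted"
    except AssertionRejected as exc:
        replay = str(exc)
    try:
        consumer.consume("_a2", "2023-01-05T11:00:00Z", "2023-01-05T13:00:00Z", NOW)
        overlong = "accepted"
    except AssertionRejected as exc:
        overlong = str(exc)
    winners = race(AssertionConsumer(), "_a3", "2023-01-05T11:59:00Z",
                   "2023-01-05T12:04:00Z", NOW, attempts=16)
    return {"first_session_issued": bool(first), "replay": replay,
            "overlong": overlong, "race_winners": winners}


if __name__ == "__main__":
    print(demo())
```

In a multi-process or multi-node deployment the in-memory dictionary must become a shared store with an atomic "insert if absent" operation; the lock shown here only covers threads inside one process.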

Conduct the input validation testing in all SAML fields.

  • The impact depends on the type of vulnerability detected.
 - comprehensive wordlist for fuzzing.

Some payloads send ICMP packets or TCP packets to port 80 when they are triggered, which indicates a potential vulnerability.

You need to start two listeners on your VPS to make them work:

Source: Own study — Starting the ICMP sniffer.
Source: Own study — Starting the HTTP server on port 80.

Check the from OWASP.

The SAML protocol is not easy to implement, so ensure you do it properly.
I am sure that my article and the below references will help you do so:


Originally published at: https://karol-mazurek95.medium.com/appsec-tales-ix-oauth-5be70368ff9e

January 5, 2023