Securing SAML SSO from XSW attacks
- 2. Security Internal.com Tharindu Edirisinghe Graduate Researcher/ PhD Student Open Source Contributor RaiderJava Encoder @thariyarox
- 3. What is Single Sign On (SSO) ?
- 4. Identity Provider (Office 365) Zoom Example for SSO Email Moodle (LMS) Timetable Service Providers (Replying Party Applications) Authentication Request Authentication Response Use Account
- 5. Identity Provider Zoom SAML in SSO Email Moodle (LMS) Timetable Service Providers (Replying Party Applications) SAML Authentication Request SAML Authentication Response Use Account
- 7. Identity Provider SAML Authentication Attack Client Service Provider (Replying Party Application) SAML Authentication Request SAML Authentication Response Use Account JoanneResponse Assertion JoanneAdmin
- 10. Digital Signatures and Signature Verification Source: https://en.wikipedia.org/wiki/Electronic_signature#/media/File:Digital_Signature_diagram.svg Identity Provider needs to sign the responses Relying Party needs to verify the signature
- 11. Identity Provider Digitally Signed SAML Responses/Assertions Client Service Provider (Replying Party Application) SAML Authentication Request SAML Authentication Response Use Account JoanneResponse Assertion Sign the Response/Assertion Verify the signature of Response/Assertion Assertion Signature Response Signature
- 12. DEMO SAML Authentication Attack Prevention with Digital Signatures
- 13. Structure of XML Signature Source: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf
- 14. XML Signature Wrapping (XSW) Attacks on SAML
- 23. Apache Tomcat Server (Port 8080) WSO2 Identity Server (Port 9443) Web Browser (Uses Proxy Port 9090) BurpSuite (Port 9090) Travelocity.com Sample SAML Client Application SAML Identity Provider SAML Raider XSW DEMO Setup Modified SAML Raider : https://github.com/thariyarox/SAMLRaider/blob/NewAttacks/target/saml-raider-1.2.0-SNAPSHOT-jar-with-dependencies.jar
- 24. XSW DEMO
- 25. Source: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf WSO2 Security Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0104
- 26. Office 365 SAML Client App Salesforce Where it’s fixed? SAML Request SAML Response SAML Request SAML Response Fix for SAML Signature Validation Fix ???
- 27. XSW Prevention ? ● If the SAML client is implemented using a 3rd party library, check if it supports XSW prevention. (Eg: OpenSAML client library) ● If SAML assertion/response parsing is done with your implementation, add extra validations. (Eg: prevent multiple responses/assertions in the XML message) ● Conduct penetration testing for SAML authentication flows. Use standard tools or make your own one ! (https://github.com/thariyarox/SAMLRaider/tree/NewAttacks/target)
- 29. XML Comments Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <A X="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > Both are logically equal
- 30. XML Comments in Signature? Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <A X="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > XML Transformation (Canonicalization) Transformed XML Generate XML Signature
- 31. exc-c14n#WithComments canonicalization Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <A X="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > XML Transformation (Canonicalization) Transformed XML Generate XML Signature <A X="1" Y="2">some text<!-- and a comment --></A> Two inputs will end up with different signatures XML Transformation (Canonicalization) Transformed XML <A X="1" Y="2">some text</A> Generate XML Signature
- 32. exc-c14n canonicalization Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <A X="1" Y="2">some text<!-- and a comment --></A> < A Y="2" X="1" >some text</ A > XML Transformation (Canonicalization) Transformed XML Generate XML Signature < A Y="2" X="1" >some text</ A > Both inputs will end up with the same signature
- 33. XML Parser issues with processing comments (exc-c14n) Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <A>first text<!-- comment -->second text</A> first text <!-- comment --> second text node_A.getText() What gets returned??
- 34. XML Parser issues with processing comments (exc-c14n) Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <Username> phil <!-- comment --> lip </Username> phil <!-- comment --> lip node_A.getText() Returns first part of the text Victim Attacker’s username is phillip
- 35. XML Parser issues with processing comments (exc-c14n) Source: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations <Username> jo <!-- comment --> anne </Username> jo <!-- comment --> anne node_A.getText() Returns last part of the text Victim Attacker’s username is joanne
- 37. XML Comments Attack Prevention ● Use exc-c14n#WithComments canonicalization algorithm. ● If exc-c14n is used, process the text of the XML node separately and remove the comment before extracting the node value. ● Use an XML processing library which is not vulnerable to the string tokenization issue when comments are present. (Eg: DOM parser, SAX parser)
- 38. Summary ● Single Sign On (SSO) ● SAML for SSO ● Digital Signatures ● XSW attacks on SAML ● Penetration testing SAML flows ● XML comments in signatures ● SAML attack prevention