How to break SAML

Uploaded by ahgpocshv

Soup set No. 5a.

How to hack SAML if I have paws?


Aleksei "GreenDog" Tiurin

WHOAMI?
- Security researcher
- Invicti Security (Acunetix)
- Green Paws of Relaxation (Telegram channel): t.me/greenrelaxpaws
- agrrrdog.blogspot.com
- github.com/GrrrDog/
SAML - Security Assertion Markup Language
- SSO
- Authentication and authorization
- Everywhere

SAML - Security Assertion Markup Language
- Very old standards (~2002-2005)
  - SAML 1.0 / 2.0
- Based on
  - HTTP
  - XML
  - XML Schema
  - XML Digital Signature (XML DSig)
  - XML Encryption
- Complicated standards
  - Protocols/Bindings/Profiles
  - Full specs - hundreds of pages
"10 Years later"
- Old technologies -> old libs
  - xmlsec (java / c)
- Complex configurations
- Many implementations
  https://en.wikipedia.org/wiki/SAML-based_products_and_services
- ZeroNights 2012 talk: https://2012.zeronights.org/
  - (almost) all the same attacks ^_^
Identity Provider (IdP)
- where user creds are stored
- Okta, OneLogin, PingIdentity, MS AAD, etc.
- OpenAM, Keycloak, Oracle OAM, Shibboleth, etc.

Service Provider (SP)
- an application that a user wants to access
- ... Jira, WordPress, AWS, GosUslugi, ...

- One IdP - many SPs
  - Corporate SSO
- One SP - many IdPs
  - SaaS
Flows
- SP initiated: SAML Request -> SAML Response
- IdP initiated (from 4): SAML Response

SAMLRequest
- From SP to IdP
- Redirect Binding (GET) / POST Binding (HTML Form)
- Base64

SAMLResponse
- From IdP to SP
- POST Binding (HTML form)
- Base64 + Deflate

SAMLResponse signing
- Signed Response
- Signed Assertion
- Both
How does the signature work?

Situations:
- Anonymous attacks
- A user in IdP
- Malicious SP
- Malicious IdP

Core tool
- SAML Raider extension in Burp
Anonymous attacks
1. SAMLRequest - detect that SAML is used
2. From SAMLRequest:
   - Issuer (IdP)
   - AssertionConsumerServiceURL (ACS) - where SP expects SAMLResponse
   - SP's SAML lib name
   - id generator - format, name, etc.
   - Destination (IdP)
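As an added example (not code from the talk), a stdlib-only Python helper that undoes the binding encodings and pulls the fields listed above out of an AuthnRequest. Per the SAML 2.0 bindings spec the Redirect binding is DEFLATE + Base64 and the POST binding is Base64 only, so the decoder handles both; the sample request and every URL and ID in it are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnRequest; every URL and ID is a placeholder.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
    'ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/sso/saml" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def decode_saml_message(encoded: str) -> bytes:
    # Bindings spec: Redirect binding = DEFLATE + Base64, POST binding = Base64
    # only. Try raw DEFLATE first (no zlib header), fall back to plain Base64.
    raw = base64.b64decode(encoded)
    try:
        inflated = zlib.decompress(raw, -15)
        if inflated.lstrip().startswith(b"<"):
            return inflated
    except zlib.error:
        pass
    return raw

def inspect_authn_request(encoded: str) -> dict:
    # Fields the slide lists as recoverable from a SAMLRequest. The demo uses
    # stdlib ElementTree; for untrusted input use a parser with DTDs disabled.
    root = ET.fromstring(decode_saml_message(encoded))
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),  # reveals the id generator format
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }

def encode_redirect_binding(xml: str) -> str:
    # SP-side encoding, used here only to build realistic input.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def encode_post_binding(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()
```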
SAML Metadata
- Configuration exchange for SP and IdP
- Names, endpoints, certificates...
- Signature, encryption, additional attributes...
- SP doesn't expose it (usually)
- IdP:
  - known endpoints, e.g. oamfed/sp/metadata
  - derived from Destination: okta.com/app/appname/RND/sso/saml -> okta.com/app/RND/sso/saml/metadata

Now we have almost everything to create a good SAMLResponse from nothing.
Creating SAML Response
- POST to ACS url
- Known SAML schemas
  - http://www.datypic.com/sc/saml2/e-samlp_Response.html
  - http://www.datypic.com/sc/saml2/e-saml_Assertion.html
- Info from SAMLRequest
  - Destination - ACS url
  - InResponseTo - ID
  - Issue Timestamp
- Issuer - from metadata
- Both Response and Assertion
- Subject / NameID - email?
- Conditions
  - NotBefore + NotOnOrAfter
  - AudienceRestriction - ?
- AuthnStatement - ?
1. XML -> XXE (+XSD/NS injection?)
   - https://nvd.nist.gov/vuln/detail/CVE-2022-35741

2. XSS
   - Often show errors for debug
   - Before sign check
   - Issuer, Destination, StatusCode, etc.
   - using the created SAML Response
   - XSS payload -> every "field"
   - encode/CDATA
   - Destination="><img/src/onerror=alert(1)>"
SAML Response: Authentication bypass
- Disabled sign check - common misconfig
- No <Signature/> tag - no sign check
  https://hackerone.com/reports/136169
- Complicated specifications - nobody uses advanced features
- Documentation (SP/IdP)?
- NameID - email
  - Find a registered email?
  - Auto provisioning
- Create SAML Response(s)
- Try them
- Error messages
  https://mishresec.wordpress.com/2017/10/13/uber-bug-bounty-gaining-access-to-an-internal-chat-system/
KeyInfo
- Info about the key
- ds:Signature
- Self-signed certificate

SAML Response: Certificate faking for Authentication bypass
- Take certificate from Metadata
  - Import in SAML Raider
  - Sign the created SAML Response(s)
- Incorrect certificate match
- Trust KeyInfo certificate
  https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/#certificate-faking

SAML Response: Dupe Key Confusion (.NET)
- Alvaro Muñoz, Oleksandr Mirosh at BlackHat 2019
  https://i.blackhat.com/USA-19/Wednesday/us-19-Munoz-SSO-Wars-The-Token-Menace.pdf
- Better with a valid SAML Response

SAML Response: Certificate validation to SSRF
- Trust KeyInfo certificate
- Certificate validation
- SSRF in X509 cert
  - Michael Stepankin at BlackHat 2023
    https://github.com/onhexgroup/Conferences/blob/main/Black%20Hat%20USA%202023%20slides/Michael%20Stepankin_mTLS%20When%20Certificate%20Authentication%20is%20Done%20Wrong.pdf
  - Java
  - AIA, SIA, CRL DP
- Created SAML Response
  - Add KeyInfo with SSRF cert
- Windows? .NET?
Reference dereferencing
- Data location
  - URI
  - remote files (http, https, etc.)
  - local files
  - (Blind) SSRF
- Everywhere!
  - XML DSig
  - XML Enc
  - Metadata
  - ... SAML Response

Reference dereferencing (XML DSig)
- Reference
  https://github.com/IdentityPython/pysaml2/issues/510
- KeyInfo
  - Java xmlsec: SecureValidation bypass (CVE-2021-40690)
    https://blog.tint0.com/2021/09/pinging-xmlsec.html

Reference dereferencing (XML Enc)
- CipherReference
- DataReference
- + EncryptedKey -> KeyInfo

Transformations
- XML "normalization"
- Additional "preparations"
  - Base64
  - XPath
  - XPath-Filter
  - XSLT (optional)
  - ...

Base64 http://www.w3.org/2000/09/xmldsig#base64
- .NET XXE CVE-2022-34716
  - Decode Reference + parse XML
  - XXE inside
  https://bugs.chromium.org/p/project-zero/issues/detail?id=2313

XPath http://www.w3.org/TR/1999/REC-xpath-19991116
- Blind SSRF
- Mix with Reference (xml files)
- Error
- Modified version of a payload for PingIdentity from https://blog.tint0.com/2021/09/pinging-xmlsec.html

XSLT http://www.w3.org/TR/1999/REC-xslt-19991116
- Java / Santuario (xmlsec) <= 1.4.1 (~2010)
  - via Xalan
  - RCE ManageEngine ServiceDesk CVE-2022-47966
- xmlsec >= 1.4.2
  - Secure-processing - true
  - Xalan CVE-2014-0107 < 2.7.2
  - Arbitrary class instantiation
  https://blog.viettelcybersecurity.com/saml-show-stopper/

How can we test dereference/transformations?
- Acunetix
- No manual tools
- SAML Raider
  - no Algorithm
  - unparsed-text - XSLT 2.0
  - it won't detect CVE-2022-47966 (java xmlsec)
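As an added example, not code from the talk or from any tool it names: a Python pre-check an SP can run on an incoming SAMLResponse before handing it to the signature library. It covers the reference-dereferencing and transformation surface described above by flagging a missing Signature, any external URI on Reference, RetrievalMethod, CipherReference or DataReference, and any Transform outside the enveloped-signature and c14n set. The sample responses are constructed placeholders with no real signature values, and the transform allowlist is this demo's choice.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Transforms a SAML signature needs; XSLT/XPath/Base64 are rejected up front.
ALLOWED_TRANSFORMS = {
    DS + "enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}
# Elements whose URI attribute a DSig/XML Enc library may dereference (fetch).
REFERENCE_TAGS = {f"{{{DS}}}Reference", f"{{{DS}}}RetrievalMethod",
                  f"{{{XENC}}}CipherReference", f"{{{XENC}}}DataReference"}

def lint_saml_response(xml_bytes: bytes) -> list:
    # Findings list; empty = safe to hand to real signature verification (not done here).
    findings = []
    root = ET.fromstring(xml_bytes)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if root.find(f"{{{DS}}}Signature") is None and (
            assertion is None or assertion.find(f"{{{DS}}}Signature") is None):
        findings.append("no Signature on Response or Assertion")
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if el.tag in REFERENCE_TAGS:
            uri = el.get("URI", "")
            if uri and not uri.startswith("#"):  # "" and "#id" stay in-document
                findings.append(f"external URI in {local}: {uri}")
        elif local == "Transform" and el.get("Algorithm") not in ALLOWED_TRANSFORMS:
            findings.append(f"disallowed Transform: {el.get('Algorithm')}")
    return findings

# Constructed samples (placeholders, not real traffic); signature bytes omitted.
def _response(signature: str) -> bytes:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:ds="{DS}" ID="_r1">{signature}<saml:Assertion ID="_a1">'
            '<saml:Subject><saml:NameID>user@example.com</saml:NameID>'
            '</saml:Subject></saml:Assertion></samlp:Response>').encode()

def _sig(uri: str, transform: str) -> str:
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{uri}"><ds:Transforms>'
            f'<ds:Transform Algorithm="{transform}"/></ds:Transforms></ds:Reference>'
            '</ds:SignedInfo></ds:Signature>')
GOOD = _response(_sig("#_r1", DS + "enveloped-signature"))
BAD = _response(_sig("http://external.example/x.xml", "http://www.w3.org/TR/1999/REC-xslt-19991116"))
UNSIGNED = _response("")
```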
Attacks on IdP
- Signed SAMLRequest (AuthnRequest)
  - SP -> IdP
  - Redirect-POST -> POST-POST bindings
- SAML protocol: LogoutRequest, etc.
- Metadata import (malicious SP/IdP)
- Same attack vectors

With creds / Malicious SP/IdP
- Transformation after sign check
  - Post-auth
  - "Malicious" SP/IdP
- Generate a valid signature for arbitrary transformations
  - How? (SAML Response)
More attacks on IdP (w/ creds)

ACS Spoofing Attack
- Change SAMLRequest ACS url to an attacker's server
- Old: https://web-in-security.blogspot.com/2015/04/on-security-of-saml-based-identity.html
- Is it string or url comparison?

XML injection
- SAMLRequest is not signed
- Values from SAMLRequest reflected in SAMLResponse
  - copied as string
  - add new tags/attributes
  - correctly signed
  https://research.nccgroup.com/2021/03/29/saml-xml-injection/
Attacks on SP (w/ creds)
- Sign check, cert-related, etc.
- XSW (w/ SAML Raider)
- XML parsing
  - Comment injection
    https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
    - ~2017
    - [email protected]<!---->.attacker.pw
    - [email protected] vs [email protected]
  - <? anything ?> - processing instructions inside XML
  - Much more
- Logic vulnerabilities
  - "how to put things together"
  - very common
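An added Python illustration of the comment / processing-instruction problem in NameID (not code from the talk or from the Duo post): the naive first-text-node read that truncates the value next to a strict reader that refuses such nodes. The sample assertions and addresses are constructed.

```python
from xml.dom import Node, minidom

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def _assertion(name_id_body: str) -> str:
    # Constructed sample assertion; the address is a placeholder.
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Subject><saml:NameID>'
            f'{name_id_body}</saml:NameID></saml:Subject></saml:Assertion>')

CLEAN = _assertion("user@example.com")
# An empty comment splits the text node, as in the 2017 Duo research.
COMMENTED = _assertion("user@example.com<!---->.example.net")
# A processing instruction inside the element does the same.
PI_SPLIT = _assertion("user@example.com<?x?>.example.net")

def _name_id(xml: str):
    # minidom keeps Comment and ProcessingInstruction nodes, unlike ElementTree.
    return minidom.parseString(xml).getElementsByTagNameNS(SAML, "NameID")[0]

def naive_name_id(xml: str) -> str:
    # The vulnerable pattern: read only the first text node of NameID.
    return _name_id(xml).firstChild.nodeValue

def strict_name_id(xml: str) -> str:
    # Hardened: refuse comments and PIs inside NameID, join all text nodes.
    parts = []
    for child in _name_id(xml).childNodes:
        if child.nodeType in (Node.COMMENT_NODE, Node.PROCESSING_INSTRUCTION_NODE):
            raise ValueError("comment or processing instruction inside NameID")
        if child.nodeType not in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            raise ValueError("unexpected markup inside NameID")
        parts.append(child.data)
    return "".join(parts)

def name_id_is_safe(xml: str) -> bool:
    try:
        strict_name_id(xml)
        return True
    except ValueError:
        return False
```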
Session handling

RelayState
- State preservation
- URL
- "Open Redirect"
  https://hackerone.com/reports/1923672
  https://www.anitian.com/owning-saml/

Multitenant (1 SP - many IdPs)
Don't trust IdP
- Auth based on SAML Response
- Manipulate NameId, Issuer, ACS
- Email from another tenant -> access
- IdP confusion https://hackerone.com/reports/976603
  - IdP victim - "IdP1"
  - IdP attacker - "IdP1 " (with a space at the end)
  - Sign check w/ victim's IdP, log in to the attacker's account
Recommendations
- Don't implement SAML "lib" yourself
  - Use 3rd party libs
  - Update libs systematically
- Show a generic error
- Disable unnecessary features
  - KeyInfo? XML Enc?
- Be careful w/ metadata
- Always pentest your SAML implementation in SP
- Pentest your IdP if it's not SaaS
- Write me if you have any questions

Big thanks to the researchers of the mentioned articles/white papers/tools.

New cheat sheet about SAML?
https://github.com/GrrrDog/

Green Paws of Relaxation
https://t.me/greenrelaxpaws