How to use Burp Suite to verify SAML Signature Wrapping attack

Written by Huỳnh Huy Phong (HHP) from Safewhere team *

The Security Assertion Markup Language (SAML) is widely used to deploy Single Sign-On and identity federation solutions. The usual mechanism passes the SAML response certifying the user’s identity through the web browser, using an XML signature to prevent tampering. However, a number of XML Signature Wrapping (XSW) vulnerabilities in the SAML protocol were described in 2012 (On Breaking SAML: Be Whoever You Want to Be).

In this post, we will use SAML Raider, a Burp Suite extension, to perform XML Signature Wrapping (XSW) attacks. It provides the following variants:

  • XSW1 – Applies to SAML Response messages. Adds a cloned, unsigned copy of the Response after the existing signature.
  • XSW2 – Applies to SAML Response messages. Adds a cloned, unsigned copy of the Response before the existing signature.
  • XSW3 – Applies to SAML Assertion messages. Adds a cloned, unsigned copy of the Assertion before the existing Assertion.
  • XSW4 – Applies to SAML Assertion messages. Adds a cloned, unsigned copy of the Assertion after the existing Assertion.
  • XSW5 – Applies to SAML Assertion messages. Changes a value in the signed copy of the Assertion and adds a copy of the original Assertion, with the signature removed, at the end of the SAML message.
  • XSW6 – Applies to SAML Assertion messages. Changes a value in the signed copy of the Assertion and adds a copy of the original Assertion, with the signature removed, after the original signature.
  • XSW7 – Applies to SAML Assertion messages. Adds an “Extensions” block containing a cloned, unsigned Assertion.
  • XSW8 – Applies to SAML Assertion messages. Adds an “Object” block containing a copy of the original Assertion with the signature removed.

First, open Burp Suite, browse to Extender –> BApp Store, choose the SAML Raider extension and select Install.

Since the test is repeated several times, it helps to intercept only the endpoint that receives the SAML 2.0 response, using Burp’s interception options.

Now modify the SAML Assertion, which is issued by the Identity Provider (IdP) and forwarded by the browser to the Service Provider (SP), in the SAML Raider tab: choose XSW3 and select “Apply XSW”.

The response shown by the web application means that it is performing the XML signature validation check correctly and does not accept the wrapped Assertion.
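To make concrete what a correct validation check on the Service Provider side looks like against the XSW variants listed above, here is an added example (not code from the original post, from SAML Raider, or from Safewhere). It does not verify the cryptographic signature, which a real SP does with an XML-DSig library; it shows the element-selection rule that must accompany that verification: the Assertion the SP consumes must be the one and only Assertion in the message, a direct child of the Response, and the element the enveloped signature’s Reference URI points at. Both sample messages, the `SignatureValue` placeholder, and the `_a1`/`_resp1` IDs are constructed for this example; only the Python standard library is used.

```python
"""Structural anti-XSW check for a SAML 2.0 Response (added example, not from
the original post or SAML Raider).  Signature verification is out of scope;
this is the element-selection rule that must run alongside it."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def select_signed_assertion(xml_text):
    """Return the only Assertion the SP may trust, or raise ValueError.

    1. Exactly one saml:Assertion anywhere in the document: XSW3..XSW8 add a
       second one (before/after the original, under Extensions or Object), and
       XSW1/XSW2 clone the whole Response, so a second Assertion appears too.
    2. That Assertion is a direct child of samlp:Response.
    3. It carries exactly one enveloped ds:Signature whose Reference URI is
       "#<its own ID>", so the signature covers this element and nothing else.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")

    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]

    if assertion not in list(root):  # Element comparison is by identity
        raise ValueError("Assertion is not a direct child of Response")

    signatures = assertion.findall("ds:Signature", NS)
    if len(signatures) != 1:
        raise ValueError("Assertion must carry exactly one enveloped Signature")
    ref = signatures[0].find("ds:SignedInfo/ds:Reference", NS)
    expected_uri = "#" + assertion.get("ID", "")
    if ref is None or ref.get("URI") != expected_uri:
        raise ValueError("Signature Reference URI does not point at this Assertion")
    return assertion


def is_acceptable(xml_text):
    """True if the message passes the structural checks (handy for tests)."""
    try:
        select_signed_assertion(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample (not real IdP output): one signed Assertion.  The
# SignatureValue is a placeholder because only structure is checked here.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed XSW3-shaped message: an unsigned clone of the Assertion placed
# before the signed one.  A verifier that checks the signature and then reads
# the first Assertion it finds would consume the wrong Subject.
XSW3_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for name, msg in (("legitimate", GOOD_RESPONSE), ("wrapped (XSW3)", XSW3_RESPONSE)):
        print(name, "->", "accepted" if is_acceptable(msg) else "rejected")
```

The point of the example is the order of operations: the SP must select the Assertion by following the signature’s Reference from the verified element, not by taking the first `Assertion` a generic XPath or DOM search returns, and it should refuse any message in which more than one candidate exists. Running the block prints `accepted` for the clean sample and `rejected` for the XSW3-shaped one.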