Written by Huỳnh Huy Phong (HHP) from the Safewhere team
The Security Assertion Markup Language (SAML) is widely used to deploy Single Sign-On and identity federation solutions. The usual mechanism passes the SAML response certifying the user's identity through the web browser, relying on an XML signature to prevent tampering. However, the SAML protocol is affected by XML Signature Wrapping (XSW) vulnerabilities, described in 2012 in the paper "On Breaking SAML: Be Whoever You Want to Be".
In this post, we will use SAML Raider, an extension for Burp Suite, to perform XML Signature Wrapping (XSW) attacks. It provides the following variants:
- XSW1 – Applies to SAML Response messages. Adds a cloned, unsigned copy of the Response after the existing signature.
- XSW2 – Applies to SAML Response messages. Adds a cloned, unsigned copy of the Response before the existing signature.
- XSW3 – Applies to SAML Assertion messages. Adds a cloned, unsigned copy of the Assertion before the existing Assertion.
- XSW4 – Applies to SAML Assertion messages. Adds a cloned, unsigned copy of the Assertion after the existing Assertion.
- XSW5 – Applies to SAML Assertion messages. Changes a value in the signed copy of the Assertion and adds a copy of the original Assertion, with the signature removed, at the end of the SAML message.
- XSW6 – Applies to SAML Assertion messages. Changes a value in the signed copy of the Assertion and adds a copy of the original Assertion, with the signature removed, after the original signature.
- XSW7 – Applies to SAML Assertion messages. Adds an "Extensions" block containing a cloned, unsigned Assertion.
- XSW8 – Applies to SAML Assertion messages. Adds an "Object" block containing a copy of the original Assertion with the signature removed.
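All eight variants rely on the same gap: the Service Provider verifies a signature over one element but then consumes a different, unsigned element. The defence is structural as much as cryptographic: after the signature check passes, confirm that the signed element is exactly the element about to be trusted, that it is the only Assertion in the document, and that every ID is unique. The Python below is an added example, not code from this post, from SAML Raider, or from Safewhere. The two SAML fixtures are constructed (with a placeholder SignatureValue) and shaped like the XSW3 and XSW8 variants listed above; the function name `xsw_findings` and the namespace constants are this example's own, and the cryptographic verification of SignatureValue is assumed to be done separately by the SP's XML-DSig library.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 responses.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE = "{%s}Response" % NS["samlp"]
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]
REFERENCE = "{%s}Reference" % NS["ds"]


def xsw_findings(xml_text):
    """Structural checks an SP should run alongside cryptographic signature
    verification. Returns a list of findings; an empty list means the signed
    element is exactly the element the SP is about to trust."""
    root = ET.fromstring(xml_text)
    findings = []
    # ElementTree has no getparent(), so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}

    # 1. Exactly one Assertion anywhere in the document. XSW3-XSW8 add a
    #    second one, sometimes hidden inside Extensions or ds:Object.
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        findings.append("expected 1 Assertion, found %d" % len(assertions))

    # 2. Every ID attribute must be unique, otherwise "#id" is ambiguous.
    by_id = {}
    for el in root.iter():
        if el.get("ID") is not None:
            by_id.setdefault(el.get("ID"), []).append(el)
    for ident, els in by_id.items():
        if len(els) > 1:
            findings.append("ID %r is used by %d elements" % (ident, len(els)))

    # 3. Exactly one Signature with one same-document Reference that resolves
    #    to exactly one element, and the Signature is enveloped in that element.
    sigs = list(root.iter(SIGNATURE))
    if len(sigs) != 1:
        findings.append("expected 1 Signature, found %d" % len(sigs))
        return findings
    sig = sigs[0]
    refs = list(sig.iter(REFERENCE))
    uri = refs[0].get("URI", "") if len(refs) == 1 else ""
    if not uri.startswith("#") or len(by_id.get(uri[1:], [])) != 1:
        findings.append("Reference URI %r does not name exactly one element" % uri)
        return findings
    signed = by_id[uri[1:]][0]
    if parent.get(sig) is not signed:
        findings.append("Signature is not a direct child of the element it signs")

    # 4. The signed element must be the Response itself or the Assertion the
    #    SP consumes, and that Assertion must sit directly under the Response.
    if signed.tag not in (RESPONSE, ASSERTION):
        findings.append("signed element %s is neither Response nor Assertion" % signed.tag)
    if len(assertions) == 1:
        if parent.get(assertions[0]) is not root:
            findings.append("Assertion is not a direct child of the Response")
        if signed.tag == ASSERTION and signed is not assertions[0]:
            findings.append("signed Assertion is not the one being consumed")
    return findings


# Constructed fixtures (not real IdP output); SignatureValue is a placeholder.
_HEAD = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
         'xmlns:ds="%(ds)s" ID="_r1" Version="2.0">' % NS)
_SIGNED = """<saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>%s</ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""
_UNSIGNED = """<saml:Assertion ID="%s" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
</saml:Assertion>"""

GOOD_RESPONSE = _HEAD + (_SIGNED % "") + "</samlp:Response>"
# XSW3 shape: an unsigned clone placed before the signed Assertion.
XSW3_RESPONSE = _HEAD + (_UNSIGNED % "_clone") + (_SIGNED % "") + "</samlp:Response>"
# XSW8 shape: a signature-less copy wrapped in a ds:Object inside the Signature.
XSW8_RESPONSE = _HEAD + (_SIGNED % ("<ds:Object>" + (_UNSIGNED % "_a1") + "</ds:Object>")) + "</samlp:Response>"

if __name__ == "__main__":
    for name, doc in [("good", GOOD_RESPONSE), ("xsw3", XSW3_RESPONSE), ("xsw8", XSW8_RESPONSE)]:
        print(name, xsw_findings(doc) or "OK")
```

The order matters in practice: run these checks on the same DOM the signature library verified, and only after it reports a valid signature, so that the element returned to the application is the referenced, uniquely identified, enveloped one rather than whatever an XPath such as `//Assertion[1]` happens to find first.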
First, open Burp Suite, then browse to Extender > BApp Store, choose the SAML Raider extension and select Install:
For repeated attempts, it helps to intercept only the single endpoint that receives the SAML 2.0 response, using Burp's interception options like this:
Now let's modify the SAML Assertion, which the browser receives from the Identity Provider (IdP) and sends on to the Service Provider (SP). In the SAML Raider tab, choose XSW3 and select "Apply XSW":
The response from the web application shown below indicates that it performs the XML signature validation check correctly.