# SAML Injection > Security Assertion Markup Language (SAML) is an open standard that allows security credentials to be shared by multiple computers across a network. When using SAML-based Single Sign-On (SSO), three distinct parties are involved. There is a user (the so-called principal), an IDentity Provider (IDP), and a cloud application Service Provider (SP). - centrify ## Summary * [Tools](#tools) * [Authentication Bypass](#authentication-bypass) * [Invalid Signature](#invalid-signature) * [Signature Stripping](#signature-stripping) * [XML Signature Wrapping Attacks](#xml-signature-wrapping-attacks) * [XML Comment Handling](#xml-comment-handling) * [XML External Entity](#xml-external-entity) ## Tools - [SAML Raider - Burp Extension](https://github.com/SAMLRaider/SAMLRaider) ## Authentication Bypass A SAML Response should contain the ` [...]accepting unsigned SAML assertions is accepting a username without checking the password - @ilektrojohn The goal is to forge a well formed SAML Assertion without signing it. For some default configurations if the signature section is omitted from a SAML response, then no signature verification is performed. Example of SAML assertion where `NameID=admin` without signature. ```xml REDACTED REDACTED admin WLS_SP urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport ``` ### XML Signature Wrapping Attacks XML Signature Wrapping (XSW) attack, some implementations check for a valid signature and match it to a valid assertion, but do not check for multiple assertions, multiple signatures, or behave differently depending on the order of assertions. - XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature. - XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature. - XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion. - XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion after the existing Assertion. - XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message. - XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature. - XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion. - XSW8 – Applies to SAML Assertion messages. Add an “Object” block containing a copy of the original assertion with the signature removed. In the following example, these terms are used. - FA: Forged Assertion - LA: Legitimate Assertion - LAS: Signature of the Legitimate Assertion ```xml Attacker Legitimate User ``` In the Github Enterprise vulnerability, this request would verify and create a sessions for `Attacker` instead of `Legitimate User`, even if `FA` is not signed. ### XML Comment Handling A threat actor who already has authenticated access into a SSO system can authenticate as another user without that individual’s SSO password. This [vulnerability](https://www.bleepstatic.com/images/news/u/986406/attacks/Vulnerabilities/SAML-flaw.png) has multiple CVE in the following libraries and products. - OneLogin - python-saml - CVE-2017-11427 - OneLogin - ruby-saml - CVE-2017-11428 - Clever - saml2-js - CVE-2017-11429 - OmniAuth-SAML - CVE-2017-11430 - Shibboleth - CVE-2018-0489 - Duo Network Gateway - CVE-2018-7340 Researchers have noticed that if an attacker inserts a comment inside the username field in such a way that it breaks the username, the attacker might gain access to a legitimate user's account. ```xml https://idp.com/ user@user.com.evil.com ``` Where `user@user.com` is the first part of the username, and `.evil.com` is the second. ### XML External Entity An alternative exploitation would use `XML entities` to bypass the signature verification, since the content will not change, except during XML parsing. In the following example: - `&s;` will resolve to the string `"s"` - `&f1;` will resolve to the string `"f1"` ```xml ]> [...] &s;taf&f1; [...] ``` The SAML response is accepted by the service provider. Due to the vulnerability, the service provider application reports "taf" as the value of the "uid" attribute. ## References - [SAML Burp Extension - ROLAND BISCHOFBERGER - JULY 24, 2015](https://blog.compass-security.com/2015/07/saml-burp-extension/) - [The road to your codebase is paved with forged assertions - @ilektrojohn - March 13, 2017](http://www.economyofmechanism.com/github-saml) - [SAML_Security_Cheat_Sheet.md - OWASP](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SAML_Security_Cheat_Sheet.md) - [On Breaking SAML: Be Whoever You Want to Be - Juraj Somorovsky, Andreas Mayer, Jorg Schwenk, Marco Kampmann, and Meiko Jensen](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91-8-23-12.pdf) - [Making Headlines: SAML - March 19, 2018 - Torsten George](https://blog.centrify.com/saml/) - [Vulnerability Note VU#475445 - 2018-02-27 - Carnegie Mellon University](https://www.kb.cert.org/vuls/id/475445/) - [ORACLE WEBLOGIC - MULTIPLE SAML VULNERABILITIES (CVE-2018-2998/CVE-2018-2933) - Denis Andzakovic - Jul 18, 2018](https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities) - [Truncation of SAML Attributes in Shibboleth 2 - 2018-01-15 - redteam-pentesting.de](https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-013/-truncation-of-saml-attributes-in-shibboleth-2) - [Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them - March 7th, 2017 - Jem Jensen](https://blog.netspi.com/attacking-sso-common-saml-vulnerabilities-ways-find/)