$30 off During Our Annual Pro Sale. View Details »

How to break SAML if I have paws?

GreenDog
September 21, 2023
Education
0
950

How to break SAML if I have paws?

Overview of "how to hack SAML" from a security conference - KazHackStan https://kazhackstan.com/en/

In this talk, we will figure out how to break Single Sign On(SSO) based on SAML. Let's look at the components of SAML and the associated attack vectors, current vulnerabilities and methods of their exploitation. Everything a pentester needs to pohakat SAML without soiling the fur.

GreenDog

September 21, 2023
Tweet

More Decks by GreenDog

See All by GreenDog
Weird proxies/2 and a bit of magic
greendog
2
8.3k
Reverse proxies & Inconsistency
greendog
2
4k
MITM Attacks on HTTPS: Another Perspective
greendog
1
670
Deserialization vulnerabilities
greendog
1
720

Other Decks in Education

See All in Education
PowerPoint Kills?
oripsolob
0
540
データ分析の授業における Google Cloud の活用事例 #GoogleCloud #GoogleCloudNext / 20231116
kazaneya
PRO
2
330
自己紹介 / who-am-i
yasulab
2
2.8k
Adobe Express
matleenalaakso
1
6.8k
Consagração 23 #4 - Graus, efeitos e práticas da Verdadeira Devoção
cm_manaus
0
120
教員の方が ChatGPT について最低限知っておきたいこと -2023年11月版-
dahatake
22
19k
情報処理応用B第03回/InfoAdv03
kfujita
0
320
豊富な産学連携・地域連携と連動させた「考動力」人材育成プロジェクト主催・関西大学キャリアセンター共催 「第2弾 社会人に聞く! 多様な博士のキャリア」/ 2023-10-28_my-advice-to-phd-students
tam07pb915
0
510
Padlet opetuksessa
matleenalaakso
3
7.4k
Consagração 23 #3 - Falsas devoções e as características e extensão da Verdadeira Devoção
cm_manaus
0
130
情報処理応用B第04回/InfoAdv04
kfujita
0
270
日本の教育DX動向 GIGAスクール構想とその後
kotatsurin
0
120

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
How to name files
jennybc
59
87k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
RailsConf 2023
tenderlove
0
350
Rails Girls Zürich Keynote
gr2m
90
12k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Testing 201, or: Great Expectations
jmmastey
26
6.1k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
GraphQLとの向き合い方2022年版
quramy
26
12k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.7k
Three Pipe Problems
jasonvnalue
89
9.3k
Faster Mobile Websites
deanohume
296
29k

Transcript

  1. Суповой набор №5а.
    Как ломать SAML, если у меня лапки?
    How to hack SAML if I have paws?
    Aleksei “GreenDog” Tiurin

    View Slide

  2. WHOAMI?
    - Security researcher
    - Invicti Security (Acunetix)
    - Зеленые лапки
    расслабленности
    t.me/greenrelaxpaws
    agrrrdog.blogspot.com
    github.com/GrrrDog/
    Aleksei Tiurin
    GreenDog

    View Slide

  3. SAML - Security Assertion Markup Language
    ● SSO
    ● Authentication and authorization
    ● Everywhere

    View Slide

  4. SAML - Security Assertion Markup Language
    ● Very old standards (~2002-2005)
    ○ SAML 1.0 / 2.0
    ● Based on
    ○ HTTP
    ○ XML
    ○ XML Schema
    ○ XML Digital Signature (XML DSig)
    ○ XML Encryption
    ● Complicated standards
    ○ Protocols/Bindings/Profiles
    ○ Full specs - hundreds of pages

    View Slide

  5. “10 Years later”
    ● Old technologies -> old libs
    ○ xmlsec (java / c)
    ● Complex configurations
    ● Many Implementations
    https://en.wikipedia.org/wiki/SAML-based_products_and_services
    ● ZeroNights 2012
    ● (almost) All the same attacks ^_^

    View Slide

  6. Identity Provider (IdP)
    - where user creds are stored
    - Okta, OneLogin, PingIdentity, MS AAD, etc
    - OpenAM, Keycloak, Oracle OAM, Shibboleth, etc
    Service Provider (SP)
    - an application that a user wants to access
    - … Jira, WordPress, AWS ...

    View Slide

  7. - One IdP - many SPs
    - Corporate SSO
    - One SP - many IdPs
    - SaaS that needs to support
    multiple organizations

    View Slide

  8. Flows
    - SP initiated
    - IdP initiated (from 4) SAML Request
    SAML Response

    View Slide

  9. SAMLRequest
    - From SP toIdP
    - Redirect Binding (GET) / POST Binding (HTML Form)
    - Base64

    View Slide

  10. SAMLResponse
    - From IdP to SP
    - POST Binding
    HTML form
    - Base64 + Deflate

    View Slide

  11. SAMLResponse
    - Signed Response
    - Signed Assertion
    - Both

    View Slide

  12. How does the signature work?

    View Slide

  13. Situations:
    - Anonymous attacks
    - A user in IdP
    - Malicious SP
    - Malicious IdP
    Core tool
    - SAML Raider extension in Burp

    View Slide

  14. Anonymous attacks
    1. SAMLRequest - Detect that SAML is used
    2. From SAMLRequest
    - Issuer (IdP)
    - AssertionConsumerServiceURL (ACS)
    - where SP expects SAMLResponse
    - SP’s SAML lib name
    - id generator - format, name, etc
    - Destination (IdP)

    View Slide

  15. SAML Metadata
    - Configuration exchange for SP and IdP
    - Names, endpoints, certificates…
    - Signature, encryption, additional attributes…
    SP doesn’t expose it (usually)
    IdP:
    - know endpoints
    - oamfed/idp/metadata
    - from Destination
    - okta.com/app/appname/RND/sso/saml->
    - okta.com/app/RND/sso/saml/metadata
    Now, we have almost everything to create
    a good SAMLResponse from nothing

    View Slide

  16. Creating SAML Response
    - POST to ACS url
    - Known SAML schemas
    - Info from SAMLRequest
    - Destination - ACS url
    - InResponseTo - ID
    - Issue Timestamp
    - Issuer - From metadata
    - Both Response and Assertion
    - Subject / NameID - email?
    - Conditions
    - NotBefore + NotOnOrAfter
    - AudienceRestriction - ?
    - AuthnStatement - ?
    http://www.datypic.com/sc/saml2/e-samlp_Response.html
    http://www.datypic.com/sc/saml2/e-saml_Assertion.html

    View Slide

  17. 1. XML -> XXE (+XSD/NS injection?)
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35741
    2. XSS
    - Often show errors for debug
    - Before Sign check
    - Issuer, Destination, StatusCode, etc
    - using the created SAML Response
    - XSS payload -> every “field”
    - encode/CDATA
    Destination="><img/src/onerror=alert(1)>"
    SAML Response

    View Slide

  18. Authentication bypass
    - Disabled sign check - common misconfig
    - No tag - no Sign check
    https://hackerone.com/reports/136169
    - Complicated specifications -
    - nobody uses advanced features
    - Documentation (SP/IdP)?
    - NameID - email
    - Find a registered email?
    - Auto provisioning
    - Create SAML Response(s)
    - Try them
    - Error messages
    https://mishresec.wordpress.com/2017/10/13/uber-bug-bounty-gaining-access-to-an-inter
    nal-chat-system/

    View Slide

  19. KeyInfo
    - Info about the key
    - ds:Signature
    - Self-Signed certificate
    SAML Response

    View Slide

  20. Certificate faking for Authentication bypass
    - Take Certificate from Metadata
    - Import in SAML Raider
    - Sign the created SAML Response(s)
    - Incorrect certificate match
    - Trust KeyInfo certificate
    https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/#certificate-faking
    SAML Response

    View Slide

  21. Dupe Key Confusion (.NET)
    - Alvaro Muñoz, Oleksandr Mirosh at BlackHat 2019
    https://i.blackhat.com/USA-19/Wednesday/us-19-Munoz-SSO-Wars-The-Token-Menace.pdf
    - Better with a valid SAML Response
    SAML Response

    View Slide

  22. Certificate validation to SSRF
    - Trust KeyInfo certificate
    - Certificate validation
    - SSRF in X509 cert
    - Michael Stepankin at BlackHat 2023
    https://github.com/onhexgroup/Conferences/blob/main/Black%20Hat%20USA%202023%20slides/Michael
    %20Stepankin_mTLS%20When%20Certificate%20Authentication%20is%20Done%20Wrong.pdf
    - Java
    - AIA, SIA, CRL DP
    - Created SAML Response
    - Add KeyInfo with SSRF cert
    - Windows? .NET?

    View Slide

  23. Reference dereferencing
    - Data location
    - URI
    - remote files (http, https, etc)
    - local files
    - (Blind) SSRF
    - Everywhere!
    - XML DSig
    - XML Enc
    - Metadata
    - …
    SAML Response

    View Slide

  24. Reference dereferencing (XML DSig)
    - Reference
    https://github.com/IdentityPython/pysaml2/issues/510
    - KeyInfo
    - Java xmlsec. SecureValidation bypass (CVE-2021-40690)
    https://blog.tint0.com/2021/09/pinging-xmlsec.html
    SAML Response

    View Slide

  25. Reference dereferencing (XML Enc)
    - CipherReference
    - DataReference
    - + EncryptedKey -> KeyInfo

    View Slide

  26. Transformations
    - XML “normalization”
    - Additional “preparations”
    - Base64
    - XPath
    - XPath-Filter
    - XSLT (optional)
    - …

    View Slide

  27. Base64 http://www.w3.org/2000/09/xmldsig#base64
    - .NET XXE CVE-2022-34716
    - Decode Reference + Parse XML
    - XXE inside
    https://bugs.chromium.org/p/project-zero/issues/detail?id=2313

    View Slide

  28. XPath http://www.w3.org/TR/1999/REC-xpath-19991116
    - Blind SSRF
    - Mix with Reference (xml files)
    - Error
    - Modified version of a payload for PingIdentity from https://blog.tint0.com/2021/09/pinging-xmlsec.html

    View Slide

  29. XSLT http://www.w3.org/TR/1999/REC-xslt-19991116
    - Java / Santuario (xmlsec) <= 1.4.1 (~ 2010)
    - via Xalan
    - RCE ManageEngine ServiceDesk CVE-2022-47966

    View Slide

  30. xmlsec >= 1.4.2
    - Secure-processing - true
    - Xalan CVE-2014-0107 < 2.7.2
    - Arbitrary class instantiation
    https://blog.viettelcybersecurity.com/saml-show-stopper/

    View Slide

  31. XSLT
    https://blog.viettelcybersecurity.com/saml-show-stopper/

    View Slide

  32. How can we test dereference/transformations?
    - Acunetix
    - No manual tools
    - SAML Raider
    - no Algorithm
    - unparsed-text - XSLT 2.0
    - it won’t detect CVE-2022-47966 (java xmlsec)

    View Slide

  33. Attacks on IdP
    - Signed SAMLRequest (AuthnRequest)
    - SP->IdP
    - Redirect-POST -> POST-POST bindings
    - SAML protocol: LogoutRequest, etc
    - Metadata import (Malicious SP/IdP)
    - Same attack vectors

    View Slide

  34. With creds / Malicious SP/IdP
    - Transformation after Sign check
    - Post-auth
    - “Malicious” SP/IdP
    - Generate a valid signature for arbitrary transformations
    - How?
    SAML Response

    View Slide

  35. More attacks on IdP (w/ creds)
    ACSSpoofing Attack
    - Change SAMLRequest ACS url to an attacker’ server
    - Old https://web-in-security.blogspot.com/2015/04/on-security-of-saml-based-identity.html
    - is it string or url comparison?
    XML injection
    - SAMLRequest is not signed
    - Values from SAMLRequest reflected in SAMLResponse
    - copy as string
    - add new tags/attributes
    - correctly signed
    https://research.nccgroup.com/2021/03/29/saml-xml-injection/

    View Slide

  36. Attacks on SP (w/ creds)
    - Sign check, Cert-related, etc
    - XSW (w/ SAML Raider)
    - XML parsing
    - Comment injection
    https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
    - ~ 2017
    - [email protected]
    - [email protected] vs [email protected]
    - anything ?> - processing instructions inside XML
    - Much more
    - Logic vulnerabilities
    - “how to put things together”
    - very common

    View Slide

  37. Session handling
    RelayState
    - State Preservation
    - URL
    - “Open Redirect”
    https://hackerone.com/reports/1923672
    https://www.anitian.com/owning-saml/

    View Slide

  38. Multitenant (1 SP - many IdPs)
    Don’t trust IdP
    - Auth based on SAML Response
    - Manipulate NameId, Issuer, ACS
    - Email from another tenant -> access
    IdP confusion https://hackerone.com/reports/976603
    - IdP victim - “IdP1”
    - IdP attacker - “IdP1 ” (with a space at the end)
    - Sign check w/ victim’s IdP, log in to the attacker’s account

    View Slide

  39. Recommendations
    - Don’t implement SAML “lib” yourself
    - Use 3rd party libs
    - Update libs systematically
    - Show a generic error
    - Disable unnecessary features
    - KeyInfo? XML Enc?
    - Be careful w/ metadata
    - Always pentest your SAML implementation in SP
    - Pentest your IdP if it’s not SaaS
    - Write me if you have any questions

    View Slide

  40. Big thanks to the researchers of
    mentioned articles/white papers/tools

    View Slide

  41. New cheat sheet about SAML?
    https://github.com/GrrrDog/
    Зеленые лапки расслабленности
    https://t.me/greenrelaxpaws

    View Slide

  42. View Slide