Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SSO and SAML Pentesting

24b7a36b077a5bccb5f9c85f4aa28e6a?s=47 int3
December 19, 2020

SSO and SAML Pentesting

Talk presented by @0xint3 and @ipanda915 at Red Team Security Summit 2020 on SSO and SAML Pentesting

24b7a36b077a5bccb5f9c85f4aa28e6a?s=128

int3

December 19, 2020
Tweet

Transcript

  1. SSO and SAML Pentesting Breaking ‘secure’ authentication systems

  2. Who Are We ? Abhinav Sharma aka @0xint3 > Bug

    Hunter > Web and API Pentesting > Docker and Cloud Naveen Ramesh aka @ipanda915 >Bug Hunter >Web Pentesting > ML and Cloud
  3. What is SSO? Single Sign-On is a feature that allows

    users to access multiple services without logging in multiple times. For example, if you are logged into facebook.com, you wouldn’t have to re-enter your credentials to use messenger.com. If you login into www.google.com, then you are automatically logged-in to all services offered by Google such as mail.google.com, www.youtube.com, play.google.com etc which saves time and effort to re-login.
  4. 1. Cookie Sharing 2. SAML (Security Assertion Markup Language) 3.

    OAuth (Open Authorization) Ways of implementing SSO
  5. What is SAML? Security Assertion Markup Language (SAML) is an

    open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). What that jargon means is that you can use one set of credentials to log into many different websites.
  6. SAML (Security Assertion Markup Language)

  7. 1. The User-Agent (browser) tries to access the resource 2.

    The Service Provider (SP) sends a redirect to the Identity Provider (IDP) 3. The User-Agent follows the redirect an access the IDP. The request contains a SAMLRequest parameter. 4. The IDP sends back a response with a SAMLResponse. 5. The SAMLResponse is submitted by the User-Agent to the SP. 6. The user is now logged in for the Service Provider and can access the resource. How SAML Authentication works?
  8. SAML Response example

  9. What does a typical SAML Login look like? Example: https://jira.gtie.dell.com/

  10. Scenario - 1 : Simple Account Takeover by manipulating SAMLResponse

    The SAMLResponse that is sent by the IdP to the User-agent or the browser is sent by the browser to the SP (Service Provider). That request could be intercepted and an attacker can change the <NAMEID...> in order to change the user, say from testuser@gmail.com to admin@website.com giving him admin access to the website.
  11. SAMLResponse editing with SAML Raider BurpSuite Extension

  12. Scenario - 2 : Account Takeover by SAML Signature Stripping

    If the XML signature logic incorrectly handles signature validation, an attacker can just exclude a signature to create a XML document that passes signature validation. If we remove the contents of SignatureValue and send an empty value, the server sometimes doesn’t verify it and that could be used to bypass the validation.
  13. While pen-testing an application, came across jira.target.com

  14. Scenario - 2

  15. NEPTUNE SATURN

  16. Other attack scenarios 1. XXE via SAML

  17. Other attack scenarios 2. SSRF via SAML Application https://medium.com/@th3g3nt3l/how-i-found-an-ssrf-in-yahoo-guestho use-recon-wins-8722672e41d4

  18. Other attack scenarios 3. Comment Injection in SAMLReponse Most SAML

    libraries will parse the saml:NameID element out of the XML tree, extracting the last text element inside of it and will use that value to identify the user logging in. But… What happens if you break the saml:NameID element up such that it contains an XML comment? <saml:NameID>adm<!-- this is a comment -->in@sp-website.com</saml:NameID> In this scenario, the XML tree, when parsed, will look like so: NameID |_ Text: adm |_ Comment: this is a comment |_ Text: in@sp-website.com And depending on the XML parsing logic used in the SAML library, you can probably see where this is headed: depending on where you insert a comment you can dramatically impact that identity of the user that’s being logged in! More info at: https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability
  19. PREVENTIONS 1 3 2 4 The SAML Assertion should be

    encrypted if this feature is supported by the SP. The AuthnRequest can be signed to help ensure the request is being sent by a trusted SP Use only SHA-2 certificates when designing new SAML workflows TLS v1.2 is the preferred protocol to use when establishing a connection to the SP – it is the only version providing modern authenticated encryption
  20. Thank You!