Other attack scenarios
3. Comment Injection in SAMLResponse
Most SAML libraries locate the saml:NameID element in the parsed XML tree, take the value of a single text node inside it (the last one, in the libraries discussed here) and use that value as the identity of the user logging in. But what happens if you break the saml:NameID element up so that it contains an XML comment? (The address in the page's example was mangled by e-mail obfuscation; in@example.com is used as a stand-in below.)

    <saml:NameID>adm<!--this is a comment-->in@example.com</saml:NameID>

In this scenario, the XML tree, when parsed, looks like so:

    NameID
    |_ Text: adm
    |_ Comment: this is a comment
    |_ Text: in@example.com

The signature does not catch this: XML-DSig canonicalizes the assertion before hashing, and the canonicalization methods normally used with SAML drop comments, so the signed value is the concatenation of the two text nodes (admin@example.com) and the signature still verifies. Depending on the XML parsing logic used in the SAML library you can probably see where this is headed: a library that reads only the last text node logs the user in as in@example.com, one that reads only the first sees adm, and by choosing where you insert the comment you can dramatically change the identity of the user being logged in. On the service-provider side the fix is to reject a NameID that contains anything other than plain text (or, at minimum, to concatenate all of its text nodes) and to update the affected SAML libraries.
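The following is an added example written for this section; it is not code from the original page, from Okta or from any SAML library. It uses only the Python standard library, builds a constructed assertion whose NameID is split by a comment (with the placeholder address in@example.com, so the chunks concatenate to admin@example.com), and shows three things side by side: the vulnerable "last text node" and "first text node" extractors, the value the signature actually covers (computed by canonicalizing without comments, here with the standard library's C14N 2.0 implementation, which drops comments just as the exclusive C14N used with SAML does), and a hardened extractor that rejects any NameID containing non-text children.

```python
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertions (not captured traffic). The NameID in the
# first one is split by an XML comment; "in@example.com" is a placeholder.
SPLIT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>adm<!--this is a comment-->in@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

CLEAN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>admin@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def _name_id_element(xml):
    """Find the single saml:NameID element. minidom keeps comment nodes, so
    the element's children mirror the tree shown in the text above."""
    doc = minidom.parseString(xml)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one saml:NameID")
    return nodes[0]


def _text_nodes(element):
    """Data of every text node directly under the element, in document order."""
    return [n.data for n in element.childNodes if n.nodeType == n.TEXT_NODE]


def name_id_last_text(xml):
    """Vulnerable pattern from the text: identity = last text node only."""
    texts = _text_nodes(_name_id_element(xml))
    return texts[-1] if texts else ""


def name_id_first_text(xml):
    """The other common vulnerable pattern: identity = first text node only."""
    texts = _text_nodes(_name_id_element(xml))
    return texts[0] if texts else ""


def signed_name_id(xml):
    """The NameID value the XML signature actually covers: the assertion is
    canonicalized without comments before hashing, so the comment vanishes
    and the two text chunks fuse into one value."""
    canonical = ET.canonicalize(xml_data=xml, with_comments=False)
    return "".join(_text_nodes(_name_id_element(canonical)))


def accept_name_id(xml):
    """Hardened extraction: return the NameID only when the element holds
    nothing but text nodes. A comment, CDATA section or child element means
    the assertion is rejected (None). Concatenating all text nodes would also
    reproduce the signed value, but rejecting is stricter and easier to audit."""
    element = _name_id_element(xml)
    if any(n.nodeType != n.TEXT_NODE for n in element.childNodes):
        return None
    return "".join(n.data for n in element.childNodes)


if __name__ == "__main__":
    print("last text node :", name_id_last_text(SPLIT_ASSERTION))
    print("first text node:", name_id_first_text(SPLIT_ASSERTION))
    print("signed value   :", signed_name_id(SPLIT_ASSERTION))
    print("hardened split :", accept_name_id(SPLIT_ASSERTION))
    print("hardened clean :", accept_name_id(CLEAN_ASSERTION))
```

Run as a script, the vulnerable extractors return in@example.com and adm for the same signed assertion whose canonical NameID is admin@example.com, which is exactly the mismatch the attack exploits; the hardened extractor returns None for the split assertion and admin@example.com for the clean one.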
More info at: https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability