Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The Fragile Lock: Novel Bypasses For SAML Authentication- 1832

Zakhar Fedotkin - Portswigger Labs. Posted 3 Months Ago
  • Security Assertion Markup Language (SAML) is an authentication standard built on XML. This article dives into some of the issues around SAML and XML parsers that lead to major security issues.
  • The Service Provider-Initiated SAML flow is the most common way that users authenticate through SAML. When a user tries to access a protected resource, a redirect to the Identity Provider (IdP) is made for verification. The IdP receives the request, verifies its validity and issues a SAML response containing a digitally signed assertion. The response is sent back via the user's browser to the service provider. The service provider then verifies the digital signature and extracts the user information required for authorization checks.
  • XML Signature Wrapping Attacks (XSW) occur when signature validation and assertion processing are handled by different modules or even different XML parsers. This is a classic gap between the verification step and the use step. In a previous blog post on Gitlab, another Portswigger researcher showed how it was possible to bypass authentication using differences between parsers. This is discussed as a starting point for looking for other issues in the same Ruby SAML parser.
  • The new issue is around canonicalization. In SAML, the XML needs to be put into a canonical form in order to be signed. According to the specification, relative URIs cannot be used, and a parser that comes across one should return an error rather than an empty string. Since most parsers continue on instead, the data being signed over is effectively null! If you had a signature for null, you'd be able to abuse this issue as a golden ticket.
  • How do we get the signature? Sometimes the error messages are signed. By causing an error prior to signing, an empty string may be signed. SAML metadata can be another route for this as well.
  • Overall, a good post on XML processing for SAML. I personally found the article a little hard to follow with what was novel/new and what was prior knowledge. The void-canonical issue was super interesting!
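The void-canonical point above is easier to see in code. The following is an added example, not code from the article or from any SAML library: a toy reference resolver and verifier (HMAC stands in for the XML-DSig signature, and the document, key and URIs are constructed). A lenient resolver turns an unresolvable or relative Reference URI into empty bytes, so a signature over the empty string verifies; a strict resolver refuses the reference and never compares a signature over nothing.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: a SAML-like response carrying one Assertion to be signed.
SAMPLE = ('<Response xmlns="urn:example:saml">'
          '<Assertion ID="a1"><Subject>alice</Subject></Assertion></Response>')
KEY = b"constructed-demo-key"  # hypothetical stand-in for the IdP signing key


def resolve_reference(root, uri, strict=True):
    """Return the canonical (C14N) bytes that a Reference URI points at.

    Same-document fragments (#id) are the normal SAML case. Any other URI,
    including a relative one, is the situation the article describes:
    a strict resolver refuses it (None); a lenient one silently yields b''.
    """
    if uri.startswith("#"):
        for el in root.iter():
            if el.get("ID") == uri[1:]:
                canon = ET.canonicalize(ET.tostring(el, encoding="unicode"))
                return canon.encode()
    return None if strict else b""


def sign(data):
    # HMAC replaces the real RSA/ECDSA XML-DSig signature; what matters here
    # is which bytes end up under the signature.
    return hmac.new(KEY, data, "sha256").hexdigest()


def sign_reference(xml_text, uri):
    canon = resolve_reference(ET.fromstring(xml_text), uri, strict=True)
    if canon is None:
        raise ValueError(f"cannot sign unresolvable reference {uri!r}")
    return sign(canon)


def verify(xml_text, uri, signature, strict=True):
    """Strict mode rejects unresolvable references and empty canonical output;
    lenient mode reproduces the bug: it happily verifies a signature over b''."""
    canon = resolve_reference(ET.fromstring(xml_text), uri, strict)
    if canon is None or (strict and not canon):
        return False
    return hmac.compare_digest(sign(canon), signature)
```

Run `verify(SAMPLE, "relative.xml", sign(b""), strict=False)` against the strict variant to see the difference: the same signature over empty bytes is accepted by the lenient verifier and refused by the strict one.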