Continuing with the test cases that need to be validated when performing SAML penetration testing...
SAML Signature Validation:
Description: The application does not validate the SAML (Security Assertion Markup Language) signature. When the application accepts a weak signature algorithm together with a self-signed certificate, an attacker can potentially change the “DigestValue” and the “SignatureValue”. SAML messages should carry a timestamp stating when the message was issued, when it expires, or both. If the SAML message never expires, or if the expiration is not honored, a captured message remains usable by an attacker for much longer. Check the message for timestamps such as the IssueInstant or NotOnOrAfter attributes of the assertion.
Remediation: Validate the SAML signature when the response/assertion is delivered to the Service Provider (SP). Signatures made with certificates that are not issued by a real CA are prone to cloning, so ensure the certificate used to sign the SAML message is issued by a real CA. If the certificate is self-signed, a tester can clone it or create their own self-signed certificate to replace it. Keep the expiration window within 1-5 minutes and do not allow the message to be reproduced (replayed).
How to check for this bug:
—> SAML Signature Not Validated: Missing Signature
In Burp, install the "SAML Raider" extension.
Capture the SAML request in Burp and send it to Burp Repeater.
In the SAML Raider tab, click the "Remove Signature" button.
Click the "Go" button and observe the response in Burp Repeater. Check whether any error message about the signature is returned; if the response is accepted without one, the signature is not being validated.
—> Weak Signature Algorithm
Capture the SAML request in Burp and send it to Burp Repeater.
Observe whether the application is using a weak signature algorithm.
—> Weak Signature Algorithm With Self Signed Certificate
Capture the SAML request in Burp and send it to Burp Repeater.
Save and self-sign the certificate so that you have a self-signed copy of the same certificate (click "Send Certificate to SAML Raider Certs", which sends the certificate to the "SAML Raider Certificates" tab).
Re-sign the original request with the new certificate, either by signing the whole message or only the assertion.
Click the "Go" button to send the request.
Verify whether the response is accepted as valid.
—> SAML Certificate Validity and Message Replay Attack
Capture the SAML request in Burp and send it to Burp Repeater.
Observe whether the expiration window is reasonable, e.g. 1-5 minutes (certificate validity).
Pause the request until the expiration has passed, then allow it through to the SP (message replay).
Verify whether the response is accepted as valid.
Access Control Check (Account Compromise)
Description: When the application fails to validate the signature in the SAML message, an attacker can potentially modify the assertion to carry another user's details and access the resources designated for that user.
Remediation: Signatures made with certificates not issued by a real CA are prone to cloning; ensure the certificate used to sign the SAML message is issued by a real CA. If the certificate is self-signed, a tester can clone it or create their own self-signed certificate to replace it.
How to check for this bug:
Log in to the application with “UserA”.
Capture the "SAMLResponse" message and, in the Burp SAML Raider menu, click the "Remove Signature" option.
Note that the signature is removed from the "SAMLResponse".
Modify the "Name" attribute in the assertion from “UserA” to “UserB”.
Change the UserId to a different valid user; bonus points if that user is an admin.
Change the UserId to a different invalid user; sometimes an application grants default permissions or even higher privileges to an unmapped user.
Observe whether the application completes the login and presents “UserB”'s home page.
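The defensive counterpart to the three signature test cases above (missing signature, weak algorithm, self-signed certificate) and to this account-compromise check is a strict policy gate in the SP. The Python below is an added example written for this post, not code from SAML Raider or from any SP implementation: it refuses unsigned responses, refuses any SignatureMethod or DigestMethod outside an allowlist, and accepts a certificate embedded in KeyInfo only if its SHA-256 fingerprint matches one pinned from IdP metadata. The allowlists, the pinned-fingerprint set and the sample response with its placeholder certificate are assumptions constructed for the example; verification of the SignatureValue itself is left to an XML-DSig library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Allowlists (policy assumption): anything else, e.g. rsa-sha1 or md5, is refused
# before any cryptography runs.
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
ALLOWED_DIGEST_METHODS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint of the base64 DER blob found in ds:X509Certificate."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def check_signature_policy(response_xml: str, pinned_fingerprints: set):
    """Policy gate run before an XML-DSig library verifies SignatureValue.

    Returns (accepted, reason). A signature must exist, must use a strong
    algorithm, and any certificate it carries must already be trusted (pinned
    from IdP metadata); the certificate inside the message is attacker input.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"

    # A signature on the assertion or on the whole response is acceptable; none is not.
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        signature = root.find("ds:Signature", NS)
    if signature is None:
        return False, "missing signature"

    method = signature.find("ds:SignedInfo/ds:SignatureMethod", NS)
    algorithm = method.get("Algorithm") if method is not None else None
    if algorithm not in ALLOWED_SIGNATURE_METHODS:
        return False, f"weak or missing SignatureMethod: {algorithm}"
    for digest in signature.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
        if digest.get("Algorithm") not in ALLOWED_DIGEST_METHODS:
            return False, f"weak DigestMethod: {digest.get('Algorithm')}"

    # A cloned or substituted self-signed certificate has a different fingerprint
    # from the pinned IdP certificate and fails here.
    cert = signature.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is not None and cert.text:
        if cert_fingerprint(cert.text) not in pinned_fingerprints:
            return False, "embedded certificate is not a pinned IdP certificate"
    return True, "signature policy satisfied; proceed to cryptographic verification"


# Constructed placeholder, not a real DER certificate; a real SP pins the metadata cert.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder certificate bytes").decode()


def signature_block(signature_alg: str, digest_alg: str, cert_b64: str = PLACEHOLDER_CERT_B64) -> str:
    """Constructed ds:Signature skeleton; DigestValue and SignatureValue are placeholders."""
    return f"""<ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{signature_alg}"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="{digest_alg}"/>
          <ds:DigestValue>placeholder</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>"""


def build_response(signature_xml: str) -> str:
    """Constructed sample SAMLResponse; the signature block is injected so variants can be compared."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    {signature_xml}
    <saml:Subject><saml:NameID>UserA</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    pins = {cert_fingerprint(PLACEHOLDER_CERT_B64)}
    strong = build_response(signature_block(
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmlenc#sha256"))
    print(check_signature_policy(strong, pins))                # accepted
    print(check_signature_policy(build_response(""), pins))    # signature removed
    print(check_signature_policy(build_response(signature_block(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1")), pins))
    print(check_signature_policy(strong, set()))               # certificate not pinned
```

The four runs in `__main__` correspond to the test cases above: a well-formed response passes, a response with the signature stripped, one re-signed with SHA-1, and one carrying a certificate the SP has not pinned are all refused before any signature mathematics is attempted.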
SAML - Session Validation and Reauthentication
Description: A user's session should not remain signed in indefinitely; it should expire when idle. The session timeout value is usually set in the SAML response or configured per account.
Remediation: Don't let a user stay signed in indefinitely: expire idle user sessions. Use the session timeout value from the SAML response, or have a setting per account. When a user clicks a link in the app after the session has expired, the app should send a SAML request to the identity provider to check whether the user is still authorized to sign in.
How to check for this bug:
- When a user clicks a link in the app after the session has expired, verify that the application sends a SAML request to the identity provider to check whether the user is still authorized to sign in.
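The timestamp checks from the certificate validity / message replay test case above and the session-lifetime requirement of this section can be enforced together on the SP side. The Python below is an added example, not code from the post or from any SAML library: it enforces IssueInstant freshness and the NotBefore/NotOnOrAfter window with a small clock-skew allowance, refuses an assertion ID that has already been consumed, and then derives the application session deadline from SessionNotOnOrAfter combined with an idle timeout. The 5-minute age limit, 60-second skew, 15-minute idle timeout and the sample response are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Policy values (assumptions): the post recommends a 1-5 minute window; the skew
# allowance covers clock drift between IdP and SP.
MAX_ASSERTION_AGE = timedelta(minutes=5)
CLOCK_SKEW = timedelta(seconds=60)
IDLE_TIMEOUT = timedelta(minutes=15)


def parse_ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


class ReplayCache:
    """Remembers assertion IDs until their NotOnOrAfter so a resubmitted copy is refused."""

    def __init__(self):
        self._seen = {}

    def first_use(self, assertion_id, expires: datetime, now: datetime) -> bool:
        # Forget entries that can no longer be replayed, then record this one.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def validate_assertion_times(response_xml: str, now: datetime, cache: ReplayCache):
    """Check IssueInstant, NotBefore/NotOnOrAfter and replay; return (ok, reason, session_deadline)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response", None

    issued = parse_ts(assertion.get("IssueInstant"))
    if issued - CLOCK_SKEW > now:
        return False, "IssueInstant is in the future", None
    if now - issued > MAX_ASSERTION_AGE:
        return False, "assertion too old", None

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or not conditions.get("NotOnOrAfter"):
        return False, "no NotOnOrAfter: assertion would never expire", None
    not_on_or_after = parse_ts(conditions.get("NotOnOrAfter"))
    if now >= not_on_or_after + CLOCK_SKEW:
        return False, "assertion expired", None
    if conditions.get("NotBefore") and now < parse_ts(conditions.get("NotBefore")) - CLOCK_SKEW:
        return False, "assertion not yet valid", None

    if not cache.first_use(assertion.get("ID"), not_on_or_after, now):
        return False, "assertion ID already consumed (replay)", None

    # The application session may not outlive what the IdP granted.
    session_deadline = not_on_or_after
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        session_deadline = parse_ts(authn.get("SessionNotOnOrAfter"))
    return True, "ok", session_deadline


def session_active(now: datetime, last_seen: datetime, deadline: datetime) -> bool:
    """An app session is alive only while within the IdP deadline and not idle too long."""
    return now < deadline and (now - last_seen) < IDLE_TIMEOUT


# Constructed sample response (no signature shown; signature policy is a separate check).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>UserA</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"
        SessionNotOnOrAfter="2024-05-01T20:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    cache = ReplayCache()
    now = parse_ts("2024-05-01T12:01:00Z")
    print(validate_assertion_times(SAMPLE_RESPONSE, now, cache))   # accepted, deadline 20:00Z
    print(validate_assertion_times(SAMPLE_RESPONSE, now, cache))   # same message again: replay
    print(validate_assertion_times(SAMPLE_RESPONSE, parse_ts("2024-05-01T12:10:00Z"), ReplayCache()))
```

Holding the message in Repeater past its window, as the test step does, hits the age or expiry checks; sending the same captured message twice hits the replay cache; and the returned session deadline is what the application should combine with its own idle timeout when deciding whether a later click needs a fresh round trip to the identity provider.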
SAML XML External Entity Attack
Description: This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Remediation: The safest way to prevent XXE is to disable DTDs (and with them external entities) completely.
How to check for this bug:
Capture the "SAMLResponse" message and send it to Burp Repeater.
In Burp Repeater, add the payload below (as shown in the screenshot) before the XML body.
<!DOCTYPE foo [<!ENTITY indrsany SYSTEM "http:// copy the payload from Burp Collaborator Client">]>
Open the "Burp Collaborator Client" under the "Burp" menu at the top-left of the screen.
Make sure the "Include Collaborator server location" check box is selected.
Click the "Copy to clipboard" button, paste the copied content into the placeholder in the payload, reference the defined entity “indrsany” in the saml issuer parameter (xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"), and then click the "Go" button.
Observe in the Burp Collaborator Client that an HTTP request is made to the collaborator server, indicating that the parser processed the injected external entity.
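On the defending side, the remediation above (disable DTDs completely) can be enforced before the SAML XML is parsed at all. The Python below is an added example, not code from the post or from any SAML library: it walks the message with the standard-library expat parser and aborts on the first DOCTYPE, entity declaration or external entity reference, then hands only clean documents to ElementTree. The sample messages are constructed; the XXE sample mirrors the shape of the payload in the test step with a placeholder where a Collaborator URL would go.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class UnsafeXMLError(ValueError):
    """Raised when a SAML message contains constructs the hardened parser refuses."""


def refuse_dtd(xml_bytes: bytes) -> None:
    """Run expat over the document and abort at the first DOCTYPE, entity declaration
    or external entity reference.

    SAML has no legitimate use for a DTD, so the whole class is rejected up front
    rather than relying on parser defaults (the same approach defusedxml takes).
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration refused (name={name!r}, system={system_id!r})")

    def on_entity_decl(*_):
        raise UnsafeXMLError("entity declaration refused")

    def on_external_ref(*_):
        raise UnsafeXMLError("external entity reference refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)


def parse_saml_issuer(xml_bytes: bytes) -> str:
    """Parse a SAML message only after the DTD gate passes and return its Issuer text."""
    refuse_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    return issuer.text if issuer is not None else ""


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the message parses cleanly, False if the gate (or the parser) refused it."""
    try:
        parse_saml_issuer(xml_bytes)
        return True
    except (UnsafeXMLError, ET.ParseError):
        return False


# Constructed samples. XXE_RESPONSE follows the shape of the payload in the test step,
# with a placeholder host in place of a Collaborator URL.
SAFE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
</samlp:Response>"""

XXE_RESPONSE = b"""<!DOCTYPE foo [<!ENTITY indrsany SYSTEM "http://collaborator-placeholder.invalid/">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>&indrsany;</saml:Issuer>
</samlp:Response>"""

# Even a DOCTYPE without any entity is refused: the policy is "no DTD", not "no XXE".
DOCTYPE_ONLY = b"""<!DOCTYPE samlp:Response>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>"""


if __name__ == "__main__":
    print(parse_saml_issuer(SAFE_RESPONSE))   # https://idp.example.test
    print(is_accepted(XXE_RESPONSE))          # False
    print(is_accepted(DOCTYPE_ONLY))          # False
```

Because the gate rejects the DOCTYPE itself, it never matters whether the underlying parser would have fetched the SYSTEM URL; a Collaborator interaction cannot occur from a message that is dropped before the entity is ever resolved.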
Unsigned Logout Request
Description: When a logout request is sent from one application, it triggers single logout across all participating applications. These logout requests also carry signatures and can be exploited if the signatures are not validated properly.
Remediation: Validate the SAML body properly and bind the signature to the user it covers, so that only the intended user is logged out and access is not denied to other users.
How to check for this bug:
Check whether a signature is present in the logout request.
Check for any user-specific data in the SAML request.
Retain the signature, modify the user-specific data to that of another random user, and then forward the request.
Observe whether the service is now denied for the second user.
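The remediation for this test case is to bind a LogoutRequest to the one session it is allowed to end. The Python below is an added example written for this post, not code from any SAML implementation: it refuses an unsigned request, checks the Issuer, and terminates a session only when the NameID and SessionIndex in the request match what the SP recorded at login, so user data swapped into an otherwise intact request cannot log anyone else out. Verification of the signature itself is delegated to an XML-DSig library; the request builder, the issuer URL and the recorded session are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed configuration: the IdP entity ID the SP trusts.
IDP_ISSUER = "https://idp.example.test"

# What the SP recorded when UserA's assertion was accepted (constructed).
SESSION_A = {"name_id": "UserA", "session_index": "_s1"}


def validate_logout_request(logout_xml: str, session: dict, expected_issuer: str):
    """Decide whether a LogoutRequest may terminate the given application session.

    Returns (accepted, reason). The request is honoured only for the exact
    principal and session the SP recorded at login. Cryptographic verification
    of ds:Signature belongs to an XML-DSig library; its presence is required here.
    """
    root = ET.fromstring(logout_xml)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        return False, "not a LogoutRequest"
    if root.find("ds:Signature", NS) is None:
        return False, "unsigned LogoutRequest refused"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer is not the configured IdP"

    name_id = root.findtext("saml:NameID", namespaces=NS)
    if name_id != session["name_id"]:
        # Signed request, but for someone else: ending this session would deny
        # service to a user the IdP never asked to log out.
        return False, f"NameID {name_id!r} does not belong to this session"
    session_index = root.findtext("samlp:SessionIndex", namespaces=NS)
    if session_index is not None and session_index != session["session_index"]:
        return False, "SessionIndex does not match this session"
    return True, f"terminate session of {name_id}"


def build_logout_request(name_id: str, session_index: str, signed: bool = True) -> str:
    """Constructed LogoutRequest; the ds:Signature is a placeholder skeleton."""
    signature = ("<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder"
                 "</ds:SignatureValue></ds:Signature>") if signed else ""
    return f"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_lr1" Version="2.0" IssueInstant="2024-05-01T12:30:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  {signature}
  <saml:NameID>{name_id}</saml:NameID>
  <samlp:SessionIndex>{session_index}</samlp:SessionIndex>
</samlp:LogoutRequest>"""


if __name__ == "__main__":
    print(validate_logout_request(build_logout_request("UserA", "_s1"), SESSION_A, IDP_ISSUER))
    # The test step above: signature retained, user data swapped to another user.
    print(validate_logout_request(build_logout_request("UserB", "_s1"), SESSION_A, IDP_ISSUER))
    print(validate_logout_request(build_logout_request("UserA", "_s1", signed=False), SESSION_A, IDP_ISSUER))
```

The second run is the scenario from the test steps: the signature is still there but the user-specific data now names UserB, and the SP declines to act on it because UserB is not the principal of the session being processed.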
Now let's dive into XML Signature Wrapping (XSW) in Part 4... Coming soon! 🚀