Testing SAML Endpoints For XML Signature Wrapping Vulnerabilities

A lot can go wrong when validating SAML messages. When auditing SAML endpoints, it's important to look out for vulnerabilities in the signature validation logic. XML Signature Wrapping (XSW) against SAML is an attack where manipulated SAML message is submitted in an attempt to make the endpoint validate the signed parts of the message -- which were correctly validated -- while processing a different attacker-generated part of the message as a way to extract the authentication statements. Because the attacker can arbitrarily forge SAML assertions which are accepted as valid by the vulnerable endpoint, the impact can be severe. [1,2,3]

Testing for XSW vulnerabilities in SAML endpoints can be a tedious process, as the auditor needs to not only know the details of the various XSW techniques, but also must handle a multitude of repetitive copy-and-paste tasks and apply the appropriate encoding onto each message. The latest revision of the XSW-Attacker module in our BurpSuite extension EsPReSSo helps to make this testing process easier, and even comes with a semi-automated mode. Read on to learn more about the new release! 

 SAML XSW-Attacker

After a signed SAML message has been intercepted using the Burp Proxy and shown in EsPReSSO, you can open the XSW-Attacker by navigating to the SAML tab and then the Attacker tab.  Select Signature Wrapping from the drop down menu, as shown in the screenshot below:

To simplify its use, the XSW-Attacker performs the attack in a two step process of initialization and execution, as reflected by its two tabs Init Attack and Execute Attack. The interface of the XSW-Attacker is depicted below.

XSW-Attacker overview

The Init Attack tab displays the current SAML message. To execute a signature wrapping attack, a payload needs to be configured in a way that values of the originally signed message are replaced with values of the attacker's choice. To do this, enter the value of a text-node you wish to replace in the Current value text-field. Insert the replacement value in the text-field labeled New value and click the Add button. Multiple values can be provided; however, all of which must be child nodes of the signed element. Valid substitution pairs and the corresponding XPath selectors are displayed in the Modifications Table. To delete an entry from the table, select the entry and press `Del`, or use the right-click menu.

Next, click the Generate vectors button - this will prepare the payloads accordingly and brings the Execute Attack tab to the front of the screen.

At the top of the Execute Attack tab, select one of the pre-generated payloads. The structure of the selected vector is explained in a shorthand syntax in the text area below the selector.
The text-area labeled Attack vector is editable and can be used to manually fine-tune the chosen payload if necessary. The button Pretty print opens up a syntax-highlighted overview of the current vector.
To submit the manipulated SAML response, use Burp's Forward button (or Go, while in the Repeater).

Automating XSW-Attacker with Burp Intruder

Burp's Intruder tool allows the sending of automated requests with varying payloads to a test target and analyzes the responses. EsPReSSO now includes a Payload Generator called XSW Payloads to facilitate when testing the XML processing endpoints for XSW vulnerabilities. The following paragraphs explain how to use the automated XSW attacker with a SAML response.

First, open an intercepted request in Burp's Intruder (e.g., by pressing `Ctrl+i`). For the attack type, select Sniper. Open the Intruder's Positions tab, clear all payload positions but the value of the XML message (the `SAMLResponse` parameter, in our example). Note: the XSW-Attacker can only handle XML messages that contain exactly one XML Signature.
Next, switch to the Payloads tab and for the Payload Type, select Extension-generated. From the newly added Select generator drop-down menu, choose XSW Payloads, as depicted in the screenshot below.

While still in the Payloads tab, disable the URL-encoding checkbox in the Payload Encoding section, since Burp Intruder deals with the encoding automatically and should suffice for most cases.
Click the Start Attack button and a new window will pop up. This window is shown below and is similar to the XSW Attacker's Init Attack tab.

Configure the payload as explained in the section above. In addition, a schema analyzer can be selected and checkboxes at the bottom of the window allow the tester to choose a specific encoding. However, for most cases the detected presets should be correct.

Click the Start Attack button and the Intruder will start sending each of the pre-generated vectors to the configured endpoint. Note that this may result in a huge number of outgoing requests. To make it easier to recognize the successful Signature Wrapping attacks, it is recommended to use the Intruder's Grep-Match functionality. As an example, consider adding the replacement values from the Modifications Table as a Grep-Match rule in the Intruder's Options tab. By doing so, a successful attack vector will be marked with a checkmark in the results table, if the response includes any of the configure grep rules.

Credits

EsPReSSO's XSW Attacker is based on the WS-Attacker [4] library by Christian Mainka and the original adoption for EsPReSSO has been implemented by Tim Günther.
Our students Nurullah Erinola, Nils Engelberts and David Herring did a great job improving the execution of XSW and implementing a much better UI.

---

[1] On Breaking SAML - Be Whoever You Want to Be
[2] Your Software at My Service
[3] Se­cu­ri­ty Ana­ly­sis of XAdES Va­li­da­ti­on in the CEF Di­gi­tal Si­gna­tu­re Ser­vices (DSS)
[4] WS-Attacker

Related posts

1. How To Hack
2. Pentest Tools Framework
3. Pentest Tools Bluekeep
4. Hacking Tools Online
5. Hacks And Tools
6. Best Hacking Tools 2019
7. Pentest Tools For Android
8. Hacker Tools 2020
9. Hacker Tools For Pc
10. Hacking Tools For Windows Free Download
11. Best Pentesting Tools 2018
12. Hacking Tools For Windows 7
13. Underground Hacker Sites
14. Pentest Tools Review
15. Hacking Tools For Mac
16. Hacking Tools Name
17. Hacker Tools Software
18. Hack Tools For Ubuntu
19. Hacker
20. Github Hacking Tools
21. Pentest Tools
22. Hacker Tools Free Download
23. Hacking Tools For Beginners
24. Hacker Tools Mac
25. Hacking Tools For Windows 7
26. Hack Tools For Games
27. Free Pentest Tools For Windows
28. Hacking Tools For Kali Linux
29. Hackers Toolbox
30. Hack Tools Pc
31. Kik Hack Tools
32. Hacking Tools Pc
33. Nsa Hacker Tools
34. Hacking Tools Online
35. Termux Hacking Tools 2019
36. Hack Tools For Pc
37. Pentest Tools Website
38. Hacking Tools Mac
39. Nsa Hack Tools
40. Hack Tools For Pc
41. Hacker Search Tools
42. Hacker Tools For Windows
43. Hack Website Online Tool
44. Hacking Tools Free Download
45. Growth Hacker Tools
46. Hack Tools Mac
47. Hacker Tools For Mac
48. Pentest Tools Review
49. Hacking Tools Download
50. Best Hacking Tools 2019
51. Growth Hacker Tools
52. Hacking Tools For Mac
53. Bluetooth Hacking Tools Kali
54. Pentest Tools Url Fuzzer
55. Pentest Tools Framework
56. Hack Tools For Mac
57. Hacking Tools 2020
58. Hacking Tools Download
59. What Are Hacking Tools
60. Hacking Tools Software
61. What Are Hacking Tools
62. Black Hat Hacker Tools
63. Hacker
64. Hak5 Tools
65. Hack Tools For Mac
66. Hack App
67. Hack Tools Mac
68. Hacker Tools For Ios
69. Hacking Tools For Kali Linux
70. Top Pentest Tools
71. Pentest Tools For Android
72. Hacker Tools For Ios
73. Pentest Tools Framework
74. Hack Tools Download
75. Pentest Tools Find Subdomains
76. Hacker Tools 2020
77. How To Hack
78. Nsa Hack Tools
79. Pentest Tools Review
80. Hacker Tools Free
81. Hacker
82. Nsa Hack Tools
83. Best Pentesting Tools 2018
84. Pentest Tools Tcp Port Scanner
85. Hack Website Online Tool
86. Hack Tools
87. What Is Hacking Tools
88. Nsa Hack Tools
89. Blackhat Hacker Tools
90. Hacking Tools Usb
91. Install Pentest Tools Ubuntu
92. Hacks And Tools
93. Pentest Tools Nmap
94. Hacking Tools Name
95. Pentest Tools Subdomain
96. Hack Tools Pc
97. Hack Tools Github
98. Hack Tools For Ubuntu
99. Hacker Tools Windows
100. Pentest Tools Website
101. Hack Tools Online
102. Hack Tool Apk
103. Pentest Tools Github
104. Hacker Tools Free
105. Hack Tools Download
106. Pentest Tools Alternative
107. Pentest Tools Framework
108. Hacks And Tools
109. Computer Hacker
110. Blackhat Hacker Tools
111. Hacking Tools Mac
112. Hak5 Tools
113. Hacker Tools Software
114. Pentest Tools Download
115. Hacker Tools Free
116. Hack App
117. Tools For Hacker
118. Bluetooth Hacking Tools Kali
119. Nsa Hack Tools Download
120. Pentest Automation Tools
121. Hacking Tools And Software
122. Pentest Tools Bluekeep
123. New Hacker Tools
124. Hacking Tools Free Download
125. Pentest Tools Open Source
126. Pentest Tools Android
127. Nsa Hack Tools Download
128. How To Hack
129. Pentest Tools Kali Linux
130. Pentest Tools Kali Linux
131. Hacking Tools 2020
132. Hack Tools Mac
133. Hack Rom Tools
134. Hacking Tools Name
135. Tools Used For Hacking
136. Tools 4 Hack
137. Hack Tools Online
138. Hacking Tools Online
139. Hack Tools Online
140. Hacker Tools Mac
141. Hackers Toolbox
142. Beginner Hacker Tools
143. Pentest Tools Windows
144. Hacking Tools Windows 10
145. Pentest Tools For Mac
146. Hacker Search Tools
147. Hack Tools Download
148. Tools For Hacker
149. Hack And Tools
150. Best Pentesting Tools 2018
151. Hacking App
152. Hacking Tools For Windows Free Download
153. New Hacker Tools
154. Pentest Tools Website
155. Hacking Tools Kit
156. Top Pentest Tools
157. Computer Hacker
158. Pentest Tools Website
159. Computer Hacker
160. Hacking Tools For Windows 7
161. Hacker Tools Hardware
162. Hack Tools For Mac