On Breaking SAML: Be Whoever You Want to Be OWASP The OWASP Foundation Juraj Somorovsky and Christian Mainka

Transcription

1 On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky and Christian Mainka Horst-Görtz Institute for IT-Security Ruhr-University Bochum Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation

2 Motivation XML Security W3C Standards: XML Signature and XML Encryption Describe various methods for applying cryptographic algorithms to XML documents <?xml version='1.0'?> <PaymentInfo xmlns=' <Name>John Smith</Name> <CreditCard Limit='5,000' Currency='USD'> <Number> </Number> <Issuer>Example Bank</Issuer> <Expiration>04/02</Expiration> </CreditCard> </PaymentInfo> 2

3 Motivation XML Security Usage: Web Services: Method for machine-to-machine communication over networks Used in commerce, finance, government, military, XML Client Web Service 3

4 Motivation XML Security New standards, new attacks Last year: Signature Wrapping attacks on Amazon and Eucalyptus cloud interfaces Attacks on XML Encryption Today: Attacks on SAML-based Single Sign-On systems Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, Meiko Jensen: On Breaking SAML: Be Whoever You Want to Be - In Proceedings of USENIX Security, 2012 WS-Attacker: first automated penetration testing tool for XML Security in Web Services 4

5 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

6 Motivation Single Sign-On Too many identities / passwords Solution: Single Sign-On Website Visit and redirect Service Provider User: Bob Role: guest User: Bob Role: guest User: Bob Role: guest Identity Provider Advantages: one password for users, no password management for Service Providers 6

7 Motivation Single Sign-On OpenID OAuth Security Markup Language (SAML) OASIS Web Services or browser-based Single Sign-On Authentication Statements stored in s 7

8 Motivation Single Sign-On How do we secure the messages? Does SSL / TLS help? Website Visit and redirect Service Provider User: Bob Role: guest User: Bob Role: guest User: Bob Role: guest Identity Provider Messages secured only during transport! 8

9 Motivation Single Sign-On Does SSL / TLS help? Website Visit and redirect Service Provider User: Admin Bob Role: Admin guest User: Admin Bob Role: Admin guest User: Bob Role: guest Identity Provider Need for message level security! 9

10 Motivation Single Sign-On Message level security? Website Visit and redirect Service Provider User: Admin Bob Role: Admin guest User: Admin Bob Role: Admin guest User: Bob Role: guest Identity Provider Realized using XML Signatures Are we secure? 10

11 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

12 SAML <saml: ID="123"> <saml:issuer> <saml:> </saml:> <saml:conditions NotBefore=" T14:42:00Z" NotOnOrAfter=" T14:47:00Z"> <saml:audiencerestriction> <saml:audience> </saml:audiencerestriction> </saml:conditions> </saml:> Issuer SecureIdP NameID Bob Conditions Audience SecureSP 12

13 Securing SAML with XML Signature Two typical usages Id= 123 Signature SignedInfo Reference URI= #123 DigestValue SignatureValue Bob Id= 123 Signature SignedInfo Reference URI= #123 DigestValue SignatureValue Bob 13

14 Securing SAML with XML Signature Naive (typical) processing: 1. Signature validation: Id-based 2. evaluation: /// Signature SignedInfo Reference DigestValue Id= 123 URI= #123 SignatureValue Bob Signatur e SignedI nfo Referen SignatureValue ce DigestVa lue Id= 123 URI= #123 Signature Verification valid Evaluation Bob Bob 14

15 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

16 XML Signature Wrapping Attack on SAML Id= 123 Id= evil Signature SignedInfo Reference URI= #123 Id= 123 Bob 1. Place the original including its element into another element 2. Change the Id of the original element 3. The Reference now points to the original element: signature is valid 4. Insert a new Admin Bob 16

17 XML Signature Wrapping Attack on SAML 17 Signature Verification Evaluation valid Admin Signat ure Signe dinfo Refer ence URI= #123 Id= 123 Bob Id= 123 Bob Id= evil Admin Signature SignedInfo Reference URI= #123 Id= 123 Bob Id= 123 Bob Id= evil Admin

18 XML Signature Wrapping Attack on SAML Threat model Change arbitrary data in the :, Timestamp... Attacker: everybody who can gain a signed Registering by the Identity Provider 2. Message eavesdropping 3. Google Hacking 18

19 XML Signature Wrapping Attack on SAML Service Provider User: Admin Bob Role: Admin guest User: Admin Bob Role: Admin guest Id= 123 Id= evil Signature SignedInfo Reference URI= #123 Id= 123 Bob Bob Admin User: Bob Role: guest Identity Provider 19

20 XML Signature Wrapping Attack on SAML How about them? Framework / Provider Application Apache Axis 2 SOAP WSO2 Web Services Guanxi HTTP Sakai Project ( Higgins 1.x HTTP Identity project IBM Datapower XS40 SOAP Enterprise XML Security Gateway JOSSO HTTP Motorola, NEC, Redhat WIF HTTP Microsoft Sharepoint 2010 OIOSAML HTTP Danish egovernment (e.g. OpenAM HTTP Enterprise-Class Open Source SSO OneLogin HTTP Joomla, Wordpress, SugarCRM, Drupal OpenAthens HTTP UK Federation ( OpenSAML HTTP Shibboleth, SuisseID Salesforce HTTP Cloud Computing and CRM SimpleSAMLphp HTTP Danish e-id Federation ( WSO2 HTTP WSO2 ESB 20

21 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

22 XML Signature Wrapping Attack on SAML Results Guanxi, JOSSO WSO2 Id= 123 Id= evil Signature SignedInfo Reference URI= #123 Id= 123 Bob Admin Bob Bob Signature SignedInfo Reference Admin Bob Id= 123 Id= evil Id= 123 URI= #123 22

23 XML Signature Wrapping Attack on SAML Results Higgins, Apache Axis2, IBM XS 40 OpenAM, Salesforce Id= evil Id= evil Admin Admin Signature SignedInfo Id= 123 Signature SignedInfo Reference URI= #123 Reference URI= #123 Id= 123 Bob Bob 23

24 Attack on OpenSAML Is Signature Wrapping always that easy? OpenSAML implemented a few countermeasures: 1. Checked if the signed assertion has the same ID value as the processed one 2. Validated XML Schema Not possible to insert two elements with the same ID values 24

25 Attack on OpenSAML 1. ID values checking: Basic idea using two identical ID values 2. XML Schema validation: 1. Put the into an extensible element (e.g. <Extensions>) 2. Two identical ID attributes (XML Xerces Parser bug) Which element is verified? C++ takes the first found element OpenSAML C++ Extensions Id= 123 Bob Id= 123 Signature SignedInfo Reference URI= #123 Admin Bob 25

26 Attack on OpenSAML OpenSAML C++ references the first found element OpenSAML Java references the last found element Extensions Bob Signature SignedInfo Reference Admin Bob Id= 123 Id= 123 URI= #123 Id= 123 Signature SignedInfo Reference URI= #123 Object Id= 123 Bob Admin Bob 26

27 Beyond Signature Wrapping: Signature Exclusion Lame but Worked against: Apache Axis2 JOSSO OpenAthens Admin Bob 27

28 SAML Signature Wrapping Summary Framework / Provider Signature Exclusion Signature Wrapping Apache Axis 2 X X Guanxi Higgins 1.x IBM Datapower XS40 JOSSO X X WIF OIOSAML OpenAM OneLogin OpenAthens OpenSAML Salesforce SimpleSAMLphp WSO2 X X X X X X X X X X Enterprise Applications Danish egovernment Joomla, Wordpress, SugarCRM, Drupal Shibboleth, SwissID 28

29 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

30 Countermeasures General problem: different processing modules different views Signatur Id= 123 Valid / Invalid e SignedI nfo Referen SignatureValue ce DigestVa lue URI= #123 Signature Verification Evaluation User Bob Id-based /// 30

31 Countermeasure 1: Strict Filtering Forward only signed elements Also called see-only-what-is-signed Signature Signature Verification Evaluation 31

32 Countermeasure 2: Data Tainting Signature verification generates a random number r The verified data is tainted with r r is forwarded to the evaluation logic Signature Verification r= xyz Evaluation Signature r = xyz Signature r = xyz 32

33 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

34 Penetration Test Library Considered all the attack vectors: 1. Different permutations of signed / processed s 34

35 Attack Permutations Id= 123 Signature SignedInfo Reference URI= #123 DigestValue SignatureValue Bob There are many possibilities Dependant of its position Dependant of its parent Hard to test manually

36 Penetration Test Library Considered all the attack vectors: 1. Different permutations of signed / processed s 2. Id processing 36

37 Id processing Signature SignedInfo Reference Id= Id= 123 URI= #123 Three possibilities 1. Same Id value 2. Different Id value 3. Remove Id value Object Bob Admin Bob Id= 123 Processing depends on verification and application logic

38 Penetration Test Library Considered all the attack vectors: 1. Different permutations of signed / processed s 2. Id processing 3. Signature exclusion attacks 38

39 Signature Exclusion Attack Id= 123 Signature SignedInfo Reference URI= #123 DigestValue SignatureValue Bob

40 Penetration Test Library Considered all the attack vectors: 1. Different permutations of signed / processed s 2. Id processing 3. Signature exclusion attacks 4. XML Schema extensions Further attacks on Salesforce interface Will be included in our WS-Attacker framework 40

41 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

42 Concept WS-Attacker WS-Attacker Framework Attack Plugins Attack 1 Attack 2 Attack 3 Modular Framework for Web Services Penetration Testing Goals: Easy to use Easy to develop attacks

43 WS-Attacker s Current Attacks SOAPAction Spoofing HTTP: getservertime SOAP: getadminconf Erlaube: getservertime Verbiete: getadminconf WS-Addressing Spoofing Server ReplyTo: Server B Server A XML Signature Wrapping for SOAP SAML over SOAP works fine, Browser/REST based is coming soon XML Denial of Service will be released in Januar XML Encryption Attack is currently developed Server B

44 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

45 Chose Target

46 Load WSDL

47 Send Testrequest

48 Chose Attack

49 Run WS-Attacker

50 Deeper Analysis

51 1. On Breaking SAML 1. Motivation Single Sign-On 2. Securing SAML with XML Signature 3. XML Signature Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 2. WS-Attacker 1. Penetration Test Library 2. Concept: WS-Attacker 3. Practical Evaluation Example 3. Conclusion

52 Conclusion We showed critical Signature Wrappings in SAML 12 out of 14 frameworks affected! All providers informed Huge number of XSW permutations Not easy to find manually Very time consuming when created manually WS-Attacker Automatic penetration testing Open Source New Attacks for XML-DoS and XML Encryption under development 52