On Breaking SAML: Be Whoever You Want to Be

Transcription

1 On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky 1, Andreas Mayer 2, Jörg Schwenk 1, Marco Kampmann 1, and Meiko Jensen 1 1 Horst-Görtz Institute for IT-Security, Ruhr-University Bochum 2 Adolf Würth GmbH & Co. KG 1

2 Motivation Single Sign-On Too many identities / passwords Solution: Single Sign-On Website Visit and redirect Service Provider User: Role: guest User: Role: guest User: Role: guest Identity Provider Advantages: one password for users, no password management for Service Providers 2 2

3 Motivation Single Sign-On OpenID OAuth Security Markup Language (SAML) OASIS Web Services or browser-based Single Sign-On Authentication Statements stored in s 3 3

4 Motivation Single Sign-On How do we secure the messages? Does SSL / TLS help? Website Visit and redirect Service Provider User: Role: guest User: Role: guest User: Role: guest Identity Provider Messages secured only during transport! 4 4

5 Motivation Single Sign-On Does SSL / TLS help? Website Visit and redirect Service Provider User: Admin Role: Admin guest User: Admin Role: Admin guest User: Role: guest Identity Provider Need for message level security! 5 5

6 Motivation Single Sign-On Message level security? Website Visit and redirect Service Provider User: Role: guest User: Role: guest User: Role: guest Identity Provider Realized using XML s Are we secure? 6 6

7 Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 7 7

8 SAML <saml: ID="123"> <saml:issuer> <saml:> </saml:> <saml:conditions NotBefore=" T14:42:00Z" NotOnOrAfter=" T14:47:00Z"> <saml:audiencerestriction> <saml:audience> </saml:audiencerestriction> </saml:conditions> </saml:> Issuer SecureIdP NameID Conditions Audience SecureSP 8 8

9 Securing SAML with XML Two typical usages Id= 123 SignedInfo Reference URI= #123 DigestValue Value Id= 123 SignedInfo Reference URI= #123 DigestValue Value 9 9

10 Securing SAML with XML Naive (typical) processing: 1. validation: Id-based 2. evaluation: /// SignedInfo Reference DigestValue Id= 123 URI= #123 Value Signatur e SignedI nfo Referen Value ce DigestVa lue Id= 123 URI= #123 Verification valid Evaluation 10 10

11 Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 11 11

12 XML Wrapping Attack on SAML Id= 123 Id= evil SignedInfo Reference URI= #123 Id= Place the original including its element into another element 2. Change the Id of the original element 3. The Reference now points to the original element: signature is valid 4. Insert a new Admin 12 12

13 XML Wrapping Attack on SAML SignedInfo Reference Id= 123 Id= evil URI= #123 Id= 123 Signat ure Signe dinfo Refer ence Admin Id= 123 Id= evil URI= #123 Id= 123 Verification Admin valid Evaluation Admin 13 13

14 XML Wrapping Attack on SAML Threat model Change arbitrary data in the :, Timestamp... Attacker: everybody who can gain a signed Registering by the Identity Provider 2. Message eavesdropping 3. Google Hacking Single Point of Failure! 14 14

15 XML Wrapping Attack on SAML How about them? Framework / Provider Application Apache Axis 2 SOAP WSO2 Web Services Guanxi HTTP Sakai Project ( Higgins 1.x HTTP Identity project IBM Datapower XS40 SOAP Enterprise XML Security Gateway JOSSO HTTP Motorola, NEC, Redhat WIF HTTP Microsoft Sharepoint 2010 OIOSAML HTTP Danish egovernment (e.g. OpenAM HTTP Enterprise-Class Open Source SSO OneLogin HTTP Joomla, Wordpress, SugarCRM, Drupal OpenAthens HTTP UK Federation ( OpenSAML HTTP Shibboleth, SuisseID Salesforce HTTP Cloud Computing and CRM SimpleSAMLphp HTTP Danish e-id Federation ( WSO2 HTTP ebay, Deutsche Bank, HP 15 15

16 Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 16 16

17 XML Wrapping Attack on SAML Results Guanxi, JOSSO WSO2 Id= 123 Id= evil SignedInfo Reference URI= #123 Id= 123 Admin SignedInfo Reference Admin Id= 123 Id= evil Id= 123 URI= #

18 XML Wrapping Attack on SAML Results Higgins, Apache Axis2, IBM XS 40 OpenAM, Salesforce Id= evil Id= evil Admin Admin SignedInfo Id= 123 SignedInfo Reference URI= #123 Reference URI= #123 Id=

19 Attack on OpenSAML Is Wrapping always that easy? OpenSAML implemented a few countermeasures: 1. Checked if the signed assertion has the same ID value as the processed one 2. Validated XML Schema Not possible to insert two elements with the same ID values 19 19

20 Attack on OpenSAML 1. ID values checking: Basic idea using two identical ID values 2. XML Schema validation: 1. Put the into an extensible element (e.g. <Extensions>) 2. Two identical ID attributes (XML Xerces Parser bug) Which element is verified? C++ takes the first found element OpenSAML C++ Extensions Id= 123 Id= 123 SignedInfo Reference URI= #123 Admin 20 20

21 Attack on OpenSAML OpenSAML C++ references the first found element OpenSAML Java references the last found element Extensions SignedInfo Reference Admin Id= 123 Id= 123 URI= #123 Id= 123 SignedInfo Reference URI= #123 Object Id= 123 Admin 21 21

22 Beyond Wrapping: Exclusion Lame but Worked against: Apache Axis2 JOSSO OpenAthens Admin 22 22

23 SAML Wrapping Summary Framework / Provider Exclusion Wrapping Apache Axis 2 X X Guanxi X Higgins 1.x X IBM Datapower XS40 X JOSSO X X WIF OIOSAML X OpenAM X OneLogin X OpenAthens X OpenSAML X Salesforce X SimpleSAMLphp WSO2 X Enterprise Applications Danish egovernment Joomla, Wordpress, SugarCRM, Drupal Shibboleth, SwissID 23 23

24 Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 24 24

25 Penetration Test Library Considered all the attack vectors: 1. Different permutations of signed / processed s 2. Id processing 3. exclusion attacks 4. XML Schema extensions Further attacks on Salesforce interface Will be included in our WS-Attacker framework

26 Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 26 26

27 Countermeasures General problem: different processing modules have different views on documents Signatur Id= 123 Valid / Invalid e SignedI nfo Referen ce DigestVa lue Value URI= #123 Verification Evaluation User Id-based /// 27 27

28 Countermeasure 1: Strict Filtering Forward only signed elements Also called see-only-what-is-signed Verification Evaluation 28 28

29 Countermeasure 2: Data Tainting verification generates a random number r The verified data is tainted with r r is forwarded to the evaluation logic Verification r= xyz Evaluation r = xyz r = xyz 29 29

30 Overview 1. SAML 2. Securing SAML with XML 3. XML Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 6. Conclusion 30 30

31 Conclusion We showed critical Wrappings in SAML, 12 out of 14 frameworks affected! All providers informed Wrapping known since 2005, but: Not in focus of research community Nearly all implementations are vulnerable Not easy to fix: many permutations, vulnerable libraries Be aware of Wrapping when applying: In Web Services SAML Beyond XML: Could be applied in all the scenarios where different processing modules have different views on documents 31 31

32 Thank you for your attention Juraj Somorovsky 1, Andreas Mayer 2, Jörg Schwenk 1, Marco Kampmann 1, and Meiko Jensen 1 1 Horst-Görtz Institute for IT-Security, Ruhr-University Bochum 2 Adolf Würth GmbH & Co. KG 32