On Breaking SAML: Be Whoever You Want to Be

Similar documents
On Breaking SAML: Be Whoever You Want to Be OWASP The OWASP Foundation Juraj Somorovsky and Christian Mainka

On Breaking SAML: Be Whoever You Want to Be

Is SAML An Effective Framework For Secure SSO? Category: Security Technology Secure Access And Defenses

How To Test For A Signature On A Password On A Webmail Website In Java (For Free)

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Penetration Test Tool for XML-based Web Services

JVA-122. Secure Java Web Development

Authentication Context Classes for Levels of Assurance for the Swedish eid Framework

SAML and OAUTH comparison

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

A trusted identity management system is not only essential for ensuring your customers safety and confidence.

Single Sign-On Implementation Guide

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Biometric Single Sign-on using SAML

Compass Security. [The ICT-Security Experts] SAML 2.0 [Beer Talk Berlin 2/16/2016] Stephan Sekula

Biometric Single Sign-on using SAML Architecture & Design Strategies

Interoperate in Cloud with Federation

Automatic Penetration Test Tool for Detection of XML Signature Wrapping Attacks in Web Services

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

XML Signatures in an Enterprise Service Bus Environment

User Identity and Authentication

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Flexible Identity Federation

Copyright: WhosOnLocation Limited

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Securing Cloud Applications Using Windows Azure Access Control

SAML-Based SSO Solution

On the Insecurity of XML Security

Egnyte Single Sign-On (SSO) Installation for OneLogin

The Password Problem Will Only Get Worse

Single Sign-On Implementation Guide

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

Single Sign On. SSO & ID Management for Web and Mobile Applications

Single Sign-On Implementation Guide

Copyright Pivotal Software Inc, of 10

Practical Security Evaluation of SAML-based Single Sign-On Solutions

SAML Authentication Quick Start Guide

Secure Services withapache CXF

Single Sign on Using SAML

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

Using SAML for Single Sign-On in the SOA Software Platform

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Toward campus portal with shibboleth middleware

Lecture Notes for Advanced Web Security 2015

A Centralized Multimodal Unified Authentication Platform for Web-based Application

How To Use Saml 2.0 Single Sign On With Qualysguard

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

IBM WebSphere Application Server

Web Based Single Sign-On and Access Control

Identity Server Guide Access Manager 4.0

Securing Web Services With SAML

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

DocuSign Information Guide. Single Sign On Functionality. Overview. Table of Contents

Web Access Management and Single Sign-On

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

SAM Context-Based Authentication Using Juniper SA Integration Guide

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

IBM WebSphere Application Server

Federated Identity for Cloud Computing and Cross-organization Collaboration

Identity Federation Broker for Service Cloud

SAML single sign-on configuration overview

IAM Application Integration Guide

OIOSAML Rich Client to Browser Scenario Version 1.0

ENTERPRISE MOBILE BACKEND AS A SERVICE EVALUATION CHECKLIST

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

An SAML Based SSO Architecture for Secure Data Exchange between User and OSS

Introduction to SAML

Practical Invalid Curve Attacks on TLS-ECDH

Enhancing Web Application Security

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Access Management Analysis of some available solutions

DIGIPASS as a Service. Product Guide

Trend of Federated Identity Management for Web Services

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Approaches and challenges for a SSO enabled extranet using Jasig CAS. Florian Holzschuher René Peinl

SAML SSO Configuration

Single Sign On Integration Guide. Document version:

Web Single Sign-On Authentication using SAML

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

2 Authentication and identity management services in multi-platform cloud infrastructure

Transcription:

On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky 1, Andreas Mayer 2, Jörg Schwenk 1, Marco Kampmann 1, and Meiko Jensen 1 1 Horst-Görtz Institute for IT-Security, Ruhr-University Bochum 2 Adolf Würth GmbH & Co. KG 1

Motivation Single Sign-On Too many identities / passwords Solution: Single Sign-On Website Visit and redirect Service Provider User: Role: guest User: Role: guest User: Role: guest Identity Provider Advantages: one password for users, no password management for Service Providers 2 2

Motivation Single Sign-On OpenID OAuth Security Markup Language (SAML) OASIS Web Services or browser-based Single Sign-On Authentication Statements stored in s 3 3

Motivation Single Sign-On How do we secure the messages? Does SSL / TLS help? Website Visit and redirect Service Provider User: Role: guest User: Role: guest User: Role: guest Identity Provider Messages secured only during transport! 4 4

Motivation Single Sign-On Does SSL / TLS help? Website Visit and redirect Service Provider User: Admin Role: Admin guest User: Admin Role: Admin guest User: Role: guest Identity Provider Need for message level security! 5 5

Motivation Single Sign-On Message level security? Website Visit and redirect Service Provider User: Role: guest User: Role: guest User: Role: guest Identity Provider Realized using XML s Are we secure? 6 6

Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 7 7

SAML <saml: ID="123"> <saml:issuer>www.secureidp.com</saml:issuer> <saml:> <saml:nameid>@secureidp.com</saml:nameid> </saml:> <saml:conditions NotBefore="2011-08-08T14:42:00Z" NotOnOrAfter="2011-08-08T14:47:00Z"> <saml:audiencerestriction> <saml:audience> www.securesp.com</saml:audience> </saml:audiencerestriction> </saml:conditions> </saml:> Issuer SecureIdP NameID Conditions Audience SecureSP 8 8

Securing SAML with XML Two typical usages Id= 123 SignedInfo Reference URI= #123 DigestValue Value Id= 123 SignedInfo Reference URI= #123 DigestValue Value 9 9

Securing SAML with XML Naive (typical) processing: 1. validation: Id-based 2. evaluation: /// SignedInfo Reference DigestValue Id= 123 URI= #123 Value Signatur e SignedI nfo Referen Value ce DigestVa lue Id= 123 URI= #123 Verification valid Evaluation 10 10

Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 11 11

XML Wrapping Attack on SAML Id= 123 Id= evil SignedInfo Reference URI= #123 Id= 123 1. Place the original including its element into another element 2. Change the Id of the original element 3. The Reference now points to the original element: signature is valid 4. Insert a new Admin 12 12

XML Wrapping Attack on SAML SignedInfo Reference Id= 123 Id= evil URI= #123 Id= 123 Signat ure Signe dinfo Refer ence Admin Id= 123 Id= evil URI= #123 Id= 123 Verification Admin valid Evaluation Admin 13 13

XML Wrapping Attack on SAML Threat model Change arbitrary data in the :, Timestamp... Attacker: everybody who can gain a signed... 1. Registering by the Identity Provider 2. Message eavesdropping 3. Google Hacking Single Point of Failure! 14 14

XML Wrapping Attack on SAML How about them? Framework / Provider Application Apache Axis 2 SOAP WSO2 Web Services Guanxi HTTP Sakai Project (www.sakaiproject.org) Higgins 1.x HTTP Identity project IBM Datapower XS40 SOAP Enterprise XML Security Gateway JOSSO HTTP Motorola, NEC, Redhat WIF HTTP Microsoft Sharepoint 2010 OIOSAML HTTP Danish egovernment (e.g. www.virk.dk) OpenAM HTTP Enterprise-Class Open Source SSO OneLogin HTTP Joomla, Wordpress, SugarCRM, Drupal OpenAthens HTTP UK Federation (www.eduserv.org.uk) OpenSAML HTTP Shibboleth, SuisseID Salesforce HTTP Cloud Computing and CRM SimpleSAMLphp HTTP Danish e-id Federation (www.wayf.dk) WSO2 HTTP ebay, Deutsche Bank, HP 15 15

Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 16 16

XML Wrapping Attack on SAML Results Guanxi, JOSSO WSO2 Id= 123 Id= evil SignedInfo Reference URI= #123 Id= 123 Admin SignedInfo Reference Admin Id= 123 Id= evil Id= 123 URI= #123 17 17

XML Wrapping Attack on SAML Results Higgins, Apache Axis2, IBM XS 40 OpenAM, Salesforce Id= evil Id= evil Admin Admin SignedInfo Id= 123 SignedInfo Reference URI= #123 Reference URI= #123 Id= 123 18 18

Attack on OpenSAML Is Wrapping always that easy? OpenSAML implemented a few countermeasures: 1. Checked if the signed assertion has the same ID value as the processed one 2. Validated XML Schema Not possible to insert two elements with the same ID values 19 19

Attack on OpenSAML 1. ID values checking: Basic idea using two identical ID values 2. XML Schema validation: 1. Put the into an extensible element (e.g. <Extensions>) 2. Two identical ID attributes (XML Xerces Parser bug) Which element is verified? C++ takes the first found element OpenSAML C++ Extensions Id= 123 Id= 123 SignedInfo Reference URI= #123 Admin 20 20

Attack on OpenSAML OpenSAML C++ references the first found element OpenSAML Java references the last found element Extensions SignedInfo Reference Admin Id= 123 Id= 123 URI= #123 Id= 123 SignedInfo Reference URI= #123 Object Id= 123 Admin 21 21

Beyond Wrapping: Exclusion Lame but Worked against: Apache Axis2 JOSSO OpenAthens Admin 22 22

SAML Wrapping Summary Framework / Provider Exclusion Wrapping Apache Axis 2 X X Guanxi X Higgins 1.x X IBM Datapower XS40 X JOSSO X X WIF OIOSAML X OpenAM X OneLogin X OpenAthens X OpenSAML X Salesforce X SimpleSAMLphp WSO2 X Enterprise Applications Danish egovernment Joomla, Wordpress, SugarCRM, Drupal Shibboleth, SwissID 23 23

Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 24 24

Penetration Test Library Considered all the attack vectors: 1. Different permutations of signed / processed s 2. Id processing 3. exclusion attacks 4. XML Schema extensions Further attacks on Salesforce interface Will be included in our WS-Attacker framework http://ws-attacker.sourceforge.net/ 25 25

Overview 1. Securing SAML with XML 2. XML Wrapping Attacks 3. Practical Evaluation 4. Penetration Test Library 5. Countermeasures 6. Conclusion 26 26

Countermeasures General problem: different processing modules have different views on documents Signatur Id= 123 Valid / Invalid e SignedI nfo Referen ce DigestVa lue Value URI= #123 Verification Evaluation User Id-based /// 27 27

Countermeasure 1: Strict Filtering Forward only signed elements Also called see-only-what-is-signed Verification Evaluation 28 28

Countermeasure 2: Data Tainting verification generates a random number r The verified data is tainted with r r is forwarded to the evaluation logic Verification r= xyz Evaluation r = xyz r = xyz 29 29

Overview 1. SAML 2. Securing SAML with XML 3. XML Wrapping Attacks 4. Practical Evaluation 5. Countermeasures 6. Conclusion 30 30

Conclusion We showed critical Wrappings in SAML, 12 out of 14 frameworks affected! All providers informed Wrapping known since 2005, but: Not in focus of research community Nearly all implementations are vulnerable Not easy to fix: many permutations, vulnerable libraries Be aware of Wrapping when applying: In Web Services SAML Beyond XML: Could be applied in all the scenarios where different processing modules have different views on documents 31 31

Thank you for your attention Juraj Somorovsky 1, Andreas Mayer 2, Jörg Schwenk 1, Marco Kampmann 1, and Meiko Jensen 1 1 Horst-Görtz Institute for IT-Security, Ruhr-University Bochum 2 Adolf Würth GmbH & Co. KG 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information