Hacking SAML Part: 2

Required Tools :

• SAML Raider - burp extension (Includes “SAML Raider certificates” tab)

• SAML Editor - burp extension

• SAML tracer - browser plugin

Common Findings :

1. SAML Certificate Validity

2. SAML Signature Validation

3. XML Signature Wrapping

4. Message Replay

5. SAML RelayState URI Not Validated

6. SAML External Entity Injection

7. Access Control Checks

8. Reauthentication and Session Validation

9. Unsigned Logout Request

10. XSS in SAML Implementation

---

Now Let’s deep dive , how to perform the above test cases with the help of above mentioned burpsuite extensions:

SAML Certificate Validity :

Description : SAML messages should contain a timestamp of when the request was issued, when it expires or both. If the SAML message never expires or if the expiration is not honored, there is a greater risk of a message falling into the hands of an attacker. Check the message for timestamps, such as an IssueInstant or NotOnOrAfter assertion.

Remediation : It is recommended to keep the expiration window within 1-5 minutes and must not allow the message to be reproduced.

Steps to check this bug :

• Navigate to burp and send the SAML request to repeater and install the SAML Raider extension.

• Observe if the expiration window is reasonable, like 1-5 minutes.

• Now , again try to send the request after the expiration window, and verify the response is valid or not.

• If the response is valid → we need to let the developer know to fix the issue……………

  

  Now Let's Dive into more vulnerabilities of SAML …………..... Part 3... Coming Soon... 🚀