XML signature wrapping attacks


Ayush Agrawal
May 13, 2022, 5:18:00 AM
to SimpleSAMLphp
Hi,

Basic background:
  • Implemented SimpleSAMLphp version 1.18.7 on the Yii1 framework as a service provider.
  • While doing SSO I am able to successfully log in to the system.
I want to validate the SAML response returned from the IdP against XML Signature wrapping attacks.
  • XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.

[attached image: image_0.png]

Tim van Dijen
May 16, 2022, 2:47:52 AM
to SimpleSAMLphp
Hi Ayush,

You don't have to worry about that.. Our SAML library is hardened against signature wrapping attacks.

- Tim

On Friday, 13 May 2022 at 11:18:00 UTC+2, Ayush Agrawal wrote:

Ayush Agrawal
May 16, 2022, 3:56:39 AM
to SimpleSAMLphp
Hi,

Thank you so much for your response. Actually, I am successfully able to log in after applying the XSW1-type assertion from Burp Suite, which I had mentioned above. So I want to manually add validation which checks the SAML response for multiple assertions.
Apart from the above, it would be great if you could help me out with how to decode the encoded SAML response into XML form via PHP.
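The two things asked for above, decoding the HTTP-POST SAMLResponse into a DOM and refusing a message that carries more than one Assertion, as an added example in plain PHP. This is not SimpleSAMLphp or Yii code and it does not replace the library's signature verification: it assumes the library has already verified the signature cryptographically and only answers the question "is the element I am about to consume the element that was signed?". The sample Response at the bottom is constructed for the demo, and its ds:SignatureValue is a placeholder, not a real signature.

```php
<?php
// Added example (not SimpleSAMLphp/Yii code). Decode a SAMLResponse and check
// the document layout against signature wrapping before consuming the Assertion.
// Assumes cryptographic signature verification has already been done elsewhere.
declare(strict_types=1);

const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';
const NS_DS    = 'http://www.w3.org/2000/09/xmldsig#';

/** Decode the base64 SAMLResponse form field into a DOMDocument (no DTD, no network). */
function decodeSamlResponse(string $base64): DOMDocument
{
    $xml = base64_decode($base64, true);
    if ($xml === false) {
        throw new RuntimeException('SAMLResponse is not valid base64');
    }
    $dom = new DOMDocument();
    $dom->preserveWhiteSpace = false;
    libxml_use_internal_errors(true);
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately NOT set,
    // so entities are never substituted. A DOCTYPE has no place in a SAML message.
    if (!$dom->loadXML($xml, LIBXML_NONET) || $dom->doctype !== null) {
        throw new RuntimeException('SAMLResponse is not acceptable XML');
    }
    return $dom;
}

/**
 * Return the single Assertion the SP may consume, or throw.
 * Rules: the document element is the only samlp:Response, it holds exactly one
 * saml:Assertion, ID attributes are unique, and every ds:Reference points (#ID)
 * at the Response or Assertion that directly encloses its ds:Signature.
 */
function consumableAssertion(DOMDocument $dom): DOMElement
{
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('saml', NS_SAML);
    $xp->registerNamespace('ds', NS_DS);

    $response = $dom->documentElement;
    if ($response === null || $response->namespaceURI !== NS_SAMLP || $response->localName !== 'Response'
        || $xp->query('//samlp:Response')->length !== 1) {
        throw new RuntimeException('expected exactly one samlp:Response as document element');
    }
    $assertions = $xp->query('//saml:Assertion');
    if ($assertions->length !== 1) {
        throw new RuntimeException('expected exactly one saml:Assertion, found ' . $assertions->length);
    }
    /** @var DOMElement $assertion */
    $assertion = $assertions->item(0);
    if (!$assertion->parentNode->isSameNode($response)) {
        throw new RuntimeException('Assertion must be a direct child of the Response');
    }

    $seen = [];                       // duplicate IDs are the classic wrapping tell
    foreach ($xp->query('//*[@ID]') as $el) {
        $id = $el->getAttribute('ID');
        if (isset($seen[$id])) {
            throw new RuntimeException("duplicate ID attribute: $id");
        }
        $seen[$id] = true;
    }

    $signedRefs = 0;
    foreach ($xp->query('//ds:Signature') as $sig) {
        $parent = $sig->parentNode;   // enveloped signature: parent is what it covers
        if (!$parent instanceof DOMElement
            || !($parent->isSameNode($response) || $parent->isSameNode($assertion))) {
            throw new RuntimeException('Signature found in an unexpected position');
        }
        foreach ($xp->query('ds:SignedInfo/ds:Reference', $sig) as $ref) {
            $uri = $ref->getAttribute('URI');
            if ($uri !== '#' . $parent->getAttribute('ID')) {
                throw new RuntimeException("Reference $uri does not cover the element enclosing its Signature");
            }
            $signedRefs++;
        }
    }
    if ($signedRefs === 0) {
        throw new RuntimeException('neither the Response nor the Assertion is signed');
    }
    return $assertion;
}

// Constructed sample: one Assertion, enveloped signature referencing its own ID.
$sample = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
XML;

$ok = consumableAssertion(decodeSamlResponse(base64_encode($sample)));
echo 'accepted NameID: ', $ok->getElementsByTagNameNS(NS_SAML, 'NameID')->item(0)->textContent, "\n";

// The same message with a second, unsigned Assertion appended is refused.
$extra = '<saml:Assertion ID="_a2" Version="2.0"><saml:Subject><saml:NameID>bob</saml:NameID>'
       . '</saml:Subject></saml:Assertion></samlp:Response>';
try {
    consumableAssertion(decodeSamlResponse(base64_encode(str_replace('</samlp:Response>', $extra, $sample))));
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the Reference check is that an XML signature covers whatever element its `URI="#id"` names, not "the Response" as a whole, so the SP must consume exactly that element and nothing else in the document. Counting Response and Assertion elements, requiring unique IDs, and requiring the Signature to sit inside the element it references closes the layouts where a signed copy is hidden elsewhere in the document while an unsigned copy is processed.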


Tim van Dijen
May 16, 2022, 5:54:03 AM
to SimpleSAMLphp

But are you able to impersonate someone else?
On Monday, 16 May 2022 at 09:56:39 UTC+2, Ayush Agrawal wrote:

Ayush Agrawal
May 16, 2022, 6:00:41 AM
to SimpleSAMLphp
While trying to impersonate someone else it won't let me log in.

Tim van Dijen
May 16, 2022, 6:02:26 AM
to SimpleSAMLphp
Good, then there is no vulnerability..

On Monday, 16 May 2022 at 12:00:41 UTC+2, Ayush Agrawal wrote:

Ayush Agrawal
May 16, 2022, 6:03:12 AM
to SimpleSAMLphp
I am manipulating the Assertion value DOM marked in red in the image below.
[attached image: image_0.png]

Ayush Agrawal
May 16, 2022, 6:04:54 AM
to SimpleSAMLphp
Thank you for such a quick response. So you're suggesting that I am good to go and there is no need to add additional validation for these multiple assertions.

Tim van Dijen
May 16, 2022, 6:09:05 AM
to SimpleSAMLphp
> Thank you for such a quick response
You are welcome, but you didn't really leave me a choice when discussing possible security vulnerabilities on a public mailing list ;-)

Anyway, yes, you are good to go and you don't have to perform additional validations!

On Monday, 16 May 2022 at 12:04:54 UTC+2, Ayush Agrawal wrote: