How to use Burp Suite to verify SAML Signature Wrapping attack

Posted by RITVN on February 16, 2018

  • Written by Huỳnh Huy Phong (HHP) from the Safewhere team

The Security Assertion Markup Language (SAML) is widely used to deploy Single Sign-On and identity federation solutions. In the usual flow, the SAML response certifying the user's identity is passed through the web browser, and an XML signature protects it against tampering. However, a family of XML Signature Wrapping (XSW) vulnerabilities in SAML implementations was described in 2012 (On Breaking SAML: Be Whoever You Want to Be): the service provider verifies the signature over one element but consumes identity data from a different, unsigned element that the attacker injected.

In this post, we use SAML Raider, a Burp Suite extension, to perform XML Signature Wrapping (XSW) attacks. It offers the following eight variants:

  • XSW1 – Applies to SAML Response messages. Adds a cloned unsigned copy of the Response after the existing signature.

  • XSW2 – Applies to SAML Response messages. Adds a cloned unsigned copy of the Response before the existing signature.

  • XSW3 – Applies to SAML Assertion messages. Adds a cloned unsigned copy of the Assertion before the existing Assertion.

  • XSW4 – Applies to SAML Assertion messages. Adds a cloned unsigned copy of the Assertion after the existing Assertion.

  • XSW5 – Applies to SAML Assertion messages. Changes a value in the signed copy of the Assertion and adds a copy of the original Assertion, with the signature removed, at the end of the SAML message.

  • XSW6 – Applies to SAML Assertion messages. Changes a value in the signed copy of the Assertion and adds a copy of the original Assertion, with the signature removed, after the original signature.

  • XSW7 – Applies to SAML Assertion messages. Adds an "Extensions" block containing a cloned unsigned Assertion.

  • XSW8 – Applies to SAML Assertion messages. Adds an "Object" block containing a copy of the original Assertion with the signature removed.

First, open Burp Suite, browse to Extender –> BApp Store, choose the SAML Raider extension and select Install.

For repeated attempts, it helps to intercept only the single endpoint that receives the SAML 2.0 response, using Burp's interception options (Proxy –> Options –> Intercept Client Requests) to match that URL.

Now modify the SAML assertion, which the browser received from the Identity Provider (IdP) and is posting on to the Service Provider (SP): in the SAML Raider tab of the intercepted request, choose XSW3 and select "Apply XSW", then forward the request.

The result from the web application shows that it rejected the wrapped message, which means its XML signature validation is handling this variant correctly. Had the SP accepted the message and logged us in with the values from the unsigned clone, it would be vulnerable. Repeat the test with each of the other XSW variants, since an SP can handle one of them correctly and still fail another.
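To make concrete what the XSW3 transformation from the variant list does to the message, and why the outcome of the test above depends on how the SP locates the assertion it trusts, here is an added Python example; it is not code from the original post or from SAML Raider. It builds a constructed, namespace-free SAML-like response, applies the XSW3 transformation, and runs the result through two SP-side validators: a naive one that verifies a signature but reads the identity from the first Assertion it finds, and a hardened one that rejects multiple assertions and consumes only the element the verified signature covers. The XML signature is simplified to a SHA-256 digest over the assertion with its enveloped Signature element stripped, standing in for real XMLDSig canonicalisation and RSA verification; the element names, the IDs (`_r1`, `_a1`, `_evil`) and the user names are all assumptions of the demo.

```python
"""XSW3 demo (added example): unsigned Assertion clone inserted before the
signed one, checked against a naive and a hardened SP-side validator.

Simplifications (assumptions of this demo, not real SAML):
  - no SAML/XMLDSig namespaces;
  - the "signature" is a SHA-256 digest of the assertion with its own
    <Signature> removed (enveloped-signature transform), so there is no
    canonicalisation and no RSA key; this models only "the signed element
    is intact", which is exactly the property XSW attacks do not break.
"""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET


def _digest(elem):
    """Digest over an element with its own <Signature> stripped."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return base64.b64encode(hashlib.sha256(ET.tostring(clone)).digest()).decode()


def build_signed_response(name_id="alice", assertion_id="_a1"):
    """Constructed sample IdP response: one Assertion carrying its own Signature."""
    resp = ET.Element("Response", ID="_r1")
    assertion = ET.SubElement(resp, "Assertion", ID=assertion_id)
    ET.SubElement(ET.SubElement(assertion, "Subject"), "NameID").text = name_id
    digest = _digest(assertion)  # computed before the Signature is attached
    sig = ET.SubElement(assertion, "Signature")
    ref = ET.SubElement(ET.SubElement(sig, "SignedInfo"), "Reference", URI="#" + assertion_id)
    ET.SubElement(ref, "DigestValue").text = digest
    return ET.tostring(resp).decode()


def apply_xsw3(response_xml, evil_name_id="admin"):
    """XSW3: insert an unsigned clone of the Assertion *before* the signed one.
    The clone gets the ID "_evil" here (a choice of this demo, not a statement
    about SAML Raider's exact output) and a different NameID."""
    root = ET.fromstring(response_xml)
    signed = root.find("Assertion")
    evil = copy.deepcopy(signed)
    for sig in evil.findall("Signature"):
        evil.remove(sig)
    evil.set("ID", "_evil")
    evil.find("Subject/NameID").text = evil_name_id
    root.insert(list(root).index(signed), evil)
    return ET.tostring(root).decode()


def _elements_by_id(root, elem_id):
    return [e for e in root.iter() if e.get("ID") == elem_id]


def _verify_signature(root):
    """Require exactly one Signature whose Reference URI resolves to exactly
    one element with a matching digest. Returns the element actually covered."""
    sigs = root.findall(".//Signature")
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature")
    ref = sigs[0].find("SignedInfo/Reference")
    matches = _elements_by_id(root, ref.get("URI").lstrip("#"))
    if len(matches) != 1:
        raise ValueError("Reference URI must resolve to exactly one element")
    if _digest(matches[0]) != ref.findtext("DigestValue"):
        raise ValueError("digest mismatch")
    return matches[0]


def naive_sp_name_id(response_xml):
    """Vulnerable pattern: confirm that *a* signature is valid, then read the
    identity from the first Assertion found, which need not be the signed one."""
    root = ET.fromstring(response_xml)
    _verify_signature(root)
    return root.find("Assertion").findtext("Subject/NameID")


def hardened_sp_name_id(response_xml):
    """Mitigation: reject more than one Assertion, then take the identity only
    from the element the verified signature covers."""
    root = ET.fromstring(response_xml)
    if len(root.findall(".//Assertion")) != 1:
        raise ValueError("multiple Assertion elements: possible signature wrapping")
    covered = _verify_signature(root)
    if covered.tag != "Assertion":
        raise ValueError("signature does not cover an Assertion")
    return covered.findtext("Subject/NameID")


if __name__ == "__main__":
    good = build_signed_response()
    wrapped = apply_xsw3(good)
    print("naive SP, original    :", naive_sp_name_id(good))
    print("naive SP, XSW3        :", naive_sp_name_id(wrapped))
    print("hardened SP, original :", hardened_sp_name_id(good))
    try:
        hardened_sp_name_id(wrapped)
    except ValueError as err:
        print("hardened SP, XSW3     : rejected ->", err)
```

Running the script directly shows the naive validator accepting the wrapped message with the clone's identity while the hardened one rejects it, and a plain edit of the signed assertion's NameID is caught by both through the digest check. In a real SP the same structural rules (one Assertion, one Signature, a Reference that resolves to exactly one element, identity read only from that element) sit on top of a proper XMLDSig library; the digest stand-in here only models the part that XSW leaves intact.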
