How to use Burp Suite to verify SAML Signature Wrapping attack
- Written by Huỳnh Huy Phong (HHP) from Safewhere team *
The Security Assertion Markup Language (SAML) is widely used to deploy Single Sign-On and federation identity solutions. The usual mechanism for this passes the SAML response certifying the user’s identity through the web browser, using a signature to prevent tampering. However, there ’re some XML signature wrapping (XSW) vulnerabilities in SAML protocol which were described in 2012 (On Breaking SAML: Be Whoever You Want to Be).
In this post, we will use SAML Raider which is an extension of Burp Suite to perform the XML Signature Wrapping (XSW) attacks that provides us the following:
- XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.
- XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature.
- XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion.
- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion after the existing Assertion.
- XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message.
- XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature.
- XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion.
- XSW8 – Applies to SAML Assertion messages. Add an “Object” block containing a copy of the original assertion with the signature removed.
At first, we open the Burp Suite,then browse to Extender–> BApp store, choose the extension: SAML Raider and select Install:
For the repeated attempts, you may benefit from intercepting a single endpoint for the SAML2.0 response in Burp using interception options like this:
Now let’s modify the SAML Assertion, which is received from the Identity Provider (IdP) and is sent from the browser to the Service Provider (SP) at the SAML Raider tab where I choose: XSW3 and select “Apply XSW”
The result from the below web application means it is doing XML validation check correctly
We are hiring
Would you like to work with the coolest IT guys in Vietnam? Apply to one of the following jobs:
Job requires a high level of technical skills and experience within Microsoft technologies and offers high salary, exciting projects, and constant challenges in terms of technology and design.
Tell me moreWant to have fun developing innovative Xamarin products? We are developing a number of exciting games and social applications of our own as well as supporting third party clients.
Tell me moreJob requires both good English as well as the ability to understand complex technical subjects and systems. You will mainly be writing SEO articles and guidelines for our many products.
Tell me moreWe are looking to fill Developer positions with a new team that uses JavaScript, TypeScript, HTML5, AngularJS.
Knowing Ionic framework or NodeJs is a plus, but is not mandatory.
2 Senior Developer positions in an Offshore Development Center team. You will work directly with a Danish Project Manager at our Vietnam office. The initial project is for a multinational French company.
Tell me more1 Senior QA/Test Engineer in an Offshore Development Center team. You will work directly with a Danish Project Manager at our Vietnam office. The initial project is for a multinational French company.
Tell me more