On Breaking SAML: Be Whoever You Want to Be
Juraj Somorovsky, 21st USENIX Security Symposium (slides)

Juraj Somorovsky (1), Andreas Mayer (2), Jörg Schwenk (1), Marco Kampmann (1), and Meiko Jensen (1)
(1) Horst-Görtz Institute for IT-Security, Ruhr-University Bochum
(2) Adolf Würth GmbH & Co. KG
Motivation – Single Sign-On

[Figure: Single Sign-On flow between the user, a Service Provider and an Identity Provider: website visit and redirect to the Identity Provider, which issues the statement "User: Bob, Role: guest" that is passed back to the Service Provider.]

• Too many identities / passwords
• Solution: Single Sign-On
• Advantages: one password for users, no password management for Service Providers
Motivation – Single Sign-On

• OpenID
• OAuth
• Security Assertion Markup Language (SAML)
  • OASIS standard
  • Web Services or browser-based Single Sign-On
  • Authentication statements are stored in Assertions
Motivation – Single Sign-On

• How do we secure the messages?
• Does SSL / TLS help?
  • Messages are secured only during transport!

[Figure: the same Single Sign-On flow; the statement "User: Bob, Role: guest" is protected by TLS on each hop, but not at the endpoints in between.]
Motivation – Single Sign-On

• Does SSL / TLS help?
  • No: the user's browser sits between the two TLS connections and can rewrite the message. Need for message level security!

[Figure: the same flow; the Identity Provider issues "User: Bob, Role: guest", but the Service Provider receives "User: Admin, Role: Admin".]
Motivation – Single Sign-On

• Message level security?
  • Realized using XML Signatures
• Are we secure?

[Figure: the same flow with a signed statement "User: Bob, Role: guest"; the question is whether the substitution "User: Admin, Role: Admin" is now prevented.]
Overview

1. Securing SAML with XML Signature
2. XML Signature Wrapping Attacks
3. Practical Evaluation
4. Penetration Test Library
5. Countermeasures
6. Conclusion
SAML Assertion

```xml
<saml:Assertion ID="123">
  <saml:Issuer>www.SecureIdP.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>[email protected]</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-08-08T14:42:00Z" NotOnOrAfter="2011-08-08T14:47:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>www.SecureSP.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
```

[Figure: tree view of the Assertion: Issuer = SecureIdP, Subject/NameID = Bob, Conditions/AudienceRestriction/Audience = SecureSP.]
Securing SAML with XML Signature

• Two typical usages: the Signature element is placed either inside the Assertion it protects (enveloped signature) or next to the Assertion in the enclosing Binding element (e.g. the SAML Response). In both cases SignedInfo carries a Reference with URI="#123" that points at the element with Id="123", the DigestValue of that element, and the SignatureValue is computed over SignedInfo.

[Figure: the two layouts side by side. Left: Binding > Assertion (Id="123", Subject = Bob) > Signature. Right: Binding > Assertion (Id="123", Subject = Bob) and Binding > Signature. In both: Signature > SignedInfo > Reference URI="#123" > DigestValue, and Signature > SignatureValue.]
Securing SAML with XML Signature

• Naive (typical) processing:
  1. Signature validation: Id-based. The Reference URI="#123" is resolved to the element carrying Id="123", and the digest and signature are checked on that element.
  2. Assertion evaluation: the application reads the Subject via the fixed path /Binding/Assertion/Subject.
• The two steps use different lookups (an Id for verification, a path for evaluation), and nothing ties the element found by Id to the element found by path.

[Figure: Signature Verification and Assertion Evaluation as two separate modules over the same Binding (Assertion Id="123", Subject = Bob, Signature with Reference URI="#123"). Verification reports "valid"; evaluation reports "Bob".]
2. XML Signature Wrapping Attacks
XML Signature Wrapping Attack on SAML

1. Place the original Assertion, including its Binding element, into another (wrapper) element
2. Change the Id at the original position to a fresh value (Id="evil"), so that only the signed element still carries Id="123"
3. The Reference URI="#123" still resolves to the original element: the signature is valid
4. Insert a new Assertion (Subject = Admin) at the position the Service Provider evaluates

[Figure: left, the original message: Binding > Assertion (Id="123", Subject = Bob), Signature > SignedInfo > Reference URI="#123". Right, the wrapped message: Binding > Assertion (Id="evil", Subject = Admin), a wrapper holding the original Binding > Assertion (Id="123", Subject = Bob), and the unchanged Signature.]
XML Signature Wrapping Attack on SAML

[Figure: the wrapped message processed by the two modules. Signature Verification resolves #123 to the wrapped original Assertion (Id="123", Subject = Bob): valid. Assertion Evaluation follows /Binding/Assertion/Subject and reads the forged Assertion (Id="evil"): Admin.]
XML Signature Wrapping Attack on SAML – Threat model

• The attacker can change arbitrary data in the Assertion: Subject, timestamps, ...
• Attacker: everybody who can obtain a signed Assertion, e.g. by
  1. Registering with the Identity Provider
  2. Eavesdropping on messages
  3. Google hacking (signed Assertions that ended up indexed by a search engine)
• Single point of failure!
XML Signature Wrapping Attack on SAML

• Are these implementations affected?

| Framework / Provider | Binding | Application |
|---|---|---|
| Apache Axis 2 | SOAP | WSO2 Web Services |
| Guanxi | HTTP | Sakai Project (www.sakaiproject.org) |
| Higgins 1.x | HTTP | Identity project |
| IBM Datapower XS40 | SOAP | Enterprise XML Security Gateway |
| JOSSO | HTTP | Motorola, NEC, Redhat |
| WIF | HTTP | Microsoft Sharepoint 2010 |
| OIOSAML | HTTP | Danish eGovernment (e.g. www.virk.dk) |
| OpenAM | HTTP | Enterprise-Class Open Source SSO |
| OneLogin | HTTP | Joomla, Wordpress, SugarCRM, Drupal |
| OpenAthens | HTTP | UK Federation (www.eduserv.org.uk) |
| OpenSAML | HTTP | Shibboleth, SuisseID |
| Salesforce | HTTP | Cloud Computing and CRM |
| SimpleSAMLphp | HTTP | Danish e-ID Federation (www.wayf.dk) |
| WSO2 | HTTP | eBay, Deutsche Bank, HP |
3. Practical Evaluation
XML Signature Wrapping Attack on SAML – Results

[Figure: wrapping variant 1. The original Binding with the signed Assertion (Id="123", Subject = Bob) is moved into a wrapper element inside a new Binding; the forged Assertion (Id="evil", Subject = Admin) takes the original position; the Signature with Reference URI="#123" stays in the outer Binding. Worked against: Guanxi, JOSSO, WSO2.]
XML Signature Wrapping Attack on SAML – Results

[Figure: wrapping variant 2. The signed Assertion (Id="123", Subject = Bob) is moved into the Signature element itself, below SignedInfo > Reference URI="#123"; the forged Assertion (Id="evil", Subject = Admin) takes the original position in the Binding. Worked against: Higgins, Apache Axis2, IBM XS40, OpenAM, Salesforce.]
Attack on OpenSAML

• Is Signature Wrapping always that easy?
• OpenSAML implemented a few countermeasures:
  1. Checked that the signed Assertion has the same ID value as the processed one
  2. Validated the XML Schema
• Since ID attributes are of XML Schema type ID, schema validation should make it impossible to insert two elements with the same ID value, and an unexpected wrapper element should be rejected
Attack on OpenSAML

1. ID value check: basic idea – use two identical ID values
2. XML Schema validation:
   1. Put the original Assertion into an extensible element (e.g. <Extensions>), which the schema allows to contain arbitrary content
   2. Use two identical ID attributes (the Xerces XML parser did not reject duplicate ID values, a parser bug)
• Which of the two elements is verified?
  • OpenSAML C++ takes the first element found in document order

[Figure: OpenSAML C++ layout: Binding > Signature > SignedInfo > Reference URI="#123"; Binding > Extensions > Assertion (Id="123", Subject = Bob); Binding > Assertion (Id="123", Subject = Admin). The first element with Id="123" is the original, signed one; the Assertion the Service Provider processes is the forged one, and both carry Id="123".]
Attack on OpenSAML

• OpenSAML C++ references the first element found with the Id
• OpenSAML Java references the last element found with the Id
• The attacker only has to order the document accordingly: for the C++ variant the original Assertion precedes the forged one (inside Extensions); for the Java variant the forged Assertion comes first and the original Assertion is placed inside an Object element so that it is the last element carrying Id="123"

[Figure: left, the OpenSAML C++ layout (Extensions > original Assertion Id="123" Bob, then forged Assertion Id="123" Admin). Right, the OpenSAML Java layout (forged Assertion Id="123" Admin, then Object > original Assertion Id="123" Bob). In both, Signature > SignedInfo > Reference URI="#123".]
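The processing described in the two slides "Securing SAML with XML Signature" and "XML Signature Wrapping Attack on SAML", together with the OpenSAML Id-equality check and the duplicate-Id bypass from the three "Attack on OpenSAML" slides, as one added example in Python. This is not code from the paper, from OpenSAML or from any other framework named on the slides. Assumptions: element names follow the slides (Binding, Assertion, Subject, Signature); the Identity Provider's RSA XML Signature is replaced by an HMAC over SignedInfo and canonicalisation by plain ElementTree serialisation; the wrapper element names (Wrapper, Extensions, Object) and the key are made up. None of this changes the flaw: the verifier locates the signed element by Id, the evaluation logic locates "the" Assertion by path. The `pick` parameter models the two resolution behaviours the slides attribute to OpenSAML C++ (first match) and OpenSAML Java (last match).

```python
"""XML Signature Wrapping against a SAML Service Provider (added example)."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"idp-signing-key"  # constructed stand-in for the IdP's private key


def digest(elem):
    """Digest of an element's serialisation. The tail text is dropped so that
    moving the element elsewhere in the document leaves the digest unchanged."""
    c = copy.deepcopy(elem)
    c.tail = None
    return hashlib.sha256(ET.tostring(c)).hexdigest()


def resolve_id(root, id_value, pick="first"):
    """Id-based Reference resolution. With duplicate Ids implementations differ:
    the slides report OpenSAML C++ takes the first match in document order and
    OpenSAML Java the last."""
    matches = [e for e in root.iter() if e.get("Id") == id_value]
    if not matches:
        raise ValueError("unresolved reference #" + id_value)
    return matches[0] if pick == "first" else matches[-1]


def idp_response():
    """Constructed sample: the message the IdP issues for Bob, Signature in the Binding."""
    binding = ET.fromstring('<Binding><Assertion Id="123"><Subject>Bob</Subject></Assertion></Binding>')
    sig = ET.SubElement(binding, "Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(info, "Reference", URI="#123")
    ET.SubElement(ref, "DigestValue").text = digest(binding.find("Assertion"))
    ET.SubElement(sig, "SignatureValue").text = hmac.new(IDP_KEY, digest(info).encode(), "sha256").hexdigest()
    return binding


def service_provider(binding, pick="first", check_ids=False):
    """Returns the Subject the SP acts on, or None if it rejects the message."""
    # Step 1: Id-based signature validation.
    sig = binding.find("Signature")
    info = sig.find("SignedInfo")
    ref = info.find("Reference")
    mac = hmac.new(IDP_KEY, digest(info).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, sig.findtext("SignatureValue")):
        return None
    signed = resolve_id(binding, ref.get("URI")[1:], pick)
    if ref.findtext("DigestValue") != digest(signed):
        return None
    # Step 2: Assertion evaluation via the fixed path /Binding/Assertion/Subject.
    processed = binding.find("Assertion")
    if check_ids and processed.get("Id") != signed.get("Id"):
        return None  # OpenSAML's countermeasure: processed Id must equal the signed Id
    return processed.findtext("Subject")


def wrap(binding, evil_id="evil", wrapper="Wrapper", original_first=True):
    """Attacker: move the signed Assertion into a wrapper element (name assumed)
    and place a forged Assertion at the path the SP evaluates."""
    b = copy.deepcopy(binding)
    original = b.find("Assertion")
    b.remove(original)
    box = ET.Element(wrapper)
    box.append(original)
    evil = ET.Element("Assertion", Id=evil_id)
    ET.SubElement(evil, "Subject").text = "Admin"
    if original_first:  # wrapper (e.g. <Extensions>) before the forged Assertion
        b.insert(0, box)
        b.insert(1, evil)
    else:  # forged Assertion first, wrapper (e.g. <Object>) inside the Signature
        b.insert(0, evil)
        b.find("Signature").append(box)
    return b


def tamper(binding):
    """Plain modification without wrapping: the digest check catches this."""
    b = copy.deepcopy(binding)
    b.find("Assertion/Subject").text = "Admin"
    return b


def has_duplicate_ids(root):
    """The check a hardened SP should run before resolving any Reference."""
    ids = [e.get("Id") for e in root.iter() if e.get("Id") is not None]
    return len(ids) != len(set(ids))


def demo():
    honest = idp_response()
    dup_first = wrap(honest, evil_id="123", wrapper="Extensions", original_first=True)
    dup_last = wrap(honest, evil_id="123", wrapper="Object", original_first=False)
    return {
        "honest": service_provider(honest),                                  # "Bob"
        "tampered": service_provider(tamper(honest)),                        # None
        "wrapped": service_provider(wrap(honest)),                           # "Admin"
        "wrapped_id_check": service_provider(wrap(honest), check_ids=True),  # None
        "dup_ids_cpp_first": service_provider(dup_first, "first", True),     # "Admin"
        "dup_ids_java_last": service_provider(dup_last, "last", True),       # "Admin"
        "dup_ids_java_on_cpp_layout": service_provider(dup_first, "last", True),  # None
        "dup_ids_detected": has_duplicate_ids(dup_first) and has_duplicate_ids(dup_last),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result!r}")
```

The `tampered` case shows that the signature itself works: editing the Subject in place breaks the digest. Wrapping never touches the signed bytes, so the naive SP accepts the forged Subject, the Id-equality check stops the basic variant, and the duplicate-Id layouts get past that check exactly when the resolver's first/last behaviour matches the document order the attacker chose. Rejecting any document in which an Id value occurs twice (`has_duplicate_ids`) closes the duplicate-Id path regardless of resolver behaviour.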
Beyond Signature Wrapping: Signature Exclusion

• Lame, but ...
• ... worked against:
  – Apache Axis2
  – JOSSO
  – OpenAthens

[Figure: the Signature element is simply removed from the Binding and the Assertion's Subject is changed from Bob to Admin; the Service Provider never notices that the message is unsigned.]
SAML Signature Wrapping – Summary

| Framework / Provider | Signature Exclusion | Signature Wrapping |
|---|---|---|
| Apache Axis 2 | X | X |
| Guanxi | | X |
| Higgins 1.x | | X |
| IBM Datapower XS40 | | X |
| JOSSO | X | X |
| WIF | | |
| OIOSAML | | X |
| OpenAM | | X |
| OneLogin | | X |
| OpenAthens | X | |
| OpenSAML | | X |
| Salesforce | | X |
| SimpleSAMLphp | | |
| WSO2 | | X |

Deployments highlighted on the slide: Danish eGovernment (OIOSAML); Shibboleth, SuisseID … (OpenSAML); Enterprise Applications; Joomla, Wordpress, SugarCRM, Drupal (OneLogin).
4. Penetration Test Library
Penetration Test Library

• Considered all the attack vectors:
  1. Different permutations of signed / processed Assertions
  2. Id processing
  3. Signature exclusion attacks
  4. XML Schema extensions
• Further attacks on the Salesforce interface
• Will be included in our WS-Attacker framework
  • http://ws-attacker.sourceforge.net/
5. Countermeasures
Countermeasures

• General problem: different processing modules have different views on the same document
  • Signature Verification locates the signed data Id-based (Reference URI="#123" → Id="123") and answers Valid / Invalid
  • Assertion Evaluation locates the user data by the path /Binding/Assertion/Subject
  • Both believe they are looking at "the" Assertion, but nothing guarantees it is the same one

[Figure: Signature Verification (Id-based, result Valid / Invalid) and Assertion Evaluation (/Binding/Assertion/Subject, result User) as two modules over one Binding: Assertion (Id="123", Subject = Bob), Signature > SignedInfo > Reference URI="#123" > DigestValue, SignatureValue.]
Countermeasure 1: Strict Filtering

• Forward only the signed elements to the Assertion evaluation
• Also called see-only-what-is-signed

[Figure: the Binding (Assertion + Signature) enters Signature Verification; only the verified Assertion is handed to Assertion Evaluation, the rest of the document is discarded.]
Countermeasure 2: Data Tainting

• Signature verification generates a random number r
• The verified data is tainted with r
• r is forwarded to the Assertion evaluation logic, which only accepts data that carries r

[Figure: Signature Verification marks the verified Assertion with r = "xyz" and passes r to Assertion Evaluation; the whole Binding is forwarded, but only the Assertion tainted with r = "xyz" is evaluated.]
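Both countermeasures applied to a wrapped message, as an added example in Python (not code from the paper or from any framework on the slides). Assumptions: element names follow the slides; the signature is reduced to the Reference digest over the Assertion, because wrapping leaves SignedInfo untouched and a real signature over it would verify just the same; the wrapper element name and the taint attribute name are made up. The naive flow, strict filtering and data tainting all run on the same two documents, the honest one and the wrapped one, so the difference is only in what the evaluation logic gets to see.

```python
"""Strict filtering and data tainting against XML Signature Wrapping (added example)."""
import copy
import hashlib
import secrets
import xml.etree.ElementTree as ET

TAINT_ATTR = "verified-r"  # assumed name of the attribute that carries r


def digest(elem):
    """Digest of an element's serialisation, ignoring its tail text."""
    c = copy.deepcopy(elem)
    c.tail = None
    return hashlib.sha256(ET.tostring(c)).hexdigest()


def verify(binding):
    """Id-based signature validation; returns the element that was actually signed."""
    ref = binding.find("Signature/SignedInfo/Reference")
    signed = next(e for e in binding.iter() if e.get("Id") == ref.get("URI")[1:])
    if ref.findtext("DigestValue") != digest(signed):
        raise ValueError("digest mismatch")
    return signed


def evaluate_naive(binding):
    """Vulnerable flow: verify, then read /Binding/Assertion/Subject from the whole document."""
    verify(binding)
    return binding.find("Assertion/Subject").text


def evaluate_strict_filtering(binding):
    """Countermeasure 1: the evaluation logic sees only what is signed."""
    signed = verify(binding)
    view = ET.Element("Binding")  # a fresh document holding nothing but the verified subtree
    view.append(copy.deepcopy(signed))
    return view.find("Assertion/Subject").text  # same path as before, different view


def evaluate_data_tainting(binding):
    """Countermeasure 2: verification taints the verified element with a random r;
    evaluation keeps its fixed path but refuses data that does not carry r."""
    r = secrets.token_hex(16)
    verify(binding).set(TAINT_ATTR, r)
    assertion = binding.find("Assertion")
    if assertion.get(TAINT_ATTR) != r:
        raise ValueError("element at /Binding/Assertion is not the verified one")
    return assertion.findtext("Subject")


def signed_response():
    """Constructed sample: the IdP's message for Bob."""
    b = ET.fromstring('<Binding><Assertion Id="123"><Subject>Bob</Subject></Assertion>'
                      '<Signature><SignedInfo><Reference URI="#123"><DigestValue/>'
                      '</Reference></SignedInfo></Signature></Binding>')
    b.find("Signature/SignedInfo/Reference/DigestValue").text = digest(b.find("Assertion"))
    return b


def wrap(binding):
    """Attacker: signed Assertion moved into a wrapper (name assumed), forged one at the evaluated path."""
    b = copy.deepcopy(binding)
    original = b.find("Assertion")
    b.remove(original)
    ET.SubElement(b, "Wrapper").append(original)
    evil = ET.Element("Assertion", Id="evil")
    ET.SubElement(evil, "Subject").text = "Admin"
    b.insert(0, evil)
    return b


def outcome(evaluator, doc):
    """Run an evaluator on a private copy; None means the message was rejected."""
    try:
        return evaluator(copy.deepcopy(doc))
    except ValueError:
        return None


def demo():
    honest, wrapped = signed_response(), wrap(signed_response())
    evaluators = (("naive", evaluate_naive),
                  ("strict_filtering", evaluate_strict_filtering),
                  ("data_tainting", evaluate_data_tainting))
    return {name: (outcome(fn, honest), outcome(fn, wrapped)) for name, fn in evaluators}


if __name__ == "__main__":
    for name, (honest_subject, wrapped_subject) in demo().items():
        print(f"{name:18} honest={honest_subject!r} wrapped={wrapped_subject!r}")
```

Strict filtering makes the wrapped message harmless (the evaluation reads Bob, because the forged Assertion is never forwarded); data tainting makes it visible (the evaluation finds an untainted Assertion at the expected path and rejects the message). Either way the two modules now agree on which element they are talking about.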
6. Conclusion
Conclusion

• We showed critical Signature Wrapping attacks on SAML: 12 out of 14 frameworks affected!
• All providers were informed
• Signature Wrapping has been known since 2005, but:
  • Not in the focus of the research community
  • Nearly all implementations are vulnerable
  • Not easy to fix: many permutations, vulnerable libraries
• Be aware of Signature Wrapping when applying XML Signatures:
  • In Web Services
  • In SAML
• Beyond XML: the attack applies wherever different processing modules have different views on the same document
Thank you for your attention
Responsible Disclosure

| Framework / Provider | Vendor notified | Fix released / status |
|---|---|---|
| Apache Axis 2 | 05.04.2011 | ??? |
| Guanxi | 25.07.2011 | ??? |
| Higgins 1.x | 24.04.2011 | Open |
| IBM XS40 | Oct 2011 | ?? |
| JOSSO | 18.02.2011 | March 2011 |
| OIOSAML | 25.07.2011 | 03.08.2011 |
| OpenAM | 03.12.2011 | 07.12.2011 |
| OneLogin | 03.06.2011 | ??? |
| OpenAthens | 29.07.2011 | 05.08.2011 |
| OpenSAML | 18.07.2011 | 25.07.2011 |
| Salesforce | 03.06.2011 | 13.06.2011 |
| WSO2 | 16.02.2011 | 18.07.2011 |