The Security Assertion Markup Language (SAML) is an open standard for exchanging authorization and authentication information.
Vulnerability description for reporting available in VulnDB (GitHub)
WS-Federation
Web Services Federation Language (WS-Federation) is an older Microsoft-backed identity federation standard that predates the widespread adoption of SAML 2.0. It is common with ADFS (Active Directory Federation Services) and older Azure AD configurations, which default to WS-Federation.

If you need a SAMLResponse instead, the IdP needs to be configured to use the SAML 2.0 POST binding rather than WS-Federation.
- Browser redirects to IdP with “wa=wsignin1.0&wtrealm=…”
- IdP authenticates user and POSTs back a “wresult” parameter
- “wresult” contains a RequestSecurityTokenResponse (RSTR) XML envelope, which itself wraps a SAML 1.1 assertion (or sometimes SAML 2.0)
Testing with Burp Suite
Filter Proxy history on “wresult” or “RequestSecurityTokenResponse” to confirm.
wa=wsignin1.0&wresult=%3Ct%3ARequestSecurityTokenResponse+xmlns%3At%3D%22
Inside wresult, look for:
- <t:RequestSecurityTokenResponse>: the wrapper
- <saml:Assertion>: the actual identity claim inside it
- <t:TokenType>: confirms which assertion format is used
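To see where the assertion sits inside the WS-Federation envelope, here is an added Python example (not code from this page or from SAML Raider) that decodes a constructed wsignin1.0 POST body and pulls out the TokenType, the SAML version and the subject. The sample body, the AssertionID and the subject value are constructed for illustration; only the standard namespaces are real.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Namespaces found inside a WS-Federation "wresult" value.
NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",   # RequestSecurityTokenResponse wrapper
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",     # SAML 1.1 assertions use the 1.0 namespace
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal RSTR envelope wrapping a SAML 1.1 assertion (not captured traffic).
SAMPLE_WRESULT_XML = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_example-1" MajorVersion="1" MinorVersion="1">'
    '<saml:AttributeStatement><saml:Subject>'
    '<saml:NameIdentifier>alice@example.test</saml:NameIdentifier>'
    '</saml:Subject></saml:AttributeStatement></saml:Assertion>'
    '</t:RequestedSecurityToken>'
    '<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>'
    '</t:RequestSecurityTokenResponse>'
)
# The value as it travels in the POST body: form-URL-encoded, exactly like the Burp history entry.
SAMPLE_BODY = "wa=wsignin1.0&wresult=" + urllib.parse.quote_plus(SAMPLE_WRESULT_XML)


def parse_wresult(body):
    """Return (token_type, saml_version, assertion_id, subject) from a wsignin1.0 POST body."""
    params = urllib.parse.parse_qs(body)
    if params.get("wa") != ["wsignin1.0"] or "wresult" not in params:
        raise ValueError("not a WS-Federation sign-in response")
    xml_text = params["wresult"][0]
    if "<!DOCTYPE" in xml_text:  # a token never carries a DTD; refuse it before parsing
        raise ValueError("DTD in wresult")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}RequestSecurityTokenResponse" % NS["t"]:
        raise ValueError("unexpected root element: " + root.tag)
    token_type_el = root.find("t:TokenType", NS)
    token_type = token_type_el.text if token_type_el is not None else None
    token = root.find("t:RequestedSecurityToken", NS)
    if token is None:
        raise ValueError("no RequestedSecurityToken in envelope")
    # The envelope may wrap a SAML 1.1 or a SAML 2.0 assertion; tell them apart by namespace.
    assertion = token.find("saml1:Assertion", NS)
    if assertion is not None:
        version = "1.1"
        assertion_id = assertion.get("AssertionID")
        subject = assertion.find(".//saml1:NameIdentifier", NS)
    else:
        assertion = token.find("saml2:Assertion", NS)
        if assertion is None:
            raise ValueError("no SAML assertion inside RequestedSecurityToken")
        version = "2.0"
        assertion_id = assertion.get("ID")
        subject = assertion.find(".//saml2:NameID", NS)
    return token_type, version, assertion_id, (subject.text if subject is not None else None)


if __name__ == "__main__":
    print(parse_wresult(SAMPLE_BODY))
```

The same decoding steps (URL decode, then locate the inner Assertion) are what you do by hand in Burp's Inspector; the TokenType value is the quickest way to confirm whether the IdP issued SAML 1.1 or 2.0 before choosing the SAML Raider parameter names.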
Testing
Use Burp Suite with the SAMLRaider extension.

Use a private window (or Incognito mode) in Firefox to test
SAMLRaider
SAMLRaider is an extension for Burp Suite.

There is a bug in Burp and SAMLRaider; see this thread (PortSwigger). The workaround is to click on the Pretty tab before forwarding the request.
SAMLRaider Manual Installation
SAML Raider – SAML2 Burp Extension (GitHub)
- Download the latest SAML Raider version: saml-raider-2.0.0.jar.
- Start Burp Suite and click in the Extensions tab on Add.
- Select Extension type Java, and choose saml-raider-2.0.0.jar.
- Click Next, then Close.
ADFS Pass Through
- Start Burp Suite.
- Click on tab Proxy->Proxy settings or click on Settings->Tools->Proxy.
- Under TLS pass through, click on Add.
- Add your ADFS server (like adfs.domain.com).
Intercept client SAML requests

For WS-Federation, set the match condition to “RequestSecurityTokenResponse” instead of “SAMLResponse”.
- Click on tab Proxy->Proxy settings or click on Settings->Tools->Proxy.
- Under Request interception rules, click on Add.
  - Boolean operator: And
  - Match type: Body
  - Match relationship: Matches
  - Match condition: SAMLResponse
Under the SAML Raider Certificates tab, set the parameter names for the binding in use:
- SAML 2.0 (default):
  - SAML Request Param Name: SAMLRequest
  - SAML Response Param Name: SAMLResponse
- WS-Federation + SAML 1.0:
  - SAML Request Param Name: wauth
  - SAML Response Param Name: wresult
XML round-trip
See SAML Attacks (HackTricks).
Signature Validation Bypass
Manually using the Inspector tab
- Intercept POST requests containing “SAMLResponse=”.
- Select the SAMLResponse value and click on the Inspector tab.
- Decode from URL encoding, then Base64.
- Edit the information from the SAMLResponse and click apply.
- Edit information like the username, group, or roles.
- Try removing the <Signature></Signature> element.
- Forward the request.
Using SAMLRaider
- Intercept POST requests containing “SAMLResponse=”.
- Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
- Edit information like the username, group, or roles.
- Click on Remove Signatures.
- Forward the request.
XML Signature Wrapping (XSW)
Using SAMLRaider
- Intercept POST requests containing “SAMLResponse=”.
- Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
- Select one XSW attack (from 1 to 8).
- If applicable, click the Match and Replace button. Click on the + button to add as many as needed.
- Click Apply XSW.
- After applying the XSW, modify the appropriate assertion as needed. See table below.
- Forward the request.
- Repeat for all XSW attacks.
| Scenario | Description |
|---|---|
| XSW1 | Edit second assertion only (NOT tested) |
| XSW2 | Edit second assertion only |
| XSW3 | Edit first assertion only |
| XSW4 | Edit first assertion only (NOT tested) |
| XSW5 | Edit first assertion only |
| XSW6 | Edit first assertion only (NOT tested) |
| XSW7 | Edit first assertion only |
| XSW8 | Edit first assertion only (NOT tested) |
XXE & XSLT
Use SAMLRaider. See XML External Entity (XXE).
Using SAMLRaider
- Intercept POST requests containing “SAMLResponse=”.
- Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
- Click TestXXE or Test XSLT.
- Enter the Burp Collaborator URL. You can also change the payload to any other XXE payload.
- Forward the request.
- Repeat for all XSW attacks.
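The three tests above (signature removal, XML Signature Wrapping, XXE/XSLT) all probe how the Service Provider validates the structure of the message before it trusts the assertion. The following added Python example is not code from this page, from SAML Raider or from any SAML library; it shows the structural checks an SP should apply before it even calls an XML-signature library (which this stdlib-only block does not replace), together with a constructed toy response for each failure mode. The element IDs, issuer, subjects and the PLACEHOLDER signature value are constructed, so the sample is not a cryptographically valid message.

```python
import xml.etree.ElementTree as ET

# Namespaces of a SAML 2.0 POST-binding response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pre_validate_saml_response(xml_text):
    """Structural checks an SP applies before handing the message to an XML-signature
    library. Returns the single Assertion that may be consumed, or raises ValueError."""
    # XXE / XSLT: a SAML message never legitimately carries a DTD, so refuse it before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")

    # XSW: every ID must be unique so that a Reference URI resolves to exactly one element.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes")

    # XSW: exactly one Assertion, sitting directly under the Response, never inside
    # Extensions, ds:Object or a nested copy of the Response.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    if assertion not in list(root):
        raise ValueError("Assertion is not a direct child of Response")
    if root.find(".//ds:Object", NS) is not None:
        raise ValueError("ds:Object inside a signature")

    # Signature stripping: Response or Assertion must carry an enveloped signature, and each
    # signature's Reference must point at the ID of the element that encloses it.
    resp_sig = root.find("ds:Signature", NS)
    assertion_sig = assertion.find("ds:Signature", NS)
    if resp_sig is None and assertion_sig is None:
        raise ValueError("no Signature on Response or Assertion")
    for element, sig in ((root, resp_sig), (assertion, assertion_sig)):
        if sig is None:
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (element.get("ID") or ""):
            raise ValueError("Signature Reference does not point at its enclosing element")
    return assertion


def check(xml_text):
    """Return None when the message passes the structural checks, otherwise the reason."""
    try:
        pre_validate_saml_response(xml_text)
        return None
    except ValueError as err:
        return str(err)


def build_sample(signed=True, duplicate=False, wrapped=False, doctype=False):
    """Construct a toy samlp:Response exercising the checks above (placeholder signature value)."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % NS["ds"]) if signed else ""
    assertion = ('<saml:Assertion ID="_a1" Version="2.0">%s<saml:Subject>'
                 '<saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>' % sig)
    if wrapped:  # the only assertion is hidden inside samlp:Extensions
        assertion = "<samlp:Extensions>%s</samlp:Extensions>" % assertion
    # XSW-style tampering: a second, unsigned assertion that reuses the signed one's ID
    evil = ('<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
            '<saml:NameID>admin@example.test</saml:NameID></saml:Subject></saml:Assertion>') if duplicate else ""
    doc = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
           '<saml:Issuer>https://idp.example.test</saml:Issuer>%s%s</samlp:Response>'
           % (NS["samlp"], NS["saml"], evil, assertion))
    return ('<!DOCTYPE x [<!ENTITY e "x">]>' if doctype else "") + doc


if __name__ == "__main__":
    for name, kwargs in [("clean", {}), ("unsigned", {"signed": False}),
                         ("xsw", {"duplicate": True}), ("wrapped", {"wrapped": True}),
                         ("dtd", {"doctype": True})]:
        print(name, "->", check(build_sample(**kwargs)))
```

An SP that passes these checks and then verifies the signature over the very element it consumes (not just "some signature somewhere in the document") is not affected by signature removal or the XSW variants; if any of the tampered samples above is accepted by the target, that is the finding to report.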
Certificate Faking
Certificate Faking is a technique to test if a Service Provider (SP) properly verifies that a SAML Message is signed by a trusted Identity Provider (IdP). It involves using a self-signed certificate to sign the SAML Response or Assertion, which helps in evaluating the trust validation process between SP and IdP.
Using SAMLRaider
- Intercept POST requests containing “SAMLResponse=”.
- Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
- If the response contains a signature, send the certificate to SAML Raider Certs using the Send Certificate to SAML Raider Certs button.
- In the SAML Raider Certificates tab, select the imported certificate and click Save and Self-Sign to create a self-signed clone of the original certificate.
- Go back to the intercepted request in Burp’s Proxy. Select the new self-signed certificate from the XML Signature dropdown.
- Remove any existing signatures with the Remove Signatures button.
- Sign the message or assertion with the new certificate using the (Re-)Sign Message or (Re-)Sign Assertion button, as appropriate.
- Forward the request.
- Repeat for all XSW attacks.
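On the SP side, the defence against certificate faking is to verify the signature only against a certificate pinned out of band from IdP metadata, never against whatever certificate the message itself carries in ds:KeyInfo. The added Python example below is not code from this page or from SAML Raider; it extracts the embedded certificate, fingerprints it and selects the pinned certificate the signature library must use. The certificate bytes are constructed placeholders standing in for DER-encoded certificates, and the signature value is a placeholder.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders: stand in for the DER bytes of the IdP's real signing certificate
# and for an attacker-made self-signed clone (same subject, different key material).
PINNED_IDP_CERT_DER = b"constructed-idp-certificate-der-bytes"
CLONED_CERT_DER = b"constructed-self-signed-clone-der-bytes"
# Pinned from IdP metadata at configuration time: sha256 fingerprint -> DER bytes.
PINNED_CERTS = {hashlib.sha256(PINNED_IDP_CERT_DER).hexdigest(): PINNED_IDP_CERT_DER}


def cert_fingerprints_in_keyinfo(xml_text):
    """Return the SHA-256 fingerprints of every X509Certificate carried in ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    fingerprints = []
    for el in root.iter("{%s}X509Certificate" % DS):
        der = base64.b64decode("".join((el.text or "").split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def select_verification_cert(xml_text, pinned_certs):
    """Return the pinned DER certificate the signature library must verify against.
    A KeyInfo certificate is only ever used to *choose* among pinned certificates;
    an unpinned one is rejected, and a missing one falls back to the single pinned cert."""
    fingerprints = cert_fingerprints_in_keyinfo(xml_text)
    for fp in fingerprints:
        if fp not in pinned_certs:
            raise ValueError("KeyInfo carries an unpinned certificate: sha256 " + fp)
    if fingerprints:
        return pinned_certs[fingerprints[0]]
    if len(pinned_certs) != 1:
        raise ValueError("no KeyInfo certificate and several pinned certificates to choose from")
    return next(iter(pinned_certs.values()))


def sample_signed_response(cert_der):
    """Construct a toy samlp:Response whose ds:KeyInfo carries cert_der (None omits KeyInfo)."""
    keyinfo = ""
    if cert_der is not None:
        keyinfo = ('<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
                   '</ds:X509Data></ds:KeyInfo>' % base64.b64encode(cert_der).decode())
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
            '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>%s</ds:Signature>'
            '</samlp:Response>' % (DS, keyinfo))


if __name__ == "__main__":
    print(cert_fingerprints_in_keyinfo(sample_signed_response(CLONED_CERT_DER)))
    try:
        select_verification_cert(sample_signed_response(CLONED_CERT_DER), PINNED_CERTS)
    except ValueError as err:
        print("rejected:", err)
```

An SP that instead takes the KeyInfo certificate as the verification key will accept a message re-signed with a self-signed clone, which is exactly what the SAML Raider steps above test for; comparing the fingerprint of the embedded certificate against the pinned one is the check that closes it.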
Golden SAML
- Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps (CyberArk)
- shimit (GitHub)
Identity Providers using SAML
List not exhaustive.
- Active Directory Federation Services (ADFS)
- ADFS provides users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity.
- Claims-based authentication involves authenticating a user based on a set of claims about that user’s identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means and that is trusted by the entity doing the claims-based authentication. ADFS is part of Active Directory Services.
- Cyberark idaptive (Cyberark)
- Okta (Okta)
Reference
- SAML 2.0 (Wikipedia)
- OWASP SAML Security Cheat Sheet (OWASP)
- SAML Developer Tools (Samltool)
- SAML Attacks (HackTricks)
- WS-Federation (Microsoft)