Security Assertion Markup Language (SAML)

The Security Assertion Markup Language (SAML) is an open standard for exchanging authorization and authentication information.

SAMLRaider
Testing
Identity Providers using SAML

Vulnerability description for reporting available in VulnDB (GitHub)

SAMLRaider

SAMLRaider is an extension for Burp Suite.

Bug in Burp & SAMLRaider. See this thread (PortSwigger). Workaround is to click on the Pretty tab before forwarding the request.

SAMLRaider Manual Installation

The BApp Store install an old version (v.1.4.1, June 2022). Download the newest version from GitHub.

SAML Raider – SAML2 Burp Extension (GitHub)

  • Download the latest SAML Raider version: saml-raider-2.0.0.jar.
  • Start Burp Suite and click in the Extensions tab on Add.
  • Select Extension type Java, and choose saml-raider-2.0.0.jar.
  • Click Next, then Close.

ADFS Pass Through

  • Start Burp Suite.
  • Click on tab Proxy->Proxy settings or click on Settings->Tools->Proxy.
  • Under TLS pass through, click on Add.
    • Add your ADFS server (like adfs.domain.com).

Testing

Use private windows (or Incognito mode) to test!

Intercept client SAML requests

  • Click on tab Proxy->Proxy settings or click on Settings->Tools->Proxy.
  • Under Request interception rules, click on Add.
    • Boolean operator: And
    • Match type: Body
    • Match relationship: Matches
    • Match condition: SAMLResponse

XML round-trip

See SAML Attacks (HackTricks).

Signature Validation Bypass

Manually using the Inspector tab

  • Intercept POST requests containing “SAMLResponse=”.
  • Select the SAMLResponse value and click on the Inspector tab.
  • Decode from URL encoding, then Base64.
  • Edit the information from the SAMLResponse and click apply.
    • Edit information like the username, group, or roles.
    • Try removing the <Signature></Signature> element.
  • Forward the request.

Using SAMLRaider

  • Intercept POST requests containing “SAMLResponse=”.
  • Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
  • Edit information like the username, group, or roles
  • Click on Remove Signatures.
  • Forward the request.

XML Signature Wrapping (XSW)

Using SAMLRaider

  • Intercept POST requests containing “SAMLResponse=”.
  • Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
  • Select one XSW attack (from 1 to 8).
  • If applicable, click the Match and Replace button. Click on the + button to add as many as needed.
  • Click Apply XSW.
  • After applying the XSW, modify the appropriate assertion as needed. See table below.
  • Forward the request.
  • Repeat for all XSW attacks.
ScenarioDescription
XSW1Edit second assertion only (NOT tested)
XSW2Edit second assertion only
XSW3Edit first assertion only
XSW4Edit first assertion only (NOT tested)
XSW5Edit first assertion only
XSW6Edit first assertion only (NOT tested)
XSW7Edit first assertion only
XSW8Edit first assertion only (NOT tested)
Signature wrapping

XXE & XSLT

Use SAMLRaider. See XML External Entity (XXE).

Using SAMLRaider

  • Intercept POST requests containing “SAMLResponse=”.
  • Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
  • Click TestXXE or Test XSLT.
  • Enter the Burp Collaborator URL. You can also change the payload to any other XXE payload.
  • Forward the request.
  • Repeat for all XSW attacks.

Certificate Faking

Certificate Faking is a technique to test if a Service Provider (SP) properly verifies that a SAML Message is signed by a trusted Identity Provider (IdP). It involves using a self-signed certificate to sign the SAML Response or Assertion, which helps in evaluating the trust validation process between SP and IdP.

Using SAMLRaider

  • Intercept POST requests containing “SAMLResponse=”.
  • Click on the upper right corner to select the SAMLRaider extension (Pretty, Raw, Hex, SAML Raider).
  • If the response contains a signature, send the certificate to SAML Raider Certs using the Send Certificate to SAML Raider Certs button.
  • In the SAML Raider Certificates tab, select the imported certificate and click Save and Self-Sign to create a self-signed clone of the original certificate.
  • Go back to the intercepted request in Burp’s Proxy. Select the new self-signed certificate from the XML Signature dropdown.
  • Remove any existing signatures with the Remove Signatures button.
  • Sign the message or assertion with the new certificate using the (Re-)Sign Message or (Re-)Sign Assertion button, as appropriate.
  • Forward the request.
  • Repeat for all XSW attacks.

Golden SAML

Identity Providers using SAML

List not exhaustive.

  • Active Directory Federation Services (ADFS)
    • ADFS provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity.
    • Claims-based authentication involves authenticating a user based on a set of claims about that user’s identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication. It is part of the Active Directory Services.
  • Cyberark idaptive (Cyberark)