SAML Hacking 101
Tips and tricks for hacking SAML SSO authentication flows.
SAML Basics
Security Assertion Markup Language (SAML) is an XML-based Single Sign-On (SSO) authentication flow between two parties: the Identity Provider (IDP) and the Service Provider (SP). The IDP (Okta, Auth0, etc.) is the central identity and authentication/authorization system, connected to an org's Active Directory, for example. The SP is the application providing the protected service that the end user is attempting to reach.
In a typical scenario, a user navigates to a protected application, the app redirects the user to the IDP, the user authenticates to the IDP, and the IDP returns a SAML Assertion to the user, who then forwards it to the app to log in. For the app to verify that the IDP has indeed authenticated the user, the app is supposed to validate the assertion's XML signature, which protects the assertion from tampering. Hint hint…
Common Issues
Because of the complexity of SAML flows, app developers often make mistakes when writing their own SAML consumption code, which can lead to XML signature bypass vulnerabilities. While SAML libraries are the right way to go, even they get it wrong sometimes (SimpleSAMLPHP).
Additionally, SP SAML ACS endpoints parse IDP SAML Assertion XML and can therefore have XXE vulnerabilities. This parsing happens before any authentication takes place.
User Impersonation
SAML XML signature validation bypass can lead to impersonation of other app users. To hack it, download a free copy of BurpSuite Community Edition and install the SAML Raider plugin. It's got about 12 different SAML XML signature attacks, including stripping signatures, signing assertions with your own self-signed keypair, and various XML Signature Wrapping (XSW) attack arrangements. As you craft the payloads in SAML Raider, try modifying the username in the assertion to impersonate another user. Be patient and try all the attacks - maybe one will get past the app's signature checks!
Escalation of Privileges
In the event that a signature bypass is successful, you can tamper with the SAML assertion contents. Oftentimes, SAML assertions contain not only the username of the user but also additional attributes like role or other permissions-related attributes. Try modifying the user role attribute to "admin", for example.
Code Injection
Additionally, if there is no validation of the values submitted over SAML, consider the likely business logic processing or application flow. For example, application logic may include assertion attributes in the application code. Perhaps a username or first name attribute is included in the front-end on the profile page, potentially resulting in XSS. Or, if sent to the backend, SQL or LDAP queries or template injection could be exploited. This of course depends on the application's languages and technologies in use.
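The checks an SP should run before trusting anything in an assertion, covering the three sections above (impersonation, role escalation, and attribute values reaching application code), as an added example that is not code from the original post or from any library it names. It uses only the Python standard library; the ALLOWED_ROLES set, the NameID pattern, the ID values and the sample documents are constructed assumptions. It performs the structural half of signature validation (exactly one assertion, in the expected place, with unique IDs, and a Reference URI bound to the very element the signature is enveloped in) and then treats NameID and role as untrusted input. The cryptographic check of SignatureValue against the IDP's pinned certificate is left to an XML-DSig library and must run on the same element this code returns.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ALLOWED_ROLES = {"user", "admin"}  # assumed application role set
# assumed: this SP only issues email-style NameIDs, so anything else is refused
NAME_ID_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,190}$")


class SamlValidationError(Exception):
    pass


def select_signed_assertion(root: ET.Element) -> ET.Element:
    """Return the one Assertion the enveloped signature actually covers (structural checks only)."""
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("root element is not samlp:Response")
    # 1. Exactly one Assertion anywhere in the document. A second copy (e.g. under
    #    Extensions or ds:Object) is a wrapping attempt, whichever one carries the signature.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    # 2. It must sit where the SP expects it: a direct child of Response.
    if assertion not in list(root):
        raise SamlValidationError("Assertion is not a direct child of Response")
    # 3. ID attributes must be unique, otherwise a "#id" reference is ambiguous.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise SamlValidationError("duplicate ID attributes in Response")
    # 4. Locate the enveloped Signature: on the Assertion, else on the Response.
    signed, sig = assertion, assertion.find("ds:Signature", NS)
    if sig is None:
        signed, sig = root, root.find("ds:Signature", NS)
    if sig is None:
        raise SamlValidationError("no enveloped Signature on Assertion or Response")
    # 5. Its single Reference must point at exactly the element it is enveloped in.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SamlValidationError(f"expected one Reference, found {len(refs)}")
    expected = "#" + (signed.get("ID") or "")
    if refs[0].get("URI") != expected:
        raise SamlValidationError(f"Reference URI {refs[0].get('URI')!r} does not match {expected!r}")
    return assertion


def extract_identity(assertion: ET.Element) -> dict:
    """Pull NameID and role out of the signed assertion, treating both as untrusted input."""
    name_id = (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not NAME_ID_RE.match(name_id):
        raise SamlValidationError("NameID does not match the expected format")
    roles = [
        (v.text or "").strip()
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == "role"
        for v in attr.findall("saml:AttributeValue", NS)
    ]
    if len(roles) != 1 or roles[0] not in ALLOWED_ROLES:
        raise SamlValidationError(f"role attribute missing, repeated or not in allowlist: {roles}")
    return {"name_id": name_id, "role": roles[0]}


def consume(response_xml: str):
    """Return the identity from a Response, or None when any check fails."""
    try:
        return extract_identity(select_signed_assertion(ET.fromstring(response_xml)))
    except (SamlValidationError, ET.ParseError):
        return None


# --- constructed test documents (not real IDP output; SignatureValue is a placeholder) ---
def _response(body: str) -> str:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
            + body + "</samlp:Response>")


def _assertion(aid: str, name_id: str, role: str, signed: bool = True) -> str:
    sig = ("<ds:Signature><ds:SignedInfo>"
           f'<ds:Reference URI="#{aid}"/></ds:SignedInfo>'
           "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>") if signed else ""
    return (f'<saml:Assertion ID="{aid}" Version="2.0">{sig}'
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            '<saml:AttributeStatement><saml:Attribute Name="role">'
            f"<saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>"
            "</saml:AttributeStatement></saml:Assertion>")


GOOD = _response(_assertion("_a1", "alice@example.test", "user"))
# signed assertion parked under Extensions, unsigned "admin" assertion in the expected place
WRAPPED = _response("<samlp:Extensions>" + _assertion("_a1", "alice@example.test", "user")
                    + "</samlp:Extensions>" + _assertion("_a2", "mallory@example.test", "admin", signed=False))
UNSIGNED = _response(_assertion("_a1", "alice@example.test", "admin", signed=False))
BAD_ROLE = _response(_assertion("_a1", "alice@example.test", "superuser"))

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("wrapped", WRAPPED), ("unsigned", UNSIGNED), ("bad_role", BAD_ROLE)]:
        print(label, "->", consume(doc))
```

consume(GOOD) returns the identity; the wrapped, unsigned and out-of-allowlist documents all come back as None. The point of rule 1 is that the SP never has to decide which of two assertions is the "real" one: one assertion, one signature, one reference, or the message is dropped before any attribute is read.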
XXE in SAML ACS Endpoint
Because SAML is XML-based, the application's Assertion Consumer Service (ACS) endpoint runs incoming SAML Assertions through an XML parser. Any time XML is being processed, there's an opportunity for XXE injection.
The nice thing here is that the XML processing occurs before any SAML or signature validation, so it can be exploited pre-authentication, meaning we don't need any IDP signatures or valid SAML - just the XXE!
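A pre-parse guard for the ACS endpoint, added here as an example; it is not code from the original post or from any library it mentions, and the size cap and sample messages are constructed. Since a SAML Response never legitimately carries a DTD, the guard rejects any message containing DOCTYPE or ENTITY markup before the bytes reach the parser at all, which closes the pre-authentication window described above. Python's xml.etree happens not to resolve external entities, but that is a parser property an SP should not lean on; in other stacks the equivalent is disabling DTDs on the parser (or, in Python, using defusedxml).

```python
import base64
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_RESPONSE_BYTES = 256 * 1024  # assumed cap; real responses are a few KB

# A SAML Response never needs a DTD, so any DOCTYPE or ENTITY markup is
# grounds to drop the message before it reaches the XML parser at all.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class AcsRejected(Exception):
    """Raised when a SAMLResponse is refused at the ACS endpoint."""


def decode_saml_response(b64_response: str) -> bytes:
    """Base64-decode the SAMLResponse form field and apply the pre-parse checks."""
    try:
        raw = base64.b64decode(b64_response, validate=True)
    except (ValueError, TypeError) as exc:
        raise AcsRejected(f"SAMLResponse is not valid base64: {exc}")
    if len(raw) > MAX_RESPONSE_BYTES:
        raise AcsRejected(f"SAMLResponse too large: {len(raw)} bytes")
    if DTD_MARKERS.search(raw):
        raise AcsRejected("SAMLResponse carries a DTD (DOCTYPE/ENTITY); rejected before parsing")
    return raw


def parse_saml_response(b64_response: str) -> ET.Element:
    """Decode, guard, parse, and confirm the root element is samlp:Response."""
    raw = decode_saml_response(b64_response)
    # xml.etree does not resolve external entities, but the DTD check above means
    # the parser never sees one (and it also blocks internal-entity expansion bombs).
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise AcsRejected(f"SAMLResponse is not well-formed XML: {exc}")
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise AcsRejected(f"unexpected root element {root.tag!r}")
    return root


def acs_accepts(b64_response: str) -> bool:
    """True if the message passes the pre-parse guard and parses as a Response."""
    try:
        parse_saml_response(b64_response)
        return True
    except AcsRejected:
        return False


# Constructed sample messages (not real IDP traffic)
BENIGN_RESPONSE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"/>'
).decode()
DTD_RESPONSE = base64.b64encode(
    b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">&e;</samlp:Response>'
).decode()
WRONG_ROOT = base64.b64encode(b"<other/>").decode()

if __name__ == "__main__":
    print("benign:", acs_accepts(BENIGN_RESPONSE))  # True
    print("dtd:", acs_accepts(DTD_RESPONSE))        # False
    print("wrong root:", acs_accepts(WRONG_ROOT))   # False
```

The guard runs on the raw bytes rather than on a parsed tree on purpose: the whole point is that a message with a DTD is never handed to the parser, so it does not matter how that parser is configured. Logging the AcsRejected reason at the endpoint also gives the SOC a clean detection signal, since legitimate IDPs never send a DOCTYPE.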
Additional Resources
- My older blog for scaled testing: Automating Enterprise SAML Security Tests - Part 1
- My older blog for scaled testing: Automating Enterprise SAML Security Tests - Part 2
- HackTricks
- BurpSuite SAML Raider
- Comments attack