OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: FYI: "On Breaking SAML..." (21st USENIX Security Symposium 2012)

Possibly of interest to members of SSTC, in case it has not been
referenced on the TC list; note that bloggers say the problems
reported are not "new", per references:

Published in the Proceedings of the 21st USENIX
Security Symposium 2012, pages 397ff [1]

Paper presented at 21st USENIX Security Symposium
August 8-10, 2012 (August 10th Web Security Track)

"On Breaking SAML: Be Whoever You Want to Be"
16 pages.  Other references below [2]

Juraj Somorovsky (Horst Goertz Institute for IT-Security, Ruhr-University Bochum, Germany)
Andreas Mayer (Adolf Wuerth GmbH & Co. KG, Kuenzelsau-Gaisbach, Germany)
Joerg Schwenk (Horst Goertz Institute for IT-Security, Ruhr-University Bochum, Germany)
Marco Kampmann (Horst Goertz Institute for IT-Security, Ruhr-University Bochum, Germany)
Meiko Jensen (Horst Goertz Institute for IT-Security, Ruhr-University Bochum, Germany)

Abstract:  "The Security Assertion Markup Language (SAML) is a
widely adopted language for making security statements
about subjects. It is a critical component for the development
of federated identity deployments and Single Sign-On scenarios.
In order to protect integrity and authenticity
of the exchanged SAML assertions, the XML Signature
standard is applied. However, the signature verification
algorithm is much more complex than in traditional
signature formats like PKCS#7. The integrity protection
can thus be successfully circumvented by application of
different XML Signature specific attacks, under a weak
adversarial model.

In this paper we describe an in-depth analysis of 14
major SAML frameworks and show that 11 of them,
including Salesforce, Shibboleth, and IBM XS40, have
critical XML Signature wrapping (XSW) vulnerabilities.
Based on our analysis, we developed an automated penetration
testing tool for XSW in SAML frameworks. Its
feasibility was proven by additional discovery of a new
XSW variant. We propose the first framework to analyze
such attacks, which is based on the information
flow between two components of the Relying Party. Surprisingly,
this analysis also yields efficient and practical


[2] See also:

  "This isn't news, but the formal publication of the wrapping attack
    that was dealt with in Shibboleth and other software in July of
    last year.[1] Publication cycles for papers in this area can be
    pretty extended, but these particular researchers have been in
    touch with various people involved with implementations for
    some time."

Robin Cover
OASIS, Director of Information Services
Editor, Cover Pages and XML Daily Newslink
Email: robin@oasis-open.org
Staff bio: http://www.oasis-open.org/people/staff/robin-cover
Cover Pages: http://xml.coverpages.org/
Newsletter: http://xml.coverpages.org/newsletterArchive.html
Tel: +1 972-296-1783

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]