security protocol_error ai_generated true

SAML XML signature wrapping attack bypasses signature validation

ID: security/saml-xml-signature-wrapping

Fix rate: 85%
Confidence: 87%
Evidence: 1
First seen: 2023-11-05

Version Compatibility

Version               Status    Introduced   Deprecated   Notes
SAML 2.0              active    -            -            -
Shibboleth IdP 4.3.0  active    -            -            -
Okta 2024.01.0        active    -            -            -
OpenSAML 4.3.0        active    -            -            -

Root Cause

The SAML response contains multiple assertions, but the XML signature only covers a benign assertion; the attacker inserts a malicious assertion that is not signed but is processed by the application due to lax XML parsing logic.


Official Documentation

https://wiki.shibboleth.net/confluence/display/OSAML/XML+Signature+Wrapping+Attack

Workarounds

  1. 90% success: Enforce that only the first (or a single) assertion in the SAML response is processed, and that it must be the one covered by the signature. Example in Java using OpenSAML:
     if (response.getAssertions().size() != 1) throw new SecurityException("Multiple assertions not allowed");
  2. 80% success: Use strict XML schema validation that rejects any unexpected elements or structure changes in the SAML response.
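
The following is an added example, not code from the original entry or from any of the products listed above. It shows the structural pre-check a service provider can run before consuming an assertion, in Python with only the standard library: exactly one Assertion element anywhere in the response, an enveloped signature whose single Reference URI points at that assertion's own ID, and that ID unique in the document. Cryptographic verification of the signature is assumed to be performed separately by a proper XML-DSig library; the sample responses, element IDs and the SignatureValue placeholder are constructed for the example.

```python
# Added example (not from the original page): structural pre-check against
# SAML XML signature wrapping. Signature cryptography is assumed to be
# verified elsewhere; this only pins down WHICH element may be trusted.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


class WrappingRejected(ValueError):
    """Raised when the response fails the structural checks."""


def select_signed_assertion(response_xml: str) -> ET.Element:
    """Return the single assertion that is safe to consume, or raise."""
    root = ET.fromstring(response_xml)

    # 1. Exactly one Assertion anywhere in the document, not only among the
    #    direct children: a wrapped copy may sit inside ds:Object or Extensions.
    assertions = [e for e in root.iter() if e.tag == ASSERTION_TAG]
    if len(assertions) != 1:
        raise WrappingRejected(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    # 2. The signature must be enveloped in that assertion and its single
    #    Reference must point at the assertion's own ID.
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        raise WrappingRejected("assertion is not signed")
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise WrappingRejected(f"expected exactly one Reference, found {len(refs)}")
    assertion_id = assertion.get("ID")
    if not assertion_id or refs[0].get("URI") != "#" + assertion_id:
        raise WrappingRejected("signature Reference does not cover this assertion")

    # 3. The referenced ID must be unique, so an ID-based lookup in the real
    #    verifier cannot be steered to a different element than the one we use.
    if sum(1 for e in root.iter() if e.get("ID") == assertion_id) != 1:
        raise WrappingRejected(f"ID {assertion_id!r} is not unique in the response")
    return assertion


def subject_of(response_xml: str) -> str:
    """The NameID of the one acceptable assertion."""
    assertion = select_signed_assertion(response_xml)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise WrappingRejected("assertion has no Subject/NameID")
    return name_id.text


def is_acceptable(response_xml: str) -> bool:
    """True only if the response passes every structural check."""
    try:
        select_signed_assertion(response_xml)
        return True
    except (WrappingRejected, ET.ParseError):
        return False


# --- constructed sample input (not real SAML traffic; SignatureValue is a placeholder) ---
def _assertion(aid: str, subject: str, signed: bool) -> str:
    sig = ""
    if signed:
        sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>'
               "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>")
    return (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject>'
            f"<saml:NameID>{subject}</saml:NameID></saml:Subject></saml:Assertion>")


def _response(body: str) -> str:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
            f"{body}</samlp:Response>")


GOOD = _response(_assertion("_a1", "alice", signed=True))
# Two assertions, only the first signed: the shape described under "Root Cause".
WRAPPED = _response(_assertion("_a1", "alice", True) + _assertion("_a2", "mallory", False))
UNSIGNED = _response(_assertion("_a1", "alice", signed=False))

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("wrapped", WRAPPED), ("unsigned", UNSIGNED)):
        print(label, "accepted" if is_acceptable(doc) else "rejected")
```

Run as a script it reports the good response as accepted and the wrapped and unsigned ones as rejected. The check deliberately counts Assertion elements over the whole tree rather than over the Response's direct children, because a second assertion placed under ds:Object or Extensions is the common way to slip past a check that only looks at the top level.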


Dead Ends

Common approaches that don't work:

  1. Only validating the signature on the first assertion in the response (90% fail)

    Attackers can reorder assertions or place the signed assertion anywhere; the application may process a later unsigned assertion.

  2. Using a DOM parser without disabling external entity processing (95% fail)

    This doesn't address signature wrapping; the parser still sees all assertions, and signature validation is not enforced on each.