On Breaking SAML: Be Whoever You Want to Be

1. Juraj Somorovsky1, Andreas Mayer2, Jörg Schwenk1, Marco Kampmann1, andMeiko Jensen1 1Horst-Görtz Institute for IT-Security, Ruhr-University Bochum 2Adolf Würth GmbH & Co. KG On Breaking SAML: Be Whoever You Want to Be

2. Motivation – Single Sign-On • Too many identities / passwords • Solution: Single Sign-On • Advantages: one password for users, no password management for Service Providers Website Visit and redirect User: Bob Role: guest User: Bob Role: guest User: Bob Role: guest Identity Provider Service Provider

3. Motivation – Single Sign-On • OpenID • OAuth • Security Assertion Markup Language (SAML) • OASIS • Web Services or browser-based Single Sign-On • Authentication Statements stored in Assertions

4. Motivation – Single Sign-On • How do we secure the messages? • Does SSL / TLS help? • Messages secured only during transport! Website Visit and redirect User: Bob Role: guest User: Bob Role: guest User: Bob Role: guest Identity Provider Service Provider

5. Motivation – Single Sign-On • Does SSL / TLS help? • Need for message level security! User: Admin Role: Admin User: Admin Role: Admin Website Visit and redirect User: Bob Role: guest User: Bob Role: guest User: Bob Role: guest Identity Provider Service Provider

6. Motivation – Single Sign-On • Message levelsecurity? • Realized using XML Signatures • Are we secure? User: Admin Role: Admin Website Visit and redirect User: Bob Role: guest User: Bob Role: guest User: Bob Role: guest Identity Provider Service Provider

7. Overview Securing SAML with XML Signature XML Signature Wrapping Attacks Practical Evaluation Penetration Test Library Countermeasures Conclusion

8. SAML Assertion Assertion <saml:Assertion ID="123"> <saml:Issuer>www.SecureIdP.com</saml:Issuer> <saml:Subject> <saml:NameID>Bob@SecureIdP.com</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="2011-08-08T14:42:00Z" NotOnOrAfter="2011-08-08T14:47:00Z"> <saml:AudienceRestriction> <saml:Audience> www.SecureSP.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> </saml:Assertion> Issuer SecureIdP Subject NameID Bob Conditions Audience SecureSP

9. Securing SAML with XML Signature • Two typical usages Binding Id=”123” Binding Id=”123” Assertion Signature Signature SignedInfo SignedInfo URI=”#123” Reference URI=”#123” Reference DigestValue DigestValue SignatureValue SignatureValue Assertion Subject Subject Bob Bob

10. Securing SAML with XML Signature • Naive (typical) processing: • Signature validation: Id-based • Assertion evaluation: /Binding/Assertion/Subject Id=”123” Id=”123” Binding Binding Signature Signature SignedInfo SignedInfo URI=”#123” URI=”#123” Reference Reference DigestValue DigestValue SignatureValue SignatureValue Assertion Assertion valid SignatureVerification Assertion Evaluation Subject Subject Bob Bob Bob

11. Overview Securing SAML with XML Signature XML Signature Wrapping Attacks Practical Evaluation Penetration Test Library Countermeasures Conclusion

12. XML SignatureWrappingAttack on SAML Id=”evil” Id=”123” • Place the original Assertion including its Binding element into another element • Change the Id of the original element • The Reference now points to the original element: signature is valid • Insert a new Assertion Binding Binding Signature SignedInfo URI=”#123” Reference Id=”123” Binding Assertion Subject Bob Assertion Assertion Subject Subject Admin Bob

13. XML SignatureWrappingAttack on SAML Id=”evil” Id=”123” Binding Binding Signature SignedInfo Id=”evil” Id=”123” Binding Binding URI=”#123” Reference Signature Id=”123” Binding SignedInfo Assertion URI=”#123” Reference Subject Id=”123” Binding Bob Assertion Subject Assertion Assertion Bob Subject Subject Bob Admin Assertion Assertion Subject Subject valid SignatureVerification Assertion Evaluation Bob Admin Admin

14. XML SignatureWrappingAttack on SAML – Threat model • Change arbitrary data in the Assertion: Subject, Timestamp ... • Attacker: everybody who can gain a signed Assertion... • Registering by the Identity Provider • Message eavesdropping • Google Hacking • Single Point of Failure!

15. XML SignatureWrappingAttack on SAML • How about them?

16. Overview Securing SAML with XML Signature XML Signature Wrapping Attacks Practical Evaluation Penetration Test Library Countermeasures Conclusion

17. XML SignatureWrappingAttack on SAML – Results Guanxi, JOSSO WSO2 Id=”123” Id=”evil” Id=”evil” Id=”123” Binding Binding Binding Binding Signature Id=”123” Binding SignedInfo Assertion URI=”#123” Reference Subject Id=”123” Binding Bob Assertion Signature Subject SignedInfo Bob URI=”#123” Reference Assertion Assertion Assertion Assertion Subject Subject Subject Subject Admin Bob Bob Admin

18. XML SignatureWrappingAttack on SAML – Results Higgins, Apache Axis2, IBM XS 40 OpenAM, Salesforce Binding Binding Binding Id=”evil” Assertion Id=”evil” Assertion Subject Subject Admin Admin Signature Assertion Id=”123” SignedInfo Signature URI=”#123” Reference SignedInfo URI=”#123” Reference Assertion Id=”123” Subject Subject Bob Bob

19. Attack on OpenSAML • Is Signature Wrapping always that easy? • OpenSAML implemented a few countermeasures: • Checked if the signed assertion has the same ID value as the processed one • Validated XML Schema • Not possible to insert two elements with the same ID values

20. Attack on OpenSAML OpenSAML C++ • ID values checking: Basic idea – using two identical ID values • XML Schema validation: • Put the Assertion into an extensible element (e.g. <Extensions>) • Two identical ID attributes (XML Xerces Parser bug) • Which element is verified? C++ takes the first found element Binding Extensions Id=”123” Assertion Subject Bob Id=”123” Assertion Assertion Signature SignedInfo URI=”#123” Reference Subject Subject Admin Bob

21. Attack on OpenSAML OpenSAML C++ references thefirstfoundelement OpenSAML Java references thelast foundelement Binding Binding Id=”123” Assertion Assertion Extensions Signature Id=”123” Assertion SignedInfo Subject URI=”#123” Reference Bob Object Id=”123” Assertion Assertion Id=”123” Assertion Signature Subject SignedInfo Bob URI=”#123” Reference Subject Subject Subject Subject Admin Bob Admin Bob

22. BeyondSignatureWrapping: SignatureExclusion • Lame but … • …Worked against: • Apache Axis2 • JOSSO • OpenAthens Binding Id=”123” Assertion Assertion Assertion Subject Subject Subject Bob Admin Bob Signature SignedInfo URI=”#123” Reference

23. SAML SignatureWrapping – Summary Enterprise Applications DanisheGovernment Joomla, Wordpress, SugarCRM, Drupal Shibboleth, SwissID …

24. Overview Securing SAML with XML Signature XML Signature Wrapping Attacks Practical Evaluation Penetration Test Library Countermeasures Conclusion

25. Penetration Test Library • Considered all the attack vectors: • Different permutations of signed / processed Assertions • Id processing • Signature exclusion attacks • XML Schema extensions • Further attacks on Salesforce interface • Will be included in our WS-Attacker framework • http://ws-attacker.sourceforge.net/

26. Overview Securing SAML with XML Signature XML Signature Wrapping Attacks Practical Evaluation Penetration Test Library Countermeasures Conclusion

27. Countermeasures • General problem: different processing modules have different views on documents Valid / Invalid Id=”123” Binding SignatureVerification Assertion Evaluation Signature User SignedInfo URI=”#123” Reference Id-based DigestValue SignatureValue /Binding/Assertion/Subject Assertion Subject Bob

28. Countermeasure 1: StrictFiltering • Forward only signed elements • Also called see-only-what-is-signed Binding Binding Assertion SignatureVerification Assertion Evaluation Assertion Assertion Signature

29. Countermeasure 2: Data Tainting • Signature verification generates a random number r • The verified data is tainted with r • r is forwarded to the Assertion evaluation logic Binding Binding SignatureVerification Assertion Evaluation Assertion Assertion r=”xyz” Assertion Assertion Signature Signature r = xyz r = xyz

30. Overview SAML Assertion Securing SAML with XML Signature XML Signature Wrapping Attacks Practical Evaluation Countermeasures Conclusion

31. Conclusion • We showed critical Signature Wrappings in SAML, 12 out of 14 frameworks affected! • All providers informed • Signature Wrapping known since 2005, but: • Not in focus of research community • Nearly all implementations are vulnerable • Not easy to fix: many permutations, vulnerable libraries • Be aware of Signature Wrapping when applying: • In Web Services • SAML • Beyond XML: Could be applied in all the scenarios where different processing modules have different views on documents

32. Thankyouforyourattention Juraj Somorovsky1, Andreas Mayer2, Jörg Schwenk1, Marco Kampmann1, and Meiko Jensen1 1Horst-Görtz Institute for IT-Security, Ruhr-University Bochum 2Adolf Würth GmbH & Co. KG

33. ResponsibleDisclosure • Apache Axis 2 05.04.2011 ??? • Guanxi 25.07.2011 ??? • Higgins 1.x 24.04.2011 Open • IBM XS40 Oct 2011 ?? • JOSSO 18.02.2011 March 2011 • OIOSAML 25.07.2011 03.08.2011 • OpenAM 03.12.2011 07.12.2011 • OneLogin 03.06.2011 ??? • OpenAthens 29.07.2011 05.08.2011 • OpenSAML 18.07.2011 25.07.2011 • Salesforce 03.06.2011 13.06.2011 • WSO2 16.02.2011 18.07.2011