Loading in 2 Seconds...
Loading in 2 Seconds...
SaaS Vulnerabilities Workshop : SaaS as the new attack vector. About us. Cyber security experts from Adallom AdallomLabs is the leading SaaS threats research center. Adallom monitors SaaS traffic from managed and unmanaged devices and detects attacks against company assets in the cloud.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
SaaS Vulnerabilities Workshop : SaaS as the new attack vector
About us • Cyber security experts from Adallom • AdallomLabs is the leading SaaS threats research center • Adallom monitors SaaS traffic from managed and unmanaged devices and detects attacks against company assets in the cloud
Agenda • Intro to the world of SaaS attacks • Training • Background on SAML • Hands on Workshop!! • Summary
SaaS allows access anywhere • Software-As-A-Service • Software and data hosted in the cloud • Allows “access anywhere” • Key stakeholders • SaaS provider • Company (Business unit and IT) • End Users
SaaS is a new attack vector CONFIDENTIAL AND PROPRIETARY • The common link: • Attack occurs outside of company network • Bypasses company controls • Very hard to detect
Anatomy of a SaaS attack • Objectives: • Persistent access to the CRM of the Acme organization • Initial research: • Use Salesforce.com for CRM
If this was on premise .. • Requires sophisticated cyber attack campaign
Anatomy of a SaaS attack • Requires a much simpler attack • Choose attack vector – Users. • Company network not relevant. SaaS provider too hard. • Open Source intelligence – Focus on targets. • Social Networks, Social Engineering,Support forums, etc. • Compromise the user – Phishing, social engineering • Or compromise the device – Exploit home PC, mobile • End Of Game – Stealth. Persistent. Simple. One employee. One mistake. The attacker will eventually win.
Breakdown of SaaS attack vectors SaaS provider responsibility Enterprise responsibility
Exercise Introduction • Attacking a SAAS website • WordPress based • Vulnerability is still exploitable in real websites • SSO & SAML in depth • XSW – XML Signature Wrapping attack
SAML Single Sign On Sam ???
SAML Single Sign On • SSO – use only one password for all SAAS applications • Pros • Reducing password fatigue from different user name and password combinations • Reducing time spent re-entering passwords for the same identity • Reducing IT costs due to lower number of IT help desk calls about passwords • SAML – Security Assertion Markup Language
SAML Single Sign On User Service Provider (SP) Identity Provider (IDP) Sam Credentials User:firstname.lastname@example.org Password: S4mP@$$ Token user = sam
SAML Single Sign On User Service Provider (SP) Identity Provider (IDP) Sam Credentials User:email@example.com Password: S4mP@$$ SSL SSL SSL Token user = sam
SAML Single Sign On User Service Provider (SP) Identity Provider (IDP) Credentials User:firstname.lastname@example.org Password: 1337H4X0R SSL SSL SSL Token user = drevil Token user = sam
SAML Single Sign On User Service Provider (SP) Identity Provider (IDP) Credentials User:email@example.com Password: 1337H4X0R SSL SSL SSL Token user = drevil Token user = drevil
SAML Single Sign On SAML Sample
XSW – XML Signature Wrapping • XML Signature • Used to verify that data wasn’t modified during transportation. • May apply to specific XML elements or the whole XML document. • There is no standard for what elements should be signed.
XSW – XML Signature Wrapping • <Envelope> - Root element • <Header> (optional) - Contains information that will be processed by SOAP nodes during transmission. • <Body> - Contains call and response information SOAP – Simple Object Access Protocol Most of web services are using SOAP which is XML based SOAP basic structure:
XSW – XML Signature Wrapping • Sample SOAP message • Receiver side’s logic if isValid(Signature) return fread([“Body”][“GetFileContent”] • Can it be used for malicious purpose?
XSW – XML Signature Wrapping • if isValid(Signature) • return fread(env [“Body”][“GetFileContent”]) Original Message Malicious Message
XSW – XML Signature Wrapping • Causes • No common library for xml signature validation • Using different logic to find signed element and read element’s data NOTE: XSW is generic attack and is NOT specific to SOAP!
Exercise • Main Goal • Original wordpress code + onelogin original plugin • Training Process • Exercise composed of 6 phases • Hints and solutions will be available on wordpressfeed • Tools • Charles or any other web debugging proxy (Burp, Fiddler, mitmproxy, etc..)
Exercise • Phase 0 • Goal: Prepare environment • Resources • http://www.adallombh.com/box • Target Service provider • https://www.adallombh.com • Identity provider • https://app.onelogin.com/login • Password for OneLogin • Password1!
Exercise • Phase 1 • Goal: Extract the SAML token • Hint #1: Use charles for capturing HTTP traffic • Hint #2: Recall the flow of SAML (in your HandOut) • Hint #3: SAML is encoded and thus, will not look like XML • Solution video is available on adallombh.com
Exercise • Phase 2 • Goal: Decode the SAML token • Hint #1: Response is passed by HTTP and thus must be URL encoded • Hint #2: Response is also encoded in Base64 • Solution video is available on adallombh.com
Exercise • Phase 3 (Optional) • Goal: Build and post custom SAML token • Hint #1: White spaces are not allowed in SAML • Hint #2: Use charles “edit” feature for manipulating original request • Solution video is available on adallombh.com Response is validEmail is firstname.lastname@example.org Note: This phase intends to verify that you are able to send your own SAML response. If you feel comfortable with that, you may continue to phase 4.
Exercise • Phase 4 • Goal: Manipulate SAML token for gaining admin access • Targeted user name:email@example.com • Hint #1: Source code may come in handy. It may be found at wordpress plugins site. • Hint #2: Draw diagrams for better understanding of SAML structure • Hint #3: Video is available adallombh.com • Solution video is available on adallombh.com
Exercise • Phase 5 • Goal: Publish a post telling you’re the best hacker • Hint #1: Breakpoints or Cookie Editing may come in handy • Solution video is available on adallombh.com
The exploit php/lib/onelogin/saml/authenticate.php • Authentication process on SP • Validate SAML Signature • Check NameID against wordpress’s user list • Generate authenticated cookie
The exploit php/lib/onelogin/saml/response.php • User name extraction • Find all matches for NameID element • Use the first match as the user name • User name manipulation – DONE!
The exploit Original SAML Malicious SAML
The exploit php/onelogin/saml/xmlsec.php • Steps • Locate signature • Validate reference • Locate key • Verify key How doesn’t it invalidate the signature?
The exploit Locate signature
The exploit Validate Reference
The exploit • There are many other possibilities for getting the same result Original SAML Malicious SAML Id = 1337
Summary • Admin’s password was: • X7r3MelyH@rdP@$$0rd • This specific XSW exploit was first introduced at USENIX 2012 by Juraj Somorovsky • Whatcausedthisvulnerability? • SAML is a complicatedprotocol • No awareness for SAAS vulnerabilities