SAML: Comment Injection
Bookmarked!This exercise covers the exploitation of a comment injection vulnerability in SAML
In this exercise, you will learn how to exploit a vulnerability in a SAML implementation that impacts the Service Provider. The course focuses on a common issue with protocols relying on signatures to prevent tampering, specifically when the signed data is parsed differently by the receiving system. You will create a malicious email address to become the user admin@libcurl.so
for the Service Provider. The vulnerability arises because the Service Provider strips XML comments from the email address provided in the SAMLResponse by the Identity Provider (IDP).
To exploit this issue, you will need to register an account on the IDP with an email address that, once comments are stripped, matches admin@libcurl.so
. Then, you will log in via SAML from the Service Provider. This exercise is crucial as it highlights the importance of detecting and fixing such vulnerabilities in SAML implementations, especially with the growing use of Single Sign-On (SSO) in enterprises.