SAML: Signature Wrapping III
This exercise covers the exploitation of a Signature Wrapping Issue in passport-saml (CVE-2022-39299)
The course provides a comprehensive exploration of SAML Wrapping attacks, which exploit the discrepancy between how the Service Provider verifies the signature and retrieves information from the SAMLResponse. It begins with an introduction to the vulnerability in the JavaScript library passport-saml and highlights the specific issue with the underlying XML library that permits multiple root elements in the XML message.
Participants will learn to create a malicious XML message with a signed document that does not contain an assertion, and a second malicious assertion with the desired NameID. The course details how to tamper with the SAMLRequest to generate a signed error, concatenate it with a malicious assertion, and ultimately exploit the vulnerability to become another user. The significance of this vulnerability in the context of increasing enterprise reliance on SSO is emphasized, underscoring the importance of detecting and fixing such issues before exploitation.