SAML: Known Key

This exercise covers the exploitation of a known key in SAML

PRO Tier | Medium | 1-2 Hrs. | 453

This course dives into the exploitation of an insecure SAML implementation where the Identity Provider (IDP) signs assertions with the default key shipped with the library rather than generating a dedicated key. Because that key is public, an attacker can create valid SAMLResponses that the Service Provider (SP) trusts. The course guides you through registering an account on the IDP, identifying the library used, recovering the key from the library, and forging a SAMLResponse based on the SAMLRequest issued by the SP.

The accompanying video provides a detailed walkthrough of the challenge, explaining how a SAMLResponse is signed with a private key and how the SP verifies that signature against the corresponding X509 certificate. It highlights the dangers of using default keys and certificates in production environments. The video outlines methods to find the key, such as fingerprinting the language and framework, or computing the certificate's fingerprint with OpenSSL and matching it against the certificate bundled with the library. Once the key is obtained, the video demonstrates how to intercept, tamper with, and re-sign the SAMLResponse to gain unauthorized access as another user.

Want to learn more? Get started with PentesterLab Pro!