SAML: Comment Injection II

This exercise covers the exploitation of a comment injection vulnerability in SAML.

In this lab, you'll learn how to exploit a vulnerability in a SAML implementation that impacts the Service Provider. The core of the issue is that the system verifying the signature and the system retrieving the NameID handle XML comments differently. By creating a specific email address and tampering with the SAMLResponse, you can manipulate the Service Provider into logging you in as a different user. This works because the Service Provider strips XML comments and everything after them, allowing you to bypass security measures without invalidating the signature.
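The parsing mismatch described above, shown from the Service Provider's side as an added example (not code from the lab): `naive_name_id` reads only the first text node of the NameID, so a comment truncates the value, while `strict_name_id` rejects any NameID that is not plain text. The function names and both sample documents are constructed for illustration.

```python
from xml.dom import Node, minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed samples (not from the lab): same Subject, with and without a
# comment splitting the NameID text into two text nodes.
PLAIN = (f'<saml:Subject xmlns:saml="{SAML_NS}">'
         '<saml:NameID>alice@example.org</saml:NameID></saml:Subject>')
SPLIT = (f'<saml:Subject xmlns:saml="{SAML_NS}">'
         '<saml:NameID>alice@example.org<!-- x -->.lab.example</saml:NameID>'
         '</saml:Subject>')


def _name_id_element(xml_text):
    # Stdlib parser keeps the sketch offline; real SP code should parse
    # untrusted XML with a hardened parser.
    doc = minidom.parseString(xml_text)
    found = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(found) != 1:
        raise ValueError("expected exactly one NameID")
    return found[0]


def naive_name_id(xml_text):
    """Flawed pattern: trust only the first child text node."""
    first = _name_id_element(xml_text).firstChild
    if first is None or first.nodeType != Node.TEXT_NODE:
        return ""
    return first.data


def strict_name_id(xml_text):
    """Hardened pattern: the NameID must consist of text and nothing else."""
    children = _name_id_element(xml_text).childNodes
    if not children or any(c.nodeType != Node.TEXT_NODE for c in children):
        raise ValueError("NameID is empty or contains non-text nodes")
    return "".join(c.data for c in children)


if __name__ == "__main__":
    print(naive_name_id(PLAIN), "|", strict_name_id(PLAIN))
    print(naive_name_id(SPLIT))      # truncated at the comment
    try:
        strict_name_id(SPLIT)
    except ValueError as exc:
        print("rejected:", exc)
```

A Service Provider that logs the rejection from `strict_name_id` also gets a detection signal, since a legitimate Identity Provider has no reason to place a comment inside a NameID.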

The lab walks you through the process of registering an account on the IDP that will transform into the target email address once comments are stripped. You'll use tools like Burp Suite and the SAML Raider extension to intercept and modify the SAMLResponse. This practical exercise underscores the importance of rigorous security checks in SSO implementations, showing how minor oversights can lead to significant vulnerabilities.
