SAML: Trusted Embedded Key

This exercise covers the exploitation of a service provider (SP) that doesn't check the certificate provided in the SAMLResponse

< 1 Hr.


The course delves into the vulnerability in SAML implementations where the Service Provider (SP) does not verify the fingerprint of the certificate in the SAMLResponse. This oversight allows attackers to provide their own certificate with a matching signature, which the application then trusts. The course outlines the steps required to exploit this vulnerability, including registering an account on the Identity Provider (IDP), generating a private key and matching certificate, and forging a SAMLResponse based on the SAMLRequest provided by the SP.

In the video, the instructor explains that SAMLResponses are signed with a private key, and the signature is included in the XML message. Some implementations may trust the embedded certificate within the SAMLResponse and use the associated public key to verify the signature. This flaw allows attackers to generate their own certificate and private key, sign the message, and have the application trust the SAMLResponse. The video further elaborates on the attack steps, such as generating a private key and certificate, tampering with the SAMLResponse to change the username, and resigning the SAMLResponse using the generated private key.

Want to learn more? Get started with PentesterLab Pro! GO PRO