SAML: SAMLResponse forwarding

This exercise covers how one can pass the SAMLResponse from one Service Provider to another Service Provider.

< 1 Hr.


In this course, you'll learn how to exploit an insecure SAML implementation to log into a service provider, even when the identity provider attempts to prevent it. The vulnerability exists because the service provider fails to verify the claim in the SAMLResponse, trusting a claim issued for another service provider instead. By tampering with the SAMLRequest from Service Provider #1 and altering the ServiceURL, you can pass a valid claim to Service Provider #2.

The exercise involves decoding and re-encoding the SAMLRequest using URL-decoding, base64 decoding, and Inflate, followed by Deflate, base64 encoding, and URL-encoding. By manipulating the SAMLRequest, you can bypass the identity provider's restrictions and gain unauthorized access to a different service provider. This course highlights the importance of proper validation in SSO implementations to prevent such vulnerabilities from being exploited.

Want to learn more? Get started with PentesterLab Pro! GO PRO