Compass Security Blog

Offensive Defense

SAML Burp Extension

SAML [3] is a standard that is widely used to deploy Single Sign-On and identity federation solutions. SAML is XML-based and relies on XML Signatures and X.509 certificates to protect its messages.

Manual testing for SAML vulnerabilities is time-consuming and error-prone. For example, because a SAML message is only valid for a predefined period of time, the penetration tester may have to manipulate and re-submit it within a short window, which increases the chance of errors.

Therefore students of the University of Applied Sciences Rapperswil, Switzerland [6] developed an extension [2] for the Burp Suite [1] in collaboration with Compass Security. This extension automates most of the steps necessary to test a SAML environment.
The extension, called “SAML Raider”, supports the penetration tester with the following tasks:

  • “Clone” a certificate, i.e. all fields are copied but a new random key pair is generated
  • Edit certificates and sign them with the newly generated key pair or with valid keys
  • Encode and decode SAML messages
  • Display SAML messages with syntax highlighting
  • Edit SAML messages manually
  • (Re-)sign SAML messages and assertions
  • Remove signatures
  • Perform XML Signature Wrapping (XSW) attacks

The extension intercepts the POST request carrying the SAML Response with the assertion, which the browser has received from the Identity Provider (IdP) and forwards to the Service Provider (SP). The point of manipulation is marked in the following flow graph with the red field “Manipulate”.

Point of manipulation in the data flow.

The following example illustrates a possible attack that can be executed with “SAML Raider”. At Hacking-Lab [7], subscribers and license holders can test this vulnerability risk-free in a secured environment.

  1. The attacker logs in to the Identity Provider as an ordinary user and intercepts the SAML assertion before it is sent to the Service Provider.
  2. The attacker extracts the embedded X.509 certificate and clones it.
  3. The attacker changes the user group contained in the SAML assertion to administrators.
  4. The attacker signs the assertion with the cloned certificate's key and embeds the cloned certificate in the assertion.
  5. The attacker sends the manipulated SAML message to the Service Provider.
  6. The Service Provider wrongly accepts the embedded cloned certificate as trusted, instead of using the IdP certificate it was configured with, and verifies the signature against the wrong certificate.
  7. The attacker is now logged in as an administrator.
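
To make the trust decision in step 6 concrete, here is an added Go example; it is not SAML Raider's own (Java) code and not part of the original post. It clones a constructed IdP certificate the way the “Clone” feature does (same serial, subject and validity, new key pair, self-signed), re-signs an edited assertion with the cloned key, and presents the result to two Service Provider implementations: one that verifies with whatever certificate the message carries in <ds:KeyInfo>, and one that verifies only against the IdP certificate pinned from metadata. XML-DSig canonicalisation is replaced by a plain RSA-SHA256 signature over the raw assertion bytes; the certificate name, the assertion XML and the group values are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSign issues tmpl as a self-signed certificate (issuer = subject).
func selfSign(tmpl *x509.Certificate, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// cloneCert does what SAML Raider's "Clone" does: copy the identity fields (serial, subject,
// validity) onto a fresh key pair and self-sign, so only public key and signature differ.
func cloneCert(orig *x509.Certificate) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: orig.SerialNumber,
		Subject:      orig.Subject,
		NotBefore:    orig.NotBefore,
		NotAfter:     orig.NotAfter,
	}
	return selfSign(tmpl, key), key
}

// sign and verify stand in for XML-DSig: RSA-SHA256 over the raw assertion bytes, no canonicalisation.
func sign(assertion []byte, key *rsa.PrivateKey) []byte {
	h := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	check(err)
	return sig
}

func verify(assertion, sig []byte, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(assertion)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// vulnerableSP (step 6) verifies with the certificate the message itself carries in <ds:KeyInfo>.
func vulnerableSP(assertion, sig []byte, embedded *x509.Certificate) bool { return verify(assertion, sig, embedded) }

// hardenedSP ignores the embedded certificate and verifies only against the IdP certificate pinned from metadata.
func hardenedSP(assertion, sig []byte, pinned *x509.Certificate) bool { return verify(assertion, sig, pinned) }

type Outcome struct {
	CloneLooksGenuine bool // same subject and serial as the IdP cert, different public key
	GenuineAccepted   bool // untouched IdP-signed assertion passes the hardened SP
	ForgedVulnerable  bool // vulnerable SP accepts the "administrators" assertion
	ForgedHardened    bool // hardened SP accepts the "administrators" assertion
}

// runScenario walks steps 1 to 7 with a constructed IdP certificate and assertion.
func runScenario() Outcome {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	idpCert := selfSign(&x509.Certificate{ // constructed IdP signing certificate
		SerialNumber: big.NewInt(4711),
		Subject:      pkix.Name{CommonName: "idp.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}, idpKey)
	// Step 1: the IdP signs an ordinary-user assertion (constructed, minimal XML); the attacker intercepts it.
	genuine := []byte(`<Assertion><Subject>alice</Subject><Group>users</Group></Assertion>`)
	genuineSig := sign(genuine, idpKey)
	// Step 2: clone the certificate embedded in the intercepted message.
	clone, cloneKey := cloneCert(idpCert)
	// Steps 3 and 4: edit the group, re-sign with the cloned key, embed the clone.
	forged := []byte(`<Assertion><Subject>alice</Subject><Group>administrators</Group></Assertion>`)
	forgedSig := sign(forged, cloneKey)
	// Steps 5 to 7: present the messages to both kinds of Service Provider.
	return Outcome{
		CloneLooksGenuine: clone.Subject.String() == idpCert.Subject.String() &&
			clone.SerialNumber.Cmp(idpCert.SerialNumber) == 0 &&
			!clone.PublicKey.(*rsa.PublicKey).Equal(idpCert.PublicKey),
		GenuineAccepted:  hardenedSP(genuine, genuineSig, idpCert),
		ForgedVulnerable: vulnerableSP(forged, forgedSig, clone),
		ForgedHardened:   hardenedSP(forged, forgedSig, idpCert),
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Run with `go run`: the vulnerable SP accepts the forged administrators assertion, while the hardened SP rejects it and still accepts the genuine one. The fix on the SP side is the pin: a certificate found in <ds:KeyInfo> may at most be compared with the configured IdP certificate, it must never serve as the trust anchor for the signature check.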

SAML Raider supports the penetration tester in testing SAML environments with Burp.

Another Burp extension [4], from Ruhr University Bochum, displays Single Sign-On messages and allows manual editing of SAML messages.
At Black Hat USA 2015 a tool called “samlyze” was announced; its goal is to pentest SAML service providers quickly and easily [5]. We look forward to it and hope samlyze complements this extension with one or the other feature.

References:

[1] http://portswigger.net/
[2] https://github.com/SAMLRaider/SAMLRaider
[3] https://www.oasis-open.org/standards#samlv2.0
[4] https://github.com/RUB-NDS/BurpSSOExtension
[5] https://www.blackhat.com/us-15/arsenal.html#samlyze
[6] http://www.hsr.ch/
[7] https://www.hacking-lab.com/

10 Comments

  1. Marc Ruef

    Great work, thanks for sharing!

    • Roland Bischofberger

      Thank you. We would be glad to receive any feedback or ideas for improvement.
      The first security advisory resulting from this work will follow.

  2. Roland Bischofberger

    There is a new version of the SAML Burp extension which contains:
    – a new feature to support SAML assertions in WS-Security
    – a security bug fix which solved a local XXE vulnerability
    – a bug fix of the XML serializer removing namespaces and newlines

    Check out the new release at:
    https://github.com/SAMLRaider/SAMLRaider/releases

  3. Suresh

    Hi,

    Excellent article!!

    I have a quick question with respect to the certificate and its cloning, can you please elaborate on this a little more.

    Thanks and Best Regards,
    Suresh

    • Roland Bischofberger

      Hi Suresh,

      Thanks, we are glad to hear that.

      What happens in the cloning process is that SAML Raider copies the properties of the original certificate to a new certificate. For this new certificate a new public / private key pair is generated and finally the certificate gets self signed by SAML Raider.

      Therefore the only things that change on this certificate are the public key, the signature and in some instances also the ordering of the certificate’s extensions.

      You can compare the two following files, which I uploaded to github to give you an idea of the result of the cloning process.
      First the original certificate and afterwards the “cloned” one.

      Original:
      https://github.com/SAMLRaider/SAMLRaider/blob/master/doc/original.cert

      Cloned:
      https://github.com/SAMLRaider/SAMLRaider/blob/master/doc/cloned.cert

  4. Carl

    Hey there.

    First of all, thank you for this great addon :)

    I’m wondering if there’s a way to edit SAML Requests with your addon. The SAML Raider tab under Proxy –> Intercept seems to only activate on Responses. For example, when I send an Authentication Request to the IdP there’s no SAML Raider tab yet. It only materializes itself when the Authentication Response from the IdP is sent.
    Is there a way to still edit the Request?

    Regards
    Carl

    • Roland Bischofberger

      Hi Carl,

      Thank you :)
      It is planned to implement this feature in the future. I created an Issue on Github where you could subscribe to get notified of any news.
      https://github.com/SAMLRaider/SAMLRaider/issues/11

      Cheers
      Roland

  5. Anuja

    Hi Roland Bischofberger,

    I would like to know how the SAML is re-signed with the original private key after modifying the SAML response, because even if I import the private key I couldn’t see it in the drop-down list of XML Signature (Message Editor).

  6. Anuja

    Hi Roland Bischofberger,

    I would like to know how the edited SAML response is re-signed with the IdP’s private key. I have imported the private key but am not able to view the imported private key in XML Signature (Message Editor).

    • Emanuel Duss

      Hi Anuja

      First you have to import a certificate and then import the private key which belongs to this certificate. If this is successful, the “Private Key” checkbox in the Certificate tab is set to true. Only certificates with a private key are listed in the dropdown for signing the SAML message.

      If you have any problems, don’t hesitate to provide some details and create a new issue on GitHub [1] so we can solve the problem.

      Best regards,
      Emanuel

      [1] https://github.com/SAMLRaider/SAMLRaider/issues
