AppSec Tales X | SAML

Karol Mazurek
7 min read · Oct 27, 2022

Guidelines for Application Security Testing of the SAML protocol.

INTRODUCTION

This article describes Application Security Testing of the SAML protocol.
The advice in this article is based on the following:

TOOLING

Keep the tools up to date.

BURP SUITE

Extend Burp Suite with the following extensions:

Source: https://github.com/portswigger/espresso
Source: https://github.com/portswigger/saml-raider

RECON WORDLIST ENDPOINTS

/saml
/saml2
/saml/login
/saml2/login
/saml/auth
/saml2/auth
/saml/init
/saml2/init
/saml/consume
/saml2/consume

/simplesaml/module.php/core/loginuserpass.php
/simplesaml/saml2/idp

RECON WORDLIST PARAMETERS

AuthState
SAMLRequest
authenticity_token
SAMLResponse
RelayState

GUIDELINES

I. UNVERIFIED SIGNATURE

Modify the SAML response and check whether the application still accepts it.

  • If the signature is not verified, an attacker can forge the identity data in the SAML response at will.
Source: Own study — Testing SAML Unverified Signature.
Source: Own study — Example request with a SAML Response Token viewed in the EsPReSSO extension.
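As an added example (not code from the article or from the tools it lists), the stdlib-only Python helper below decodes a captured SAMLResponse form value from the HTTP-POST binding and reports the structural facts a Service Provider must check before trusting the NameID: whether the Assertion carries an enveloped signature at all and whether that signature's Reference actually points at the Assertion's own ID. The sample response, the `_a1` identifiers and the `PLACEHOLDER` signature value are constructed for the example; cryptographic verification of the digest and signature value is deliberately left to an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml_response(form_value: str) -> bytes:
    """Decode the SAMLResponse field of the HTTP-POST binding (plain base64)."""
    return base64.b64decode(form_value)

def inspect_assertion(xml_bytes: bytes) -> dict:
    """Structural checks an SP must pass before trusting the NameID.
    Cryptographic verification of DigestValue/SignatureValue against the IdP
    certificate still needs an XML-DSig library (e.g. xmlsec); not done here."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    assertion_id = assertion.get("ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    # Only an enveloped signature that is a direct child of the Assertion counts.
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    return {
        "assertion_present": True,
        "assertion_id": assertion_id,
        "name_id": name_id.text if name_id is not None else None,
        "signed": sig is not None,
        # A Reference pointing elsewhere means the signature does not cover this NameID.
        "reference_matches": ref is not None and ref.get("URI") == f"#{assertion_id}",
    }

def strip_signature(xml_bytes: bytes) -> bytes:
    """Build the unsigned variant used to check that the SP rejects it."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    sig = assertion.find("ds:Signature", NS)
    if sig is not None:
        assertion.remove(sig)
    return ET.tostring(root)

# Constructed sample (not a capture from the article): minimal response whose
# Assertion carries an enveloped signature with a placeholder SignatureValue.
SIGNED_RESPONSE = base64.b64encode(b"""<samlp:Response ID="_r1" Version="2.0"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion ID="_a1" Version="2.0"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
 </ds:Signature><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 </saml:Assertion></samlp:Response>""").decode()
```

Running `inspect_assertion` on the decoded sample and on `strip_signature` of it shows the two outcomes a tester compares: the first reports a signature covering `_a1`, the second reports no signature, which the Service Provider must reject.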