Vulnarex | Elite Cybersecurity Learning Platform

#Breaking the Trust in XML#link

Because SAML is based on XML, it inherits all the vulnerabilities of XML parsing. The most dangerous of these is XML Signature Wrapping (XSW), which allows an attacker to manipulate the identity of the user without breaking the cryptographic signature.

XML Signature Wrapping (XSW)

XSW exploits the difference between how the *Signature Verifier* and the *Business Logic* see the XML. The verifier checks the signature of a legitimate block, but the application logic reads a different, malicious block.

callout

The attacker 'wraps' the original signed assertion inside a new XML structure and adds a second, unsigned assertion with the 'admin' user identity.

xml

<samlp:Response>
  <!-- The Verifier sees this signed block and says 'OK' -->
  <saml:Assertion ID="_original_signed_id">
    <saml:Subject>User: Guest</saml:Subject>
    <ds:Signature>...</ds:Signature>
  </saml:Assertion>

  <!-- The Application Logic reads this block and grants Admin access -->
  <saml:Assertion ID="_fake_id">
    <saml:Subject>User: Administrator</saml:Subject>
  </saml:Assertion>
</samlp:Response>

If the SP's code does `getElementsByTagName('Assertion')[1]` instead of following the signed reference, it will process the malicious admin assertion while believing the signature is valid.

XML External Entity (XXE) Attacks

STRICT SECURE AUDIT RULE

If the SAML parser allows external entities, an attacker can send a crafted assertion that forces the server to read local files or perform SSRF (Server-Side Request Forgery).

Testing for XXE in a SAML Endpoint

root@vulnarex:~#curl -X POST -d "SAMLResponse=...<!ENTITY xxe SYSTEM 'file:///etc/passwd'>..." https://sp.example.com/acs

The terminal output shows a successful XXE attack. The parser attempted to resolve the external entity, leaking the system's password file into the HTTP response.

Attack	Vulnerability	Impact	Mitigation
XSW	Logic/Verifier Mismatch	Full Account Takeover	Strict XPath validation
XXE	Unsafe XML Parsing	File Leakage / SSRF	Disable DTDs/External Entities
Replay	Missing Timestamp Check	Session Hijacking	Enforce NotOnOrAfter / One-time use
SAML-CSRF	No State/Request ID	Login CSRF	Enforce SP-Initiated only

Defense and Hardening

Defending SAML requires a 'secure-by-default' XML parser. You must disable DTDs, use a strict schema for validation, and ensure the logic that reads the attributes is the *same* logic that verifies the signature.

▪Disable all external entity resolution (XXE)
▪Use a library that prevents XSW by validating the signed element's ID
▪Check the 'InResponseTo' attribute to ensure the response matches a request
▪Verify the Assertion and Response are both signed

STRICT SECURE AUDIT RULE

Never trust a SAML assertion based on its presence alone. Always validate the signature and the timestamp before extracting any attributes.

quiz BLOCK (★ 50 XP)

In an XML Signature Wrapping (XSW) attack, what is the primary goal of the attacker?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

The XXE Hunt