Single Sign-On (SSO) procedures are one of the most important Internet technologies and are used by many applications. They allow to design the registration and login process as easy as possible for users and enable applications to be connected to social networks. The use of SAML-based SSO procedures is widespread. However, SSO procedures have become the target of serious attacks due to implementation flaws and flaws in the underlying standards in recent years. These attacks exploit the complexity of the underlying standards and enable attackers to authenticate themselves as arbitrary users or to access confidential user data. In this way, the data can be read, manipulated or deleted.
In this training, Single Sign-On technologies and the underlying concept will be introduced and explained in depth. The focus of this training is on the SAML-based Single Sign-On procedure. With the help of different examples, numerous attack techniques will be presented. For a better understanding, the eXtensible Markup Language (XML), SAML's core technology, will be introduced and problems in XML processing will be discussed. Participants will have the opportunity to execute various attacks themselves, in order to get a better feeling for the related complexity. The attacks are carried out manually (e.g. with SoapUI) as well as automatically with our penetration test tool EsPReSSO in a virtual machine prepared by us. The virtual machine is usable offline and can be used for further internal education of the participants after the training.
Due to the crucial role that single sign-on procedures fulfill in an application, it is essential to understand and address the problems of these technologies in detail. The training will address the following questions, among others:
- How do I use an XML parser correctly?
- Which types of XML signatures are available for different use cases?
- How do I validate a SAML message securely?
- How can I protect my service or identity provider from well-known attacks?
It is possible to extend this training to 3 days by combining it with the OAuth & OpenID Connect training if desired.
Possible Training Contents:
- XML and SOAP-based Web Services
- XML Parsing (DOM vs. SAX)
- XML Schema
- Document Type Definition
- XML (External) Entity Attacks
- XML-specific Denial-of-Service Attacks
- Extensible Stylesheet Language (XSLT)
- XML Signature
- ID- and XPath-based XML Signatures
- SAML-based Single Sign-On
- Attacks on SAML Service Provider
- Replay Attacks
- Signature Exclusion
- XML Signature Wrapping (XSW)
- Certificate Faking and Injection Attacks
- Covert Redirect Attacks
- Attacks on SAML Identity Provider
- SAML Secure Bindings
- Apply the knowledge you have acquired to your own applications
Requirements: This training is designed for two groups: For developers who practically use XML and SAML-based Single Sign-On procedures. Further on, penetration testers and security researchers who want to learn how to evaluate the security of SAML-based Single Sign-On procedures are addressed.