[IdP] xml signature wrapping attack
Forge asset by João Barata

Hi guys. My IT security guy did a review of our IdP integration with OneLogin. He found it is vulnerable to an XML signature wrapping attack. I'm not sure if I implemented it in a poor fashion or if it is some unavoidable risk when using this component.


This link explains more about the attack in general. (XSW3 was used in my case)

https://blog.ritvn.com/testing/2018/02/16/burp-suite-saml-signature-wrapping-attack.html


Has anyone dealt with this before? Any suggestions on how I can prevent it? I see the SAML_Process is validating the response and checking for a valid signature. Apparently that's not good enough? I don't understand the whole process very well, so if I need to provide more details, please ask.

Mark Jurkovich

Some extra info. I'm on OS 10. I updated to IdP 3.5.5.

Charles Grace

I have read your article, it is very informative and helpful for me. I admire the valuable information you offer in your articles. Thanks for posting it...!


Mark Jurkovich

I believe this is an actual security vulnerability. In order to thwart it I ended up customizing the IdP screen preparation. I added in a crude check to validate the XML structure of the SAML response. I think the component should be updated with something to prevent XML signature wrapping attacks.
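An added example, not part of the thread and not the IdP component's code: one way to express a structural check like the one described in the last comment, written in Python for illustration. It assumes SAML 2.0 with enveloped signatures and is meant to run in addition to cryptographic signature validation, not instead of it; the function name and the sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed samples: signature values are omitted, only the document shape matters.
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>')
_HEAD = ('<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1">')
GOOD = _HEAD + '<a:Assertion ID="a1">' + _SIG + '</a:Assertion></p:Response>'
# A second, unsigned Assertion sits next to the signed one.
WRAPPED = (_HEAD + '<a:Assertion ID="x9"/><a:Assertion ID="a1">' + _SIG
           + '</a:Assertion></p:Response>')

def saml_structure_problems(xml_text):
    """Return a list of structural problems; an empty list means the shape is acceptable."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["p"]:
        return ["root element is not samlp:Response"]
    problems = []
    # IDs must be unique, otherwise "the signed element" is ambiguous.
    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ID attribute")
    # Exactly one Assertion in the whole tree, and it must be a direct child of Response.
    all_assertions = list(root.iter("{%s}Assertion" % NS["a"]))
    direct = root.findall("a:Assertion", NS)
    if len(all_assertions) != 1 or len(direct) != 1:
        return problems + ["expected exactly one Assertion, as a direct child of Response"]
    assertion = direct[0]
    # A Signature may only be a direct child of Response or of that Assertion,
    # and its single Reference must point at its own parent's ID.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    signed = False
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        parent = parent_of[sig]
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        pid = parent.get("ID")
        if parent not in (root, assertion):
            problems.append("Signature in unexpected position")
        elif not pid or len(refs) != 1 or refs[0].get("URI") != "#" + pid:
            problems.append("Signature does not reference its parent element")
        else:
            signed = True
    if not signed:
        problems.append("neither Response nor Assertion carries a well-placed signature")
    return problems
```

After this check passes and the signature verifies, the application should read the user identity only from the element the signature covers.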
