[IdP] xml signature wrapping attack

Forge Component (37 votes)
Published on 4 Aug by Telmo Martins

Hi guys. My IT security guy did a review of our IdP integration with OneLogin. He found it is vulnerable to an XML signature wrapping attack. I'm not sure if I implemented it in a poor fashion or if it is some unavoidable risk when using this component.


This link explains more about the attack in general (XSW3 was used in my case):

https://blog.ritvn.com/testing/2018/02/16/burp-suite-saml-signature-wrapping-attack.html


Has anyone dealt with this before? Any suggestions on how I can prevent it? I see the SAML_Process is validating the response and checking for a valid signature. Apparently that's not good enough? I don't understand the whole process very well, so if I need to provide more details, please ask.

Mark Jurkovich wrote:

Hi guys. My IT security guy did a review of our IdP integration with OneLogin. He found it is vulnerable to an XML signature wrapping attack. I'm not sure if I implemented it in a poor fashion or if it is some unavoidable risk when using this component.


This link explains more about the attack in general (XSW3 was used in my case):

https://blog.ritvn.com/testing/2018/02/16/burp-suite-saml-signature-wrapping-attack.html


Has anyone dealt with this before? Any suggestions on how I can prevent it? I see the SAML_Process is validating the response and checking for a valid signature. Apparently that's not good enough? I don't understand the whole process very well, so if I need to provide more details, please ask.


Some extra info. I'm on OS 10. I updated to IdP 3.5.5.

I believe this is an actual security vulnerability. In order to thwart it I ended up customizing the IdP screen preparation. I added in a crude check to validate the XML structure of the SAML response. I think the component should be updated with something to prevent XML signature wrapping attacks.
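One way to implement the kind of structural check described above, as an added example that is not the IdP component's own code (written in Python with the standard library rather than the component's .NET): it accepts a Response only when it contains exactly one Assertion directly under the Response, no duplicate ID attributes, and a Signature that references its own enclosing Response or Assertion, which is exactly the shape the XSW variants break. The sample messages are constructed for the test and are not real OneLogin traffic; this check complements cryptographic signature verification, it does not replace it.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def signed_assertion(xml_text):
    """Return the single Assertion covered by an enveloped Signature, else raise ValueError.
    Structural checks only; run them before (or alongside) cryptographic verification:
    one Assertion directly under Response, no duplicate IDs, and every Signature
    references its own parent, which must be the Response or that Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("root element is not samlp:Response")
    parent = {child: p for p in root.iter() for child in p}  # ET has no parent links
    assertions = list(root.iter(SAML + "Assertion"))
    if len(assertions) != 1 or parent[assertions[0]] is not root:
        raise ValueError("expected exactly one Assertion directly under Response")
    assertion = assertions[0]

    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes (signature-wrapping shape)")

    signed = []
    for sig in root.iter(DS + "Signature"):
        refs = sig.findall(f"./{DS}SignedInfo/{DS}Reference")
        owner = parent[sig]
        if len(refs) != 1 or owner not in (root, assertion) \
                or refs[0].get("URI") != "#" + str(owner.get("ID")):
            raise ValueError("Signature does not cover its own enclosing Response/Assertion")
        signed.append(owner)
    if not signed:
        raise ValueError("no Signature present")
    return assertion


# Constructed samples, not real OneLogin traffic: a minimal signed Response, and the same
# message with an unsigned second Assertion inserted ahead of the signed one (XSW shape).
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#a1"/></ds:SignedInfo><ds:SignatureValue/></ds:Signature>')
GOOD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1">'
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1">'
        + SIG + '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>')
INJECTED = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1">'
            '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>')
WRAPPED = GOOD.replace("<saml:Assertion", INJECTED + "<saml:Assertion", 1)
```

In a real SP the returned element is the only Assertion whose Subject, Conditions and Attributes should be read after the signature itself has been verified against the IdP certificate.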