Given that, it’s no surprise that support for SAML-based Single Sign-on was one of the earliest requested features that our enterprise customers asked for.

In order to accept and process SAML responses from our customers, we essentially need to parse an XML request from the user agent (sent by the identity provider) and validate the SAML contents.

The following documentation and sample code is published on the Open SAML website, and shows how to convert XML retrieved from the authentication response to an expected SAML object.

The test code exploits the fact that external entity calls are allowed and will load the “/etc/passwd” file from the server and return its content to the malicious user.

Code:

try catch(Exception e)

Output:

Winning:

```
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
```

The fact that the Open SAML library allows a developer to handle the XML parsing of the SAML XML data before it is passed to the “Unmarshaller” object is a bad design decision, and as you can see here it can result in the potential for many custom SSO or other SAML-based solutions to be susceptible to XXE.

Another important takeaway is that SAML, at the end of the day, is simply XML data, and therefore you must include XML-specific risks like XXE, entity expansion attacks and even potential injection flaws when doing a threat model.

Unfortunately we see this issue quite a bit at GDS, not only within SAML but in any application which handles XML data from untrusted sources.

We have notified the Open SAML team about the vulnerable sample code and the XXE flaw within the Basic Parser Pool XML parsing logic that ships with the Open SAML library.

I have verified the SAML response with other tools, so I know it is valid (excluding timing issues, not a factor to the digital signature). Below is the code I have used that I believe should be able to do this validation as well as the signature I am trying to validate.
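The root cause described above is that whoever builds the DOM before handing it to the Unmarshaller owns the XXE decision. The example below is added here and is not the page's code nor part of the Open SAML library: it uses only the JDK's built-in `DocumentBuilderFactory` (Xerces feature names, JDK 11 or later for `Files.writeString`) to contrast a default parser configuration with a hardened one. The SAML-shaped response and the temporary file it references are constructed for the demonstration; the hardened configuration rejects the document before any entity is resolved.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SamlParserHardening {

    // Hardened factory: the feature names are the standard Xerces/JAXP ones.
    // The same Boolean feature map should be applied to whatever parser pool
    // produces the DOM that is later passed to the SAML Unmarshaller.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // SAML elements are namespace-qualified
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE at all: a SAML response never legitimately carries one,
        // and without a DTD there are no entity declarations to abuse.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a caller re-enables DOCTYPEs elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Default factory: what naive parsing code effectively uses.
    static DocumentBuilderFactory defaultFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    // Parse the response and return the text content of the root element,
    // which is where a resolved external entity would end up.
    static String parseResponse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a SAML-shaped response whose DOCTYPE declares an
        // external entity pointing at a file this program itself created.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "CONSTRUCTED-SECRET");
        String response =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE samlp:Response [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">&ext;</samlp:Response>";

        try {
            // The default configuration resolves the entity and returns the file content.
            System.out.println("default parser : " + parseResponse(defaultFactory(), response));
            try {
                parseResponse(hardenedFactory(), response);
                System.out.println("hardened parser: unexpectedly accepted the document");
            } catch (SAXParseException e) {
                // Expected: the DOCTYPE is rejected before any entity is touched.
                System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.delete(secret);
        }
    }
}
```

A useful detection check in code review is to search for every `DocumentBuilderFactory.newInstance()`, `SAXParserFactory.newInstance()` or parser-pool construction on the SAML path and confirm that a DOCTYPE-rejecting configuration like the one above is applied before the DOM reaches the Unmarshaller; the Unmarshaller itself cannot undo an entity that the parser has already expanded.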