Signature Exclusion Attack

From Single Sign-On Attacks
Revision as of 20:06, 19 November 2015 by Anna (talk | contribs) (Created page with "=Attack description= The integrity of all authentication tokens should be protected. In case of Security Assertion Markup Language (SAML), this is realized by a digital signat...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Attack description

The integrity of all authentication tokens should be protected. In case of Security Assertion Markup Language (SAML), this is realized by a digital signature s = SIGIdP(t). Signature Exclusion (0Sig) exploits a vulnerability in the verification logic allowing the usage of unsigned tokens. If SAML token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities (I) of other users.

Attack subtypes

There are no attack subtypes for this attack.

Prerequisites for attack

In order for this attack to work the attacker has to have knowledge about the following things:

  1. Attacker knows endpoint of web service. otherwise, he is not able to reach the web service.
  2. Attacker knows that the web service processes the security header and the "signature" element. If the web service does not "expect" an signed part, it just discards the signature and the attack does not work.

Graphical representation of attack