The integrity of all authentication tokens should be protected. In case of Security Assertion Markup Language (SAML), this is realized by a digital
signature s = SIGIdP(t). Signature Exclusion (0Sig) exploits a vulnerability in the verification logic allowing the usage of unsigned tokens. If SAML token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities (I) of other users.
=Attack subtypes=
=Attack subtypes=
Line 9:
Line 5:
=Prerequisites=
=Prerequisites for attack=
=Target=
In order for this attack to work the attacker has to have knowledge about the following things:
#'''Attacker knows endpoint of web service.''' otherwise, he is not able to reach the web service.
The attacked Single Sign-On component is marked in red colour. <br>
#'''Attacker knows that the web service processes the security header and the "signature" element.''' If the web service does not "expect" an signed part, it just discards the signature and the attack does not work.
=Graphical representation of attack=
[[Image:Signature_Exclusion_Attack.svg]]
=Attack example=
The attacker creates authentication tokens containing statements about other users, t = (..., IAlice/IBob/IAdmin...). He then sends the token to an Software-as-a-Service Cloud Provider (SaaS-CP) (Starget) and is logged in with the corresponding identity. Finally, the attacker gains access to arbitrary accounts and their resources. The attack is targeted at the Single Sign-On (SSO) Verificator, which should require that the authentication
token is signed and verify the applied signature. By this means, the integrity of the authentication token is guaranteed.
=Attack mitigation / countermeasures=
SAML messages without signature must not be accepted.
=Attack categorisation=
==Categorisation by violated security objective==
The attack allows an attacker to generate assertions for arbitrary identities and gain access to resources linked to this identity. Hence, it violates the security objective of access control.
Session Management schould include a protection against CSRF to mitigate the attack.
=Practical Examples=
In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack:
SAManage, Shiftplanning, BambooHR, IdeaScale, Howlr and CA Service Management.
=References=
=References=
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
The attacked Single Sign-On component is marked in red colour.
The attack uses the CSRF technique to enforce the victim to change changing configuration data without explicit user interaction.
Description
Mitigation / Countermeasures
Session Management schould include a protection against CSRF to mitigate the attack.
Practical Examples
In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack:
SAManage, Shiftplanning, BambooHR, IdeaScale, Howlr and CA Service Management.
References
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
