Signature Exclusion Attack: Difference between revisions

From Single Sign-On Attacks
Jump to navigation Jump to search
No edit summary
 
(44 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=Attack description=
=Introduction=
The integrity of all authentication tokens should be protected. In case of '''Security Assertion Markup Language (SAML)''', this is realized by a digital signature ''s = SIGIdP(t)''. Signature Exclusion (0Sig) exploits a vulnerability in the verification logic allowing the usage of unsigned tokens. If SAML token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities ''(I)'' of other users.
The integrity of all authentication tokens should be protected. In case of [http://www.sso-attacks.org/SAML ''SAML''], this is realized by a digital signature ''s = SIG_IdP(t)''. ''Signature Exclusion'' (0Sig) exploits a vulnerability in the verification logic allowing the usage of unsigned tokens. If SAML token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities ''(I)'' of other users.
 
 


=Attack subtypes=
=Attack subtypes=
There are no attack subtypes for this attack.
There are no attack subtypes for this attack.


 
=Prerequisites=
 
=Prerequisites for attack=
In order for this attack to work the attacker has to have knowledge about the following things:
In order for this attack to work the attacker has to have knowledge about the following things:
#'''Attacker knows endpoint of web service.''' otherwise, he is not able to reach the web service.  
#'''Attacker knows endpoint of the web service.''' otherwise, he is not able to reach the web service.  
#'''Attacker knows that the web service processes the security header and the ''"signature"'' element.''' If the web service does not ''"expect"'' an signed part, it just discards the signature and the attack does not work.
#'''Attacker knows that the web service processes the security header and the ''"signature"'' element.''' If the web service does not '''"expect"''' an signed part, it just discards the signature and the attack does not work.


=Target=
[[File:Target_Verificator.jpg|centre|600px]]
<br> The attacked Single Sign-On component is marked in red colour.


The attack is targeted at the ''Single Sign-On (SSO)'' Verificator, which should require that the authentication token is signed and verify the applied signature. By this means, the integrity of the authentication token is guaranteed.


=Graphical representation of attack=
=Description=


[[File:Signature_Exclusion_Attack.svg]]
[[File:Signature_Exclusion_Attack.jpg|center]]
The attacker creates authentication tokens containing statements about other users ''t = (..., I_Alice/I_Bob/I_Admin,...)''. He then sends the token to an ''Software-as-a-Service Cloud Provider (SaaS-CP)'' (Starget) and is logged in with the corresponding identity. Finally, the attacker gains access to arbitrary accounts and their resources.


=Mitigation / Countermeasures=
SAML messages without signature must not be accepted.


=Attack example=
=Practical Examples=
The attacker creates authentication tokens containing statements about other users, ''t = (..., IAlice/IBob/IAdmin...)''. He then sends the token to an '''Software-as-a-Service Cloud Provider (SaaS-CP)''' (Starget) and is logged in with the corresponding identity. Finally, the attacker gains access to arbitrary accounts and their resources. The attack is targeted at the '''Single Sign-On (SSO)''' Verificator, which should require that the authentication token is signed and verify the applied signature. By this means, the integrity of the authentication token is guaranteed.
In 2012, Somorovsky et al. applied the Signature Exclusion attack on three SAML frameworks: Apache Axis2, JOSSO and OpenAthens.  
 
 
 
=Attack mitigation / countermeasures=
SAML messages without signature must not be accepted.


In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out that one framework was vulnerable to this attack: Clarizen.




=Attack categorisation=
[[Category:Attack_Categorisation_By_Attacker_Model:_Message_generation_attacks]]
==Categorisation by violated security objective==
The attack allows an attacker to generate assertions for arbitrary identities and gain access to resources linked to this identity. Hence, it violates the security objective of access control.
[[Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control]]
[[Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control]]
[[Category:Attack_Categorisation_By_Violated_Security_Objective]]
[[Category:Attack_Categorisation_By_Attack_on_IdP/_SP:_Attack_on_SP]]
*[[:Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control]]
[[Category:Attack_Categorisation_By_Attacked_Single_Sign-On_Component:_Verificator]]
*[[:Category:Attack_Categorisation_By_Violated_Security_Objective]]
 
==Categorisation by number of involved parties==
[[Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1]]
[[Category:Attack_Categorisation_By_Number_Of_Involved_Parties]]
 
*[[:Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1]]
*[[:Category:Attack_Categorisation_By_Number_Of_Involved_Parties]]
 
==Categorisation by attacked component in web service architecture==
[[Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification]]
[[Category:Attack_Categorisation_By_Attacked_Web_Service_Component]]
 
*[[:Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification]]
*[[:Category:Attack_Categorisation_By_Attacked_Web_Service_Component]]
 
==Categorisation by attack spreading==
[[Category:Attack_Categorisation_By_Attack_Spreading]]
[[Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws]]
[[Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws]]
 
[[Category:Attack_Categorisation_By_Attack_on_SAML]]
*[[:Category:Attack_Categorisation_By_Attack_Spreading]]
*[[:Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws]]
 
 


=References=
=References=
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
[https://www.nds.rub.de/research/publications/BreakingSAML/ J. Somorovsky, A. Mayer, J. Schwenk, M. Kampmann, M. Jensen: On Breaking SAML: Be Whoever You Want to Be. In Pro­cee­dings of the 21st USE­NIX Se­cu­ri­ty Sym­po­si­um, 2012.]

Latest revision as of 19:06, 26 January 2016

Introduction

The integrity of all authentication tokens should be protected. In case of SAML, this is realized by a digital signature s = SIG_IdP(t). Signature Exclusion (0Sig) exploits a vulnerability in the verification logic allowing the usage of unsigned tokens. If SAML token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities (I) of other users.

Attack subtypes

There are no attack subtypes for this attack.

Prerequisites

In order for this attack to work the attacker has to have knowledge about the following things:

  1. Attacker knows endpoint of the web service. otherwise, he is not able to reach the web service.
  2. Attacker knows that the web service processes the security header and the "signature" element. If the web service does not "expect" an signed part, it just discards the signature and the attack does not work.

Target


The attacked Single Sign-On component is marked in red colour.

The attack is targeted at the Single Sign-On (SSO) Verificator, which should require that the authentication token is signed and verify the applied signature. By this means, the integrity of the authentication token is guaranteed.

Description

The attacker creates authentication tokens containing statements about other users t = (..., I_Alice/I_Bob/I_Admin,...). He then sends the token to an Software-as-a-Service Cloud Provider (SaaS-CP) (Starget) and is logged in with the corresponding identity. Finally, the attacker gains access to arbitrary accounts and their resources.

Mitigation / Countermeasures

SAML messages without signature must not be accepted.

Practical Examples

In 2012, Somorovsky et al. applied the Signature Exclusion attack on three SAML frameworks: Apache Axis2, JOSSO and OpenAthens.

In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out that one framework was vulnerable to this attack: Clarizen.

References

C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).

J. Somorovsky, A. Mayer, J. Schwenk, M. Kampmann, M. Jensen: On Breaking SAML: Be Whoever You Want to Be. In Pro­cee­dings of the 21st USE­NIX Se­cu­ri­ty Sym­po­si­um, 2012.