|
|
| Line 1: |
Line 1: |
| =Attack description= | | ==Part of main category:== |
| Every [https://en.wikipedia.org/wiki/Single_sign-on SSO] protocol provides freshness parameters ''N'' to limit the reuse and lifetime of the authentication tokens. Taking into account that the reuse of tokens is optional, the validation of the attributes providing freshness is not considered as critical. On the other hand, the time restriction regarding the usage of authentication tokens is more critical and should be evaluated. Otherwise, tokens issued once might be valid for an extended time period or even an infinite amount of time.
| | *[[:Category:Attack_Categorisation_By_Attacked_Web_Service_Component]] |
| | | [[Category:Attack_Categorisation_By_Attacked_Web_Service_Component]] |
| The attack specifically targets the SSO Verificator. This component should validate attributes providing the corresponding restrictions, i.e., the freshness parameter ''N''. In the SAML context relevant to this study, this parameter is represented by ''NotOnOrAfter'' and ''NotBefore''. Failing to
| | <br> |
| properly verify these parameters will enable this attack type. Another possibility to enable this attack type would be via additional freshness attributes, which are not part of the digital signature ''s''.
| |
| | |
| =Attack subtypes=
| |
| There are no attack subtypes for this attack.
| |
| | |
| =Prerequisites for attack=
| |
| The attacker needs access to a valid token. More specifically, the token in question is required to be valid for the SaaS-CP at any time in the past. This can be achieved if the attacker had legitimate access (for a limited period of time) to the ''Software-as-a-Service Cloud Provider (SaaS-CP)'' via SSO and used this access to generate and store a token for himself. Alternatively, searching for published tokens in forums or in technical documentations could also provide valid, though most possibly outdated, tokens.
| |
| | |
| | |
| =Graphical representation of attack=
| |
| SAML token with expired timestamps is sent to the ''SaaS-CP''.
| |
| | |
| [[File:Replay_Attack.jpg]]
| |
| | |
| =Attack example=
| |
| The attacker sends an expired authentication token to the target ''SaaS-CP''. In case, that the unlimited reuse of authentication tokens is applicable and the token is successfully verified, the attack is classified as successful.
| |
| The attack’s impact is average since the attacker has limited attack surface – he can only spend authentication tokens he possesses. However, the potential impact drastically rises in case the attacker gains hold of an authentication token granting him extended access rights (e.g., as an administrator of the system).
| |
| | |
| =Attack mitigation / countermeasures=
| |
| | |
| | |
| =Practical Attack Examples= | |
| In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack: Clarizen, Instructure, AppDynamics, TimeOffManager, LiveHive and CA Service Management.
| |
| | |
| [[Category:Attack_Categorisation_By_Attacker_Model:_Access_to_Valid_Token]]
| |
| [[Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control]] | |
| [[Category:Attack_Categorisation_By_Attack_on_IdP/_SP:_Attack_on_SP]]
| |
| [[Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Web_Service_Client]] | |
| [[Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws]]
| |
| [[Category:Attack_Categorisation_By_Attack_on_SAML]]
| |
| | |
| =References=
| |
| C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
| |