XSLT Attack and Replay Attack: Difference between pages

From Single Sign-On Attacks
(Difference between pages)
Jump to navigation Jump to search
 
 
Line 1: Line 1:
=Attack description=
=Attack description=
[https://en.wikipedia.org/wiki/XSLT ''Extensible Stylesheet Language Transformation (XSLT)''] is a language for transforming XML documents into other documents, for example, XML, HTML, JSON or even PDF. The XML Signature standard allows the usage of ''XSLT'' by definition, and thus, ''XSLT'' can be used in [http://www.sso-attacks.org/index.php?title=SAML SAML]. ''XSLT'' is a Turing complete language. By this means, it is possible to use XSLT, for example, to read/write files on the local filesystem and send them over the Internet. Furthermore, the ''XSLT'' transformation will be executed before the digital signature is verified. Thus, an attacker can send a ''SAML'' token including a digital signature containing the ''XSLT Attack (XSLTA)'' vector, but it is not required that the signature is valid.  
Every [https://en.wikipedia.org/wiki/Single_sign-on SSO] protocol provides freshness parameters ''N'' to limit the reuse and lifetime of the authentication tokens. Taking into account that the reuse of tokens is optional, the validation of the attributes providing freshness is not considered as critical. On the other hand, the time restriction regarding the usage of authentication tokens is more critical and should be evaluated. Otherwise, tokens issued once might be valid for an extended time period or even an infinite amount of time.


XSLTA allows accessing files within the context of the used web server.
The attack specifically targets the SSO Verificator.


=Attack subtypes=
=Attack subtypes=
There are no attack subtypes for this attack.
There are no attack subtypes for this attack.


=Prerequisites for attack=
=Prerequisites for attack=
In order to start XSLT, the attacker has to create a valid XML message containing a [https://en.wikipedia.org/wiki/Document_type_definition DTD]. Note, that the message has to be a SAML token. However, this token does not have to be signed with a valid key nor does the signature needs to be valid.
The attacker needs access to a valid token. More specifically, the token in question is required to be valid for the ''Software-as-a-Service Cloud Provider (SaaS-CP)'' at any time in the past. This can be achieved if the attacker had legitimate access (for a limited period of time) to the ''SaaS-CP'' via ''SSO'' and used this access to generate and store a token for himself. Alternatively, searching for published tokens in forums or in technical documentations could also provide valid, though most possibly outdated, tokens.


=Graphical representation of attack=
=Graphical representation of attack=
[[File:XSLT.jpg|centre]]
SAML token with expired timestamps is sent to the ''SaaS-CP''.
 


[[File:Replay_Attack.jpg]]


=Attack example=
=Attack example=
The attacker prepares a SAML token ''t'' and creates an XML Signature for it. Note, that it is not important to have a correctly computed signature value – the ''XSLTA'' only requires a well-formed XML document. The attacker adds a '''Transform''' element to the XML Signature and places the '''XSLT Payload''' in it as shown in Figure.
The attacker sends an expired authentication token to the target ''SaaS-CP''. In case, that the unlimited reuse of authentication tokens is applicable and the token is successfully verified, the attack is classified as successful.
The attack’s impact is average since the attacker has limited attack surface – he can only spend authentication tokens he possesses. However, the potential impact drastically rises in case the attacker gains hold of an authentication token granting him extended access rights (e.g., as an administrator of the system).


[[File:XSLT1.jpg|centre]]
=Attack mitigation / countermeasures=


The attacker reads an arbitrary file using ''XSLT'' (in this example by using the ''unparsed-text()'' function). Afterwards, he forwards the contents of the file to his own server via a ''GET'' parameter.
=Attack mitigation / countermeasures=
The attack targets the [https://en.wikipedia.org/wiki/Single_sign-on SSO] Verificator. The SSO Verificator should mitigate the usage of ''XSLT'' within the token.


=Practical Attack Examples=
=Practical Attack Examples=
In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out that one framework was vulnerable to this attack: Instructure.
In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack: Clarizen, Instructure, AppDynamics, TimeOffManager, LiveHive and CA Service Management.


[[Category:Attack_Categorisation_By_Attacker_Model:_Message_generation_attacks]]
[[Category:Attack_Categorisation_By_Attacker_Model:_Access_to_Valid_Token]]
[[Category:Attack_Categorisation_By_Violated_Security_Objective_Confidentiality]]
[[Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control]]
[[Category:Attack_Categorisation_By_Attack_on_IdP/_SP:_Attack_on_SP]]
[[Category:Attack_Categorisation_By_Attack_on_IdP/_SP:_Attack_on_SP]]
[[Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification]]
[[Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Web_Service_Client]]
[[Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws]]
[[Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws]]
[[Category:Attack_Categorisation_By_Attack_on_SAML]]
[[Category:Attack_Categorisation_By_Attack_on_SAML]]

Revision as of 19:24, 9 December 2015

Attack description

Every SSO protocol provides freshness parameters N to limit the reuse and lifetime of the authentication tokens. Taking into account that the reuse of tokens is optional, the validation of the attributes providing freshness is not considered as critical. On the other hand, the time restriction regarding the usage of authentication tokens is more critical and should be evaluated. Otherwise, tokens issued once might be valid for an extended time period or even an infinite amount of time.

The attack specifically targets the SSO Verificator.

Attack subtypes

There are no attack subtypes for this attack.

Prerequisites for attack

The attacker needs access to a valid token. More specifically, the token in question is required to be valid for the Software-as-a-Service Cloud Provider (SaaS-CP) at any time in the past. This can be achieved if the attacker had legitimate access (for a limited period of time) to the SaaS-CP via SSO and used this access to generate and store a token for himself. Alternatively, searching for published tokens in forums or in technical documentations could also provide valid, though most possibly outdated, tokens.

Graphical representation of attack

SAML token with expired timestamps is sent to the SaaS-CP.

Attack example

The attacker sends an expired authentication token to the target SaaS-CP. In case, that the unlimited reuse of authentication tokens is applicable and the token is successfully verified, the attack is classified as successful. The attack’s impact is average since the attacker has limited attack surface – he can only spend authentication tokens he possesses. However, the potential impact drastically rises in case the attacker gains hold of an authentication token granting him extended access rights (e.g., as an administrator of the system).

Attack mitigation / countermeasures

Practical Attack Examples

In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack: Clarizen, Instructure, AppDynamics, TimeOffManager, LiveHive and CA Service Management.

References

C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).