Extensible Stylesheet Language Transformation (XSLT) is a language for transforming XML documents into other documents, for example, XML, HTML, JSON or even PDF. The XML Signature standard allows the usage of XSLT by definition, and thus, XSLT can be used in SAML. XSLT is a Turing complete language. By this means, it is possible to use XSLT, for example, to read/write files on the local filesystem and send them over the Internet. Furthermore, the XSLT transformation will be executed before the digital signature is verified. Thus, an attacker can send a SAML token including a digital signature containing the XSLT Attack (XSLTA) vector, but it is not required that the signature is valid.
XSLTA allows accessing files within the context of the used web server.
There are no attack subtypes for this attack.
Prerequisites for attack
In order to start XSLT, the attacker has to create a valid XML message containing a DTD. Note, that the message has to be a SAML token. However, this token does not have to be signed with a valid key nor the signature needs to be valid.
Graphical representation of attack
The attacker prepares a SAML token t and creates an XML Signature for it. Note, that it is not important to have a correctly computed signature value – the XSLTA only requires a well-formed XML document. The attacker adds a Transform element to the XML Signature and places the XSLT Payload in it as shown in Figure.
The attacker reads an arbitrary file using XSLT (in this example by using the unparsed-text() function). Afterwards, he forwards the contents of the file to his own server via a GET parameter.
Attack mitigation / countermeasures
The attack targets the SSO Verificator. The SSO Verificator should mitigate the usage of XSLT within the token.
Practical Attack Examples
In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out that one framework was vulnerable to this attack: Instructure
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
- Pages with broken file links
- Attack Categorisation By Attacker Model: Message generation attacks
- Attack Categorisation By Violated Security Objective Confidentiality
- Attack Categorisation By Attack on IdP/ SP: Attack on SP
- Attack Categorisation By Attacked Web Service Component: XML Parser
- Attack Categorisation By Attack Spreading: Application Specific Flaws
- Attack Categorisation By Attack on SAML