File:Signature Exclusion Attack.jpg and Signature Exclusion Attack: Difference between pages
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
=Attack description= | |||
The integrity of all authentication tokens should be protected. In case of ''Security Assertion Markup Language (SAML)'', this is realized by a digital signature ''s = SIGIdP(t)''. ''Signature Exclusion'' (0Sig) exploits a vulnerability in the verification logic allowing the usage of unsigned tokens. If ''SAML'' token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities ''(I)'' of other users. | |||
=Attack subtypes= | |||
There are no attack subtypes for this attack. | |||
=Prerequisites for attack= | |||
In order for this attack to work the attacker has to have knowledge about the following things: | |||
#'''Attacker knows endpoint of web service.''' otherwise, he is not able to reach the web service. | |||
#'''Attacker knows that the web service processes the security header and the ''"signature"'' element.''' If the web service does not '''"expect"''' an signed part, it just discards the signature and the attack does not work. | |||
=Graphical representation of attack= | |||
[[File:Signature_Exclusion_Attack.jpg]] | |||
=Attack example= | |||
The attacker creates authentication tokens containing statements about other users ''t = (..., IAlice/IBob/IAdmin,...)''. He then sends the token to an ''Software-as-a-Service Cloud Provider (SaaS-CP)'' (Starget) and is logged in with the corresponding identity. Finally, the attacker gains access to arbitrary accounts and their resources. The attack is targeted at the ''Single Sign-On (SSO)'' Verificator, which should require that the authentication token is signed and verify the applied signature. By this means, the integrity of the authentication token is guaranteed. | |||
=Attack mitigation / countermeasures= | |||
SAML messages without signature must not be accepted. | |||
=Attack categorisation= | |||
==Categorisation by violated security objective== | |||
The attack allows an attacker to generate assertions for arbitrary identities and gain access to resources linked to this identity. Hence, it violates the security objective of access control. | |||
[[Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control]] | |||
[[Category:Attack_Categorisation_By_Violated_Security_Objective]] | |||
*[[:Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control]] | |||
*[[:Category:Attack_Categorisation_By_Violated_Security_Objective]] | |||
==Categorisation by number of involved parties== | |||
[[Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1]] | |||
[[Category:Attack_Categorisation_By_Number_Of_Involved_Parties]] | |||
*[[:Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1]] | |||
*[[:Category:Attack_Categorisation_By_Number_Of_Involved_Parties]] | |||
==Categorisation by attacked component in web service architecture== | |||
[[Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification]] | |||
[[Category:Attack_Categorisation_By_Attacked_Web_Service_Component]] | |||
*[[:Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification]] | |||
*[[:Category:Attack_Categorisation_By_Attacked_Web_Service_Component]] | |||
==Categorisation by attack spreading== | |||
[[Category:Attack_Categorisation_By_Attack_Spreading]] | |||
[[Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws]] | |||
*[[:Category:Attack_Categorisation_By_Attack_Spreading]] | |||
*[[:Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws]] | |||
=References= | |||
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW). |
Revision as of 18:12, 23 November 2015
Attack description
The integrity of all authentication tokens should be protected. In case of Security Assertion Markup Language (SAML), this is realized by a digital signature s = SIGIdP(t). Signature Exclusion (0Sig) exploits a vulnerability in the verification logic allowing the usage of unsigned tokens. If SAML token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities (I) of other users.
Attack subtypes
There are no attack subtypes for this attack.
Prerequisites for attack
In order for this attack to work the attacker has to have knowledge about the following things:
- Attacker knows endpoint of web service. otherwise, he is not able to reach the web service.
- Attacker knows that the web service processes the security header and the "signature" element. If the web service does not "expect" an signed part, it just discards the signature and the attack does not work.
Graphical representation of attack
Attack example
The attacker creates authentication tokens containing statements about other users t = (..., IAlice/IBob/IAdmin,...). He then sends the token to an Software-as-a-Service Cloud Provider (SaaS-CP) (Starget) and is logged in with the corresponding identity. Finally, the attacker gains access to arbitrary accounts and their resources. The attack is targeted at the Single Sign-On (SSO) Verificator, which should require that the authentication token is signed and verify the applied signature. By this means, the integrity of the authentication token is guaranteed.
Attack mitigation / countermeasures
SAML messages without signature must not be accepted.
Attack categorisation
Categorisation by violated security objective
The attack allows an attacker to generate assertions for arbitrary identities and gain access to resources linked to this identity. Hence, it violates the security objective of access control.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
File history
Click on a date/time to view the file as it appeared at that time.
Date/Time | Thumbnail | Dimensions | User | Comment | |
---|---|---|---|---|---|
current | 18:11, 23 November 2015 | 572 × 321 (31 KB) | Anna (talk | contribs) |
You cannot overwrite this file.
File usage
The following page uses this file:
- Attack Categorisation By Violated Security Objective Access Control
- Attack Categorisation By Violated Security Objective
- Attack Categorisation By Number Of Involved Parties:1 - 0 - 1
- Attack Categorisation By Number Of Involved Parties
- Attack Categorisation By Attacked Web Service Component: Signature Verification
- Attack Categorisation By Attacked Web Service Component
- Attack Categorisation By Attack Spreading
- Attack Categorisation By Attack Spreading:Conceptual Flaws