
» Fuzzing XML Based Protocols (SAML)

Hacks-In-Taiwan 2006 Yen-Ming Chen Senior Principal Consultant Foundstone, A Division of McAfee

COPYRIGHT ©2006 McAfee Inc.

Agenda
» Introduction
  – SAML
  – OpenSAML
» Scenarios
» Implementation
» Conclusion


SAML
» Security Assertion Markup Language (SAML)
» Codified by OASIS with participation from MACE and others
» Defines XML Schema for AuthN and attribute assertions, queries, responses, and use profiles such as Web SSO
» Defines bindings to protocols for transport
» V2.0 expands SAML and includes definitions from Shibboleth and the Liberty Alliance


SAML in a Nutshell
» An XML-based framework for exchanging security information
  – XML-encoded security assertions
  – XML-encoded request/response protocol
  – Rules on using assertions with standard transport and messaging frameworks
» An OASIS standard (1.0, 1.1, and 2.0)
  – Vendors and users involved
  – OpenSAML implementation available
  – Codifies current system outputs vs. creating new technology


OpenSAML
» OpenSAML implements the message and assertion formats and the protocol bindings defined by the Security Assertion Markup Language (SAML)
» SAML (Security Assertion Markup Language) is a standard for the formation and exchange of authentication, attribute, and authorization data as XML. It describes various kinds of messages and standard ways of transporting them.
» OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages.


Technology
» Basic concepts
  – Subject/principal
    • User or application requesting access to a resource
  – Assertion
    • Set of statements about a subject
  – Authority
    • Entity that produces and/or consumes assertions
  – Binding
    • Specification for transporting assertions as protocol payloads
  – Profile
    • Specification describing rules for embedding, transferring, extracting, and processing assertions


Technology
» Use cases
  – Web single sign-on (SSO)
    • User logs onto source site and implicitly requests brokered logon to one or more destination sites with pre-existing trust relationships to the source site
  – Authorization
    • Once having logged onto trusted destinations via SSO, user requests authorized access to various resources controlled by destinations
  – Back-office transactions
    • User attaches assertions to an electronic business document and transmits it to the relying party


SSO use case (figure)
» Web User authenticates to the Source Web Site
» Web User uses a secured resource on the Destination Web Site


Assertion Syntax (figure)
» Assertion
  – Identifier
  – Issuer
  – Issuance timestamp
  – Conditions
  – Advice
  – Statement: Authentication Statement, Attribute Statement, Authorization Decision Statement

Message Exchange Protocol (figure)
» SAML requester (within a SAML-enabled authentication authority, attribute authority, PDP, or PEP) sends a SAML request message specifying the assertion type to be returned*
» SAML responder (within a SAML-enabled authentication authority, attribute authority, PDP, or PEP) returns a SAML response message containing a SAML assertion of the type specified*

*optionally, SAML messages may be digitally signed via XML Signatures, or sent over secure Transport Layer Security (TLS) channels

Binding with SOAP (figure)
» A SOAP message consists of a SOAP header and a SOAP body
» The SAML message, carrying the SAML assertion, is placed in the SOAP body


SAML assertions
» An assertion is a declaration of fact about a subject, e.g. a user
  – (according to some assertion issuer)
» SAML has three kinds, all related to security:
  – Authentication
  – Attribute
  – Authorization decision
» You can extend SAML to make your own kinds of assertions
» Assertions can be digitally signed


All assertions have some common information
» Issuer and issuance timestamp
» Assertion ID
» Subject
  – Name plus the security domain
  – Optional subject confirmation, e.g. public key
» “Conditions” under which the assertion is valid
  – SAML clients must reject assertions containing unsupported conditions
  – Special kind of condition: assertion validity period
» Additional “advice”
  – E.g., to explain how the assertion was made
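A relying-party check of the “Conditions” rules just listed (enforce the validity period, reject any condition type the consumer does not support, and honour an audience restriction of the kind the later slide shows limiting the assertion to http://www.siteb.com for five minutes), as an added Python example that is not part of the talk or of OpenSAML. The assertion it parses is constructed to mirror the talk's values; the function names are this example's own.

```python
"""Validate the <Conditions> of a SAML 1.x assertion as a relying party must.

Added example, not the talk's code and not OpenSAML. Standard library only;
the assertion built by make_assertion() is constructed for illustration.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Condition types this relying party implements. SAML requires a consumer to
# reject an assertion carrying a condition it does not understand, so anything
# outside this set is fatal rather than silently ignored.
SUPPORTED_CONDITIONS = {f"{{{SAML1}}}AudienceRestrictionCondition"}


def parse_saml_time(value):
    """Parse a SAML xs:dateTime; UTC ('Z') is required, fractional seconds are dropped."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with trailing Z: {value}")
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, my_audience):
    """Evaluate <saml:Conditions> against the current time and this site's
    audience URI. Returns (accepted, reason)."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return True, "no conditions present"
    # Validity period: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and now < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"
    for cond in conditions:
        if cond.tag not in SUPPORTED_CONDITIONS:
            return False, f"unsupported condition {cond.tag}"
        audiences = [(a.text or "").strip() for a in cond.findall("saml:Audience", NS)]
        if my_audience not in audiences:
            return False, f"audience mismatch: {audiences}"
    return True, "ok"


def make_assertion(extra_condition=""):
    """Constructed SAML 1.1 assertion modelled on the talk's: audience
    http://www.siteb.com and a five-minute validity window. extra_condition
    lets a caller inject an additional condition element for testing."""
    return f"""<saml:Assertion xmlns:saml="{SAML1}" AssertionID="_a1"
    Issuer="www.acme.com" IssueInstant="2006-07-15T23:17:15Z" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2006-07-15T23:17:15Z" NotOnOrAfter="2006-07-15T23:22:15Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://www.siteb.com</saml:Audience>
    </saml:AudienceRestrictionCondition>{extra_condition}
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-07-15T23:17:15Z">
    <saml:Subject><saml:NameIdentifier>123456789054321</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def at_time(hour, minute, second=0):
    """Clock value on the talk's date (2006-07-15) in UTC, for the demo below."""
    return datetime(2006, 7, 15, hour, minute, second, tzinfo=timezone.utc)


if __name__ == "__main__":
    site_b = "http://www.siteb.com"
    print(check_conditions(make_assertion(), at_time(23, 18), site_b))
    print(check_conditions(make_assertion(), at_time(23, 23), site_b))
    print(check_conditions(make_assertion(), at_time(23, 18), "http://www.acme.com"))
    print(check_conditions(make_assertion("<saml:DoNotCacheCondition/>"), at_time(23, 18), site_b))
```

DoNotCacheCondition is a real SAML 1.1 condition; the point of the last call is that a consumer which has not implemented it must refuse the assertion rather than skip the element. Signature verification is a separate, earlier step and is deliberately outside this function.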


Authentication assertion
» An issuing authority asserts that:
  – subject S
  – was authenticated by means M
  – at time T
» Caution: actually checking or revoking credentials is not in scope for SAML!
  – Password exchange
  – Challenge-response
  – Etc.
» It merely lets you link back to acts of authentication that took place previously


SSO pull scenario (figure)
» Roles
  – Source Web Site: Authentication Authority + Attribute Authority
  – Destination Web Site: Policy Decision Point + Policy Enforcement Point
  – Web User
» Message flow, in order
  – Authenticate (out of band)
  – Access inter-site transfer URL
  – Redirect with artifact
  – Get assertion consumer URL
  – Request referenced assertion
  – Supply referenced assertion
  – Provide or refuse destination resource (out of band)


Our Scenario (figure)
» ACME.com (the source site that issues the SAML assertion)
» SiteB.com (the destination site that consumes it)


Login
POST https://www.acme.com/app/loginSubmit.jspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: https://www.acme.com/app/login.jspx
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Paros/3.2.10
Host: www.acme.com
Content-Length: 118
Connection: Keep-Alive
Cache-Control: no-cache

referer=&userName=ymchen&password=ymchen&x=16&y=9

Login Response (Set-Cookie)
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache,no-store,max-age=0
Pragma: No-cache
Content-Type: text/html
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://www.acme.com/app/welcome.jspx
Set-Cookie: JSESSIONID=Gkfbl3YJ9MBdxzVLkRtPpXkYD6gMQkCQMCJVz3dYld7kPcdJG1LJ!239153226; path=/
Date: Sat, 15 Jul 2006 23:17:15 GMT
Connection: close


Get SAML Assertion from ACME.com for SiteB
GET https://www.acme.com/app/loginToSiteB.jspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Cookie: CP=null*; JSESSIONID=Gkfbl3YJ9MBdxzVLkRtPpXkYD6gMQkCQMCJVz3dYld7kPcdJG1LJ!239153226
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Paros/3.2.10
Host: www.acme.com
Connection: Keep-Alive
Accept-Language: en-us
Content-length: 0

» Using ONLY the JSESSIONID cookie to get the SAML Assertion


Response from ACME.com (figure: the HTTP response carrying the SAML Response)

SAML Response -- Header (figure)

SAML Response -- Digital Signature (figure; the Base64 digest and signature values shown on the slide)
QNVCOOOsXzCDyl2mp6wZGhUBUCI=
SgT0UDeIhUk2KYPk/N6TA2STerwDOTL/4paQ39odRhbngUwzfCizJwLCvZKHCqCwSY3btv9aj/kz1i0180VCnpMtytVR0UWWM8kzRf1AuPEB3gm5gCZkX1zp/UOnWyEkpdSRNGSquFilrMt9q7JoE7CqQjR1uDqdBwPsOGlmkcw=

SAML Response -- Status (figure)

SAML Response -- Condition (figure)
» Audience: http://www.siteb.com
» Assertion is only valid for 5 minutes!!!

SAML Response -- Subject (figure)
» NameIdentifier: 123456789054321
» Confirmation method: urn:oasis:names:tc:SAML:1.0:cm:bearer

SAML Response -- Attributes (figure)
» Subject NameIdentifier 123456789054321 with confirmation method urn:oasis:names:tc:SAML:1.0:cm:bearer
» Attribute value: 123456789054321

Posting SAML Response
POST https://www.siteb.com/actionb.dll?cmd=sson&pid=12345 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: https://www.acme.com/app/loginToSiteB.jspx
Content-Type: application/x-www-form-urlencoded
Host: www.siteb.com
Connection: Keep-Alive
Cache-Control: no-cache

SAMLResponse=


Response from SiteB
HTTP/1.1 200 Ok
Server: Microsoft-IIS/5.0
Date: Thu, 29 Jun 2006 23:23:58 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP IND COR ADM CONo CUR CUSi DEV PSA PSD DELi OUR COM NAV PHY ONL PUR UNI"
Connection: close
Set-Cookie: RID=BLAHBLAH; path=/
Content-Type: text/html
Content-length: 12345


Implementation
» Read the XML file
» Parse all elements and attributes
» Put in attack patterns
» Results and problems


Read XML File
» Save the Base64-decoded file as an XML file
» Use System.XML to read the XML file like this:
  – XmlReader reader = XmlReader.Create(filename, settings);
  – Other ways like DOM or DataSet can be used too
» Determine NodeType (Element or Attribute)


Attack Patterns
» Only buffer overflow was tested.
» Patterns like ‘Z’ x 1024, ‘Z’ x 4096 or a random data pattern
» After you generate the XML file,
  – Base64 encode
  – Generate HTTP POST request
» File name convention
  – --.xml
  – E.g.: ds:Signature-value-50k.xml
» Coverage
  – 15 elements and their attributes
  – Hundreds of test cases


Issues
» How do we determine results automatically?
» By three conditions:
  – Comparing the HTTP response code from the server
  – Comparing the HTTP response Content-Length header
  – Time out (in case the server died)
» Looking for anomalies (like an IDS)
  – Send the normal request first
  – Send the test case and compare results
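The implementation steps on the preceding slides (decode the captured POST into XML, walk every element and attribute, substitute the buffer-overflow patterns one target at a time, Base64-encode each case into a SAMLResponse form body, and judge each reply against a baseline by status code, Content-Length and timeout) as one added Python example. It is not the talk's C#/System.XML tool and not OpenSAML code. The sample response is constructed, the file-name convention element-attribute-size.xml is inferred from the single name the slide gives (ds:Signature-value-50k.xml), and the (status, Content-Length) pairs handed to classify() are made up.

```python
"""Generate single-mutation fuzz cases for a SAML 1.x response and classify
replies. Added example; not the talk's tool, not OpenSAML. Standard library only."""
import base64
import copy
import random
import urllib.parse
import xml.etree.ElementTree as ET

# Prefixes used in case file names; registering them keeps them on output.
PREFIXES = {
    "urn:oasis:names:tc:SAML:1.0:protocol": "samlp",
    "urn:oasis:names:tc:SAML:1.0:assertion": "saml",
    "http://www.w3.org/2000/09/xmldsig#": "ds",
}
for _uri, _prefix in PREFIXES.items():
    ET.register_namespace(_prefix, _uri)

# Constructed, trimmed SAML 1.1 response; the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ResponseID="_resp1" IssueInstant="2006-07-15T23:17:15Z"
    MajorVersion="1" MinorVersion="1">
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="www.acme.com">
    <saml:Conditions NotBefore="2006-07-15T23:17:15Z" NotOnOrAfter="2006-07-15T23:22:15Z">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>http://www.siteb.com</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement>
      <saml:Subject><saml:NameIdentifier>123456789054321</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def random_pattern(size, seed=2006):
    """Deterministic 'random data' limited to XML-safe characters, so the case
    stays well-formed and exercises the consumer rather than its XML parser."""
    rng = random.Random(seed)
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(rng.choice(alphabet) for _ in range(size))


PATTERNS = {"1k": "Z" * 1024, "4k": "Z" * 4096, "rnd4k": random_pattern(4096)}


def qualified_name(tag):
    """'{uri}local' -> 'prefix:local' for names such as ds:Signature-value-50k.xml."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return f"{PREFIXES.get(uri, 'ns')}:{local}"
    return tag


def generate_cases(xml_text, patterns=PATTERNS):
    """Walk every element and attribute and substitute each pattern into it.
    Returns [(file_name, mutated_xml)]; one mutation per case so a crash can
    be attributed to a single element or attribute. Repeated tags would
    need an index in the name; the sample has none."""
    root = ET.fromstring(xml_text)
    cases = []
    for idx, elem in enumerate(root.iter()):
        for attr in [None] + list(elem.attrib):   # None = element text ("value")
            for label, payload in patterns.items():
                tree = copy.deepcopy(root)
                target = list(tree.iter())[idx]     # same document order as root
                if attr is None:
                    target.text = payload
                else:
                    target.set(attr, payload)
                where = qualified_name(attr) if attr else "value"
                name = f"{qualified_name(elem.tag)}-{where}-{label}.xml"
                cases.append((name, ET.tostring(tree, encoding="unicode")))
    return cases


def to_post_body(xml_text):
    """Base64-encode the XML and build the SAMLResponse form body SiteB expects."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return "SAMLResponse=" + urllib.parse.quote(b64, safe="")


def decode_post_body(body):
    """Inverse of to_post_body: recover the XML from a captured POST (step 1 of the talk)."""
    value = urllib.parse.parse_qs(body)["SAMLResponse"][0]
    return base64.b64decode(value).decode("utf-8")


def well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def classify(baseline, observed, timed_out=False):
    """Judge a test reply against the baseline reply the way the talk does:
    (status_code, content_length) pairs plus a timeout flag."""
    if timed_out:
        return "timeout"      # server may have died
    if observed[0] != baseline[0]:
        return "status"
    if observed[1] != baseline[1]:
        return "length"
    return "normal"


if __name__ == "__main__":
    cases = generate_cases(SAMPLE_RESPONSE)
    print(len(cases), "cases; first:", cases[0][0])
    print(to_post_body(cases[0][1])[:60] + "...")
    print(classify((200, 12345), (500, 1024)))
```

Sending is left out on purpose: the harness's job is generation and classification, and each to_post_body() result is meant for a test instance you own. Exact Content-Length comparison flags any page with dynamic content, so send the baseline twice before fuzzing to learn whether the length is stable at all.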


Results
» We found one buffer overflow:
  – The program did not handle signature verification correctly; when fed a large amount of data, it crashed.
» Flawfinder found 29 potential problems in OpenSAML
  – Our test application was ‘based’ on the OpenSAML implementation
  – We can’t test what we don’t see!


Future Works
» Need to add more attack patterns
  – XPATH injection
  – XML memory corruption test
  – Authorization test
    • If you have another user’s account, can you become that user?
» Need to correlate with source code review results
  – Can you ‘prove’/‘disprove’ flawfinder’s results?
» Can similar tests be done in unit testing?
  – Even earlier, in TDD
» We have not touched the backend process part


Reference
» PROTOS -- http://www.ee.oulu.fi/research/ouspg/protos/
» SAML -- http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
» OpenSAML -- http://www.opensaml.org/


Question & Answer

Thank You!
Yen-Ming Chen
