
SAML Attacks

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

SAML attacks target implementations of the Security Assertion Markup Language (SAML), the XML-based standard used for single sign-on (SSO). Common vulnerabilities include XML signature wrapping, assertion manipulation, and replay attacks.

An improperly implemented SAML service provider can allow an attacker to forge authentication assertions and impersonate any user.


Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting SAML attacks:

  • Modify NameID or AttributeStatement in SAML response
  • XML Signature Wrapping: move SignedInfo outside the original element
  • SAML Replay: reuse captured SAML responses
  • Remove signature or change to weak signing algorithm

Tools & Techniques

Recommended tools for SAML attacks:

  • SAML Raider: Burp Suite extension for SAML testing
  • XML Signature Wrapping attacks on SAML responses
  • Test for signature exclusion and algorithm confusion
  • Check audience restrictions and assertion expiration

Prevention & Mitigation

Security recommendations to prevent SAML attacks:

  • Always validate XML digital signatures properly
  • Use strong signing algorithms (SHA-256 minimum)
  • Validate Audience, Issuer, and Conditions elements
  • Implement proper replay attack protection (OneTimeUse, NotOnOrAfter)
  • Use short assertion validity periods (5 minutes max)
  • Ensure AssertionConsumerServiceURL validation is strict
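Added example, not part of the original cheatsheet: the service-provider-side checks behind the mitigation bullets above (and the signature exclusion, algorithm, audience and expiry tests in the Tools & Techniques list), written in Python with the standard library. It assumes a vetted XML-DSig library has already verified the digest and SignatureValue; the function names, the issuer/audience/ACS URLs and the sample response are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",      # SAML 2.0 + XML-DSig namespaces
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STRONG_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}  # allowlist: no sha1, no "none"
SEEN_IDS = set()  # replay cache of consumed assertion IDs; use a shared store with a TTL in production

def iso(ts):  # SAML timestamps are UTC, e.g. 2024-01-01T00:05:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def validate_response(xml_text, issuer, audience, acs_url, now, max_life=timedelta(minutes=5)):
    # Returns "ok:<NameID>" or "reject:<reason>". Assumes a vetted XML-DSig library has
    # already verified the digest and SignatureValue; these are the checks that come after.
    root = ET.fromstring(xml_text)  # use defusedxml.ElementTree in production
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second Assertion is the classic wrapping tell
        return "reject:expected exactly one Assertion"
    a = assertions[0]
    sig = a.find("ds:Signature", NS)  # the signature must be enveloped in the assertion itself
    if sig is None:
        return "reject:unsigned assertion"
    sm, ref = sig.find(".//ds:SignatureMethod", NS), sig.find(".//ds:Reference", NS)
    if sm is None or sm.get("Algorithm") not in STRONG_SIG:
        return "reject:weak or missing signature algorithm"
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):  # signed element == consumed element
        return "reject:signature does not cover this assertion"
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        return "reject:unexpected issuer"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return "reject:missing Conditions"
    nb, na = iso(cond.get("NotBefore")), iso(cond.get("NotOnOrAfter"))
    if not (nb <= now < na) or na - nb > max_life:
        return "reject:outside validity window"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != audience:
        return "reject:audience mismatch"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return "reject:Recipient is not our ACS URL"
    if a.get("ID") in SEEN_IDS:
        return "reject:replayed assertion"
    SEEN_IDS.add(a.get("ID"))
    return "ok:" + (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "")

def sample_response(aid="_a1", audience="https://sp.example/metadata", ref=None,
                    alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):  # constructed sample, SignatureValue omitted
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">
<saml:Assertion ID="{aid}"><saml:Issuer>https://idp.example/</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/><ds:Reference URI="#{ref or aid}"/></ds:SignedInfo></ds:Signature>
<saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://sp.example/acs"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'''
```

Each rejection reason maps to one bullet above, so a failing check tells you which control the service provider is missing.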
