Wednesday, 8 April 2015

On the Security of SAML-based Identity Providers

In previous posts we described Single Sign-On (SSO) and the messages within the authentication flow in detail. Additionally, we showed implementation pitfalls on the Service Provider (SP) side that result in critical vulnerabilities.
In 2012 we started a study on the security of SAML-based Identity Providers (IdPs). The motivation for this study was very simple: if the Identity Provider is vulnerable, all Service Providers are affected. In other words, even if the Service Provider is implemented correctly, an attacker can successfully gain illegitimate access to restricted resources, e.g. a victim's account.

Thursday, 2 April 2015

Introduction to WS-Attacker: XML Signature Wrapping (XSW) on Web services

This post introduces WS-Attacker. We start with how to build it from source. After that we set up an example Axis2 Web service, and finally we perform an XSW attack on it.