logo
allArticlesConferencesPresentations

Identity Theft: Attacks on SSO Systems

Conference:  BlackHat USA 2018

2018-08-09

Summary

The presentation discusses the exploitability of the common truncation vulnerability in SSO systems, with a focus on the identity provider (IDP) and its configurations.
  • GitLab's vulnerability to the common truncation vulnerability is used as a case study for exploitation
  • The IDP's features and configurations greatly influence exploitability
  • Two-factor authentication may not completely eliminate the vulnerability
  • Self-registration and mutable identities increase the impact of the vulnerability
The presentation explains how an attacker can exploit GitLab's vulnerability by truncating their name ID to match an external identifier that maps to the target user. The attacker can then access the victim's profile information and even update it with their own information. The presentation also highlights the impact of mutable identities, where users can influence their SSO identity and greatly affect the vulnerability's impact.

Abstract

SAML is often the trust anchor for Single Sign-On (SSO) in most modern day organizations. This presentation will discuss a new vulnerability discovered which has affected multiple independent SAML implementations, and more generally, can affect any systems reliant on the security of XML signatures. The issues found through this research affected multiple libraries, which in turn may underpin many SSO systems. The root cause of this issue is due to the way various SAML implementations traverse the XML DOM after validating signatures. These vulnerabilities allow an attacker to tamper with signed XML documents, modifying attributes such as an authenticating user, without invalidating the signatures over these attributes. In many cases, this allows an attacker with authenticated access to a SAML Identity Provider to access services as an entirely different user - and more easily than you'd expect. This talk will also discuss another demonstrated class of vulnerabilities in user directories that amplify the impact of the previously mentioned vulnerability, and in some cases, can enable authentication bypasses on their own.
Materials:
Slides
Tags:

Post a comment

Related work

SSO Wars: The Token Menace

Conference:  BlackHat USA 2019
Authors:
2019-08-07

I Am Whoever I Say I Am: Infiltrating Identity Providers Using a 0Click Exploit

Conference:  Black Hat USA 2022
Authors:
2022-08-10

The Data Distribution Service (DDS) Protocol is Critical: Let's Use it Securely!

Conference:  BlackHat USA 2021
Authors:
2021-11-11

MFA-ing the Un-MFA-ble: Protecting Auth Systems' Core Secrets

Conference:  BlackHat USA 2021
Authors:
2021-08-04

Is This My Domain Controller? A New Class of Active Directory Protocol Injection Attacks

Conference:  BlackHat USA 2021
Authors:
2021-11-10

Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics

Conference:  BlackHat USA 2021
Authors:
2021-08-05