SSO Wars: The Token Menace

Conference: Defcon 27

2019-08-01

Summary

The presentation discusses two new techniques for attacking Single-Sign On (SSO) bugs in authentication tokens, focusing on vulnerabilities found in the .NET framework.

Authentication tokens are used in SSO to delegate authentication to an identity provider
The presentation focuses on step six of the authentication process, where the service provider receives the authentication token
Two attack vectors are presented: injection vulnerabilities in token parsing and bypassing signature verification
Two vulnerabilities in the .NET framework are discussed: an injection vulnerability leading to a betrayal constructor invocation and an XML signature bypass using duty confusion
The presentation recommends patching and following Microsoft recommendations for the CVE

The presentation mentions that the team found an XML signature bypass vulnerability in the .NET framework that affected many Microsoft products. They reported it to Microsoft and it was patched, but there may be other vulnerabilities that have not been discovered yet.

Abstract

It is the year 2019. Humanity has almost won its long-standing war against Single-Sign On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world scale attack against the Auth Federation. In this talk, we will present two new techniques:

Materials:

Tags: