SSO Wars: The Token Menace

Conference: DEF CON 27



The presentation discusses two new techniques for finding and exploiting Single Sign-On (SSO) bugs in authentication token handling, focusing on vulnerabilities found in the .NET Framework.
  • Authentication tokens are used in SSO to delegate authentication to an identity provider
  • The presentation focuses on step six of the authentication flow, where the service provider receives and validates the authentication token
  • Two attack vectors are presented: injection during token parsing, and bypass of signature verification
  • Two vulnerabilities in the .NET Framework are discussed: an injection vulnerability leading to arbitrary constructor invocation, and an XML signature bypass using a technique the speakers call Dupe Key Confusion
  • The presentation recommends patching and following Microsoft's recommendations for the CVE
The speakers note that the XML signature bypass they found in the .NET Framework affected many Microsoft products. They reported it to Microsoft and it was patched, but similar vulnerabilities may still exist undiscovered in other implementations.
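As an added illustration (not code from the talk, from the .NET Framework, or from Microsoft), the script below shows the general failure mode behind the signature-verification-bypass vector: a service provider that resolves the key used to check a token's signature from material inside the token itself, instead of from its own trust store. It generalises the point rather than reproducing the specific .NET bug. Textbook RSA over SHA-256 with small fixed primes stands in for XML-DSig so that it runs on the Python standard library alone; the SAML-like element names, the issuer `https://idp.example`, the trust-store layout and both key pairs are assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Hypothetical issuer name (assumption for this example).
IDP_ISSUER = "https://idp.example"


def rsa_keypair(p, q, e=17):
    """Textbook RSA from two fixed primes (illustration only: no padding, tiny modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


IDP_KEY = rsa_keypair(10007, 10009)       # key the SP has pinned for IDP_ISSUER
ATTACKER_KEY = rsa_keypair(65537, 10037)  # key pair the attacker controls
TRUSTED_KEYS = {IDP_ISSUER: IDP_KEY}      # the SP's trust store, keyed by issuer


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(message, key):
    return pow(digest(message, key["n"]), key["d"], key["n"])


def rsa_verify(message, sig, n, e):
    return pow(sig, e, n) == digest(message, n)


def build_token(issuer, subject, key, embed_key):
    """Simplified SAML-like token: a signed <Assertion> plus a <Signature> whose
    <KeyInfo> either names the key or carries the public key inline."""
    assertion = f'<Assertion Issuer="{issuer}"><Subject>{subject}</Subject></Assertion>'
    sig = rsa_sign(assertion.encode(), key)
    key_info = (f'<KeyValue n="{key["n"]}" e="{key["e"]}"/>' if embed_key
                else f"<KeyName>{issuer}</KeyName>")
    return (f"<Token>{assertion}<Signature><SignatureValue>{sig}</SignatureValue>"
            f"<KeyInfo>{key_info}</KeyInfo></Signature></Token>")


def parse_token(token):
    root = ET.fromstring(token)
    assertion = root.find("Assertion")
    sig_text = root.findtext("Signature/SignatureValue")
    key_info = root.find("Signature/KeyInfo")
    if assertion is None or sig_text is None or key_info is None:
        return None
    assertion.tail = None  # serialise exactly the signed element and nothing after it
    signed_bytes = ET.tostring(assertion, encoding="unicode").encode()
    return (assertion.get("Issuer"), assertion.findtext("Subject"),
            signed_bytes, int(sig_text), key_info)


def verify_vulnerable(token):
    """Resolves the verification key from the token's own <KeyInfo>. Inline key
    material wins, so whoever wrote the token chooses the key its signature is
    checked against: a valid signature then proves nothing about the issuer."""
    parsed = parse_token(token)
    if parsed is None:
        return None
    _issuer, subject, signed, sig, key_info = parsed
    key_value = key_info.find("KeyValue")
    if key_value is not None:                     # the flaw: trusting embedded keys
        n, e = int(key_value.get("n")), int(key_value.get("e"))
    else:
        key = TRUSTED_KEYS.get(key_info.findtext("KeyName"))
        if key is None:
            return None
        n, e = key["n"], key["e"]
    return subject if rsa_verify(signed, sig, n, e) else None


def verify_hardened(token):
    """Ignores any key material carried in the token. The key comes only from
    the SP's trust store, selected by the issuer the assertion claims, so a
    valid signature binds the assertion to that issuer."""
    parsed = parse_token(token)
    if parsed is None:
        return None
    issuer, subject, signed, sig, _ = parsed
    key = TRUSTED_KEYS.get(issuer)
    if key is None:
        return None
    return subject if rsa_verify(signed, sig, key["n"], key["e"]) else None


# Constructed sample tokens: one genuine, one forged with the attacker's own key
# and that key embedded in <KeyInfo>.
LEGIT_TOKEN = build_token(IDP_ISSUER, "alice", IDP_KEY, embed_key=False)
FORGED_TOKEN = build_token(IDP_ISSUER, "admin", ATTACKER_KEY, embed_key=True)

if __name__ == "__main__":
    for name, token in (("legit", LEGIT_TOKEN), ("forged", FORGED_TOKEN)):
        print(f"{name:6} vulnerable={verify_vulnerable(token)!r} "
              f"hardened={verify_hardened(token)!r}")
```

The forged token is cryptographically valid under the key it carries, which is exactly why `verify_vulnerable` admits it as `admin`; `verify_hardened` rejects it because the attacker's key is not the one pinned for the claimed issuer. The practitioner's check is the same for any SSO library: confirm that the key used for signature validation is selected from configuration by issuer, and that `KeyInfo` contents from the token can at most select among trusted keys, never supply one.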


It is the year 2019. Humanity has almost won its long-standing war against Single-Sign On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world scale attack against the Auth Federation. In this talk, we will present two new techniques: