SSO Wars: The Token Menace

Conference: BlackHat USA 2019



The presentation discusses two vulnerabilities found in the .NET framework related to authentication tokens and XML signature validation.
  • Authentication tokens are used for delegating authentication to an identity provider and require a signature to prevent tampering.
  • The first vulnerability is an injection vulnerability leading to arbitrary constructor invocation, which can have a significant impact on the target system depending on the code gadgets available there.
  • The second vulnerability is related to XML signature validation and allows for bypassing the signature, which can enable attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims.
  • Microsoft frameworks and products such as Windows Identity Framework (WIF), Windows Communication Foundation (WCF), SharePoint, and Exchange Servers are affected by these vulnerabilities.
  • A new tool to detect these vulnerabilities will also be discussed and released.
The presentation was originally submitted as a 15-minute talk but was accepted as a 25-minute talk, so the researchers had to discard some material. The discarded material went into a white paper that will be published and hosted by Black Hat.


It is the year 2019. Humanity has almost won its long-standing war against Single Sign-On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world-scale attack against the Auth Federation.

In this talk, we will present two new techniques:
  • A new breed of SAML implementation flaws that break XML signature validation and enable arbitrary modification of the SAML assertion, which allows attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims. Although any implementation may be affected by this flaw, we will show how it affects Microsoft Windows Identity Framework (WIF) applications, Windows Communication Foundation (WCF) web services, and flagship products such as SharePoint and Exchange Servers.
  • A bug in the .NET crypto library, which may allow attackers to gain Remote Code Execution (RCE) or Denial of Service (DoS) depending on the availability of code gadgets in the target server.

A new tool to detect this type of vulnerability will also be discussed and released.