[Owasp-leaders] Secure SAML validation to prevent XML signature wrapping attacks

Pawel Krawczyk pawel.krawczyk at hush.com
Tue Oct 8 07:49:20 UTC 2013

Hi all, I have just written an article and reference code for digital signature validation in SAML assertions. It started as an exercise for a local project, but has grown as I talked to the authors of papers on XML signature wrapping attacks. I've been thinking that this might be of interest to more people at OWASP, since the Web-SSO topic is pretty popular now. So if you have any comments or ideas, give me a shout.

The article: http://ipsec.pl/node/1119
The code: https://github.com/kravietz/java-saml-validator

Pawel Krawczyk
pawel.krawczyk at hush.com +44 7462 166716

