[Owasp-leaders] Secure SAML validation to prevent XML signature wrapping attacks

Erlend Oftedal erlend.oftedal at owasp.org
Tue Oct 8 13:59:41 UTC 2013

Hi
Interesting idea!
From a code quality perspective I'd recommend you separate test code
from production code, and give the tests proper names. Tests are a very
important form of documentation, and no longer need to start
with "test" when the @Test-annotation is used.
If testValidateGG1 breaks, it doesn't tell me much. However if
should_reject_tokens_without_signatures() or
should_reject_wrapped_signature() break, that tells me something about
what's going on. Also from reading the test names I will now understand
which checks are in place.

Best regards
Erlend

Sent from my Windows Phone

From: Pawel Krawczyk
Sent: 08.10.2013 09:50
To: owasp-leaders
Subject: [Owasp-leaders] Secure SAML validation to prevent XML signature wrapping attacks

Hi all, I have just written an article and reference code for digital signature validation in SAML assertions. It started as an exercise for a local project, but has grown as I talked to authors of papers on XML signature wrapping attacks. I've been thinking that this might be of interest to more people at OWASP since the Web-SSO topic is pretty popular now. So if you have any comments or ideas give me a shout.

The article http://ipsec.pl/node/1119
The code https://github.com/kravietz/java-saml-validator

-- 
Pawel Krawczyk
pawel.krawczyk at hush.com +44 7462 166716
CISSP, OWASP
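The two test names suggested in the reply, worked into a runnable module. This is an added example and is not code from the thread, from the article, or from the java-saml-validator project; it is written in Python rather than the project's Java so it runs without dependencies. It performs the structural checks a SAML consumer needs before trusting an assertion (exactly one enveloped signature, a same-document Reference that resolves to exactly one element, and that element sitting where the application consumes it) and documents them through test names. Assumptions: cryptographic verification of ds:SignatureValue is done by a separate XML-DSig library on the element this code returns (it is not performed here), the sample Response documents are constructed and carry placeholder signature values, and every function and variable name is the example's own.

```python
"""Structural defences against XML Signature wrapping in a SAML 2.0 Response.

Added example, not code from java-saml-validator. Assumption: the
cryptographic check of ds:SignatureValue runs elsewhere on the element
returned by find_trusted_assertion(); this module only decides which
element may be trusted at all.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"


class SamlValidationError(Exception):
    """Raised when the document must not be trusted."""


def find_trusted_assertion(xml_bytes: bytes) -> ET.Element:
    """Return the single saml:Assertion whose enveloped signature covers it."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("root element is not samlp:Response")
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: elem for elem in root.iter() for child in elem}

    # 1. Exactly one Signature: none means nothing is authenticated, several
    #    means verifier and consumer might look at different ones.
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if len(signatures) != 1:
        raise SamlValidationError(f"expected one ds:Signature, found {len(signatures)}")
    sig = signatures[0]

    # 2. Exactly one same-document Reference of the form "#id".
    refs = list(sig.iter(f"{{{DS}}}Reference"))
    if len(refs) != 1:
        raise SamlValidationError("expected exactly one ds:Reference")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        raise SamlValidationError(f"unsupported Reference URI {uri!r}")
    ref_id = uri[1:]

    # 3. The referenced ID must be unique in the whole document; a second
    #    element carrying the same ID makes the Reference ambiguous.
    matches = [e for e in root.iter() if e.get("ID") == ref_id]
    if len(matches) != 1:
        raise SamlValidationError(f"ID {ref_id!r} matches {len(matches)} elements")
    signed = matches[0]

    # 4. Enveloped signature: the signed element must be the Signature's parent.
    if parent[sig] is not signed:
        raise SamlValidationError("Signature is not enveloped in the element it signs")

    # 5. The signed element must be a saml:Assertion in the position the
    #    application consumes: a direct child of the Response.
    if signed.tag != f"{{{SAML}}}Assertion" or parent[signed] is not root:
        raise SamlValidationError("signed element is not a top-level saml:Assertion")
    return signed


def subject_of(assertion: ET.Element) -> str:
    """NameID read only from the element that passed validation."""
    return assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text


# --- constructed sample documents; signature values are placeholders -------

def _response(body: str) -> bytes:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:ds="{DS}" ID="_r1">{body}</samlp:Response>').encode()


def _assertion(assertion_id: str, subject: str, signed: bool) -> str:
    signature = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/>'
                 f'</ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue>'
                 f'</ds:Signature>') if signed else ""
    return (f'<saml:Assertion ID="{assertion_id}">{signature}'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'</saml:Assertion>')


def _rejects(doc: bytes) -> bool:
    try:
        find_trusted_assertion(doc)
    except SamlValidationError:
        return True
    return False


# --- tests named after the behaviour they document -------------------------

def should_accept_properly_signed_assertion() -> str:
    doc = _response(_assertion("_a1", "alice", signed=True))
    return subject_of(find_trusted_assertion(doc))  # returns "alice"


def should_reject_tokens_without_signatures() -> bool:
    return _rejects(_response(_assertion("_a1", "alice", signed=False)))


def should_reject_wrapped_signature() -> bool:
    # The signed assertion has been moved under samlp:Extensions and an
    # unsigned one placed where the consumer looks; check 5 catches it.
    signed = _assertion("_a1", "alice", signed=True)
    forged = _assertion("_a2", "admin", signed=False)
    return _rejects(_response(f"<samlp:Extensions>{signed}</samlp:Extensions>{forged}"))


def should_reject_duplicate_ids() -> bool:
    # Two elements share the referenced ID; check 3 catches it.
    doc = _response(_assertion("_a1", "alice", signed=True)
                    + _assertion("_a1", "admin", signed=False))
    return _rejects(doc)
```

The design point is that the consumer never searches the document for an Assertion on its own: it takes the element that the signature check returns, so the verifier and the consumer cannot disagree about which element is being trusted. A real deployment would feed the returned element, not the whole document, to the XML-DSig library and would additionally check issuer, audience, validity window and replay, which are outside this example.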
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders