In unserem Blog veröffentlichen wir in unregelmäßigen Abständen Artikel zu verschiedenen Themen der IT-Sicherheit, wie z.B. Open Penetrationstests und anderen öffentlichen Gutachten.

In October, we conducted a grey-box penetration test of a SAML-based Single Sign-On solution operated by SURFnet. The tested application used the open-source PHP library SimpleSAMLphp, whose source code we analyzed as a part of the penetration test. We were able to identify a novel variant of an XML Signature Wrapping (XSW) attack in SimpleSAMLphp, which allowed us to bypass the integrity and authenticity protection of the SAML assertion and change its contents arbitrarily.

In the following, we explain the details of the successful XSW attack, but first, we give a brief overview to SimpleSAMLphp, SAML, and XSW in general.

UI Redressing (UIR) describes a set of powerful attacks which can be used to circumvent browser security mechanisms like sandboxing and the Same-Origin Policy. In essence, an attacker wants to lure a victim into performing actions out of context by commonly making use of social engineering techniques in combination with invisible elements and hijacked trustworthy events. The set of attacks includes techniques like manipulating the mouse cursor, stealing touch gestures, and maliciously reuse keystrokes. Introduced in 2008, clickjacking was the first UIR attack which made it possible to automatically hijack the camera and microphone of the victim by stealing a few left-clicks within a Flash-based browser game. 

Hackmanit is happy to announce its pro bono penetration test program for web and single sign-on (SSO) applications. In a half-year cycle, starting in January 2020, we offer free remote penetration tests with a maximum contingent of ten man-days.

We aim to support non-commercial organizations which cannot afford commercial penetration tests. You can apply for a free penetration test if you feel that your organization fulfills the following requirements:

  • Non-commercial application (e.g., open-source software)
  • High impact (e.g., a high number of users or high criticality in the security/privacy areas)
  • You as an applicant should take care of clarifying any potential ethical and legal concerns

There will not be any significant difference between our pro bono penetration test and our usual commercial engagements except that you do not have to pay anything! However, in contrast to our commercial tests, you must agree to allowing Hackmanit to publish the unfiltered version of our penetration test report. We will do this after you have fixed the vulnerabilities or, at the latest, after 90 days from informing you of the vulnerabilities.

Based on the proven expertise in the areas of Single Sign-On and OpenID Connect, our team has been selected to perform an open penetration test of the DENIC ID - an implementation of ID4me.
The scope of the penetration test was to evaluate typical Single Sign-On weaknesses and the impact of novel features implemented in DENIC ID on the security of this login system.

DENIC ID

DENIC ID is the first widely-deployed implementation of ID4me (https://id4me.org/documents/) - a novel protocol for federated identity management. It is based on well-established standards such as OpenID Connect and Domain Name System (DNS). In contrast to other Single Sign-On schemes, ID4me divides the duties of the identity provider into two separated entities: an identity agent and an identity authority. The identity agent provides registration services and manages user data. The identity authority is responsible for user authentication and authorization.