SAML Injection

🔍 Introduction

SAML Injection refers to injection attacks against Security Assertion Markup Language (SAML). By placing attack payloads inside the XML of the SAML process, an attacker may bypass authentication flows such as SSO or get a forged message past signature verification.

🗡 Offensive techniques

Detect

SAML์„ ์ด์šฉํ•œ SSO ๋“ฑ SAML ์‚ฌ์šฉ ๊ตฌ๊ฐ„์€ ๋ชจ๋‘ ์ ๊ฒ€์˜ ๋Œ€์ƒ์ด๋ฉ๋‹ˆ๋‹ค. ๊ธฐ๋ณธ์ ์œผ๋กœ Signature ๊ฒ€์ฆ์— ๋Œ€ํ•œ ์ฒดํฌ๋ฅผ ์ง„ํ–‰ํ•˜๋ฉฐ, XSW(XML Signature Wrapping) Attack ๋“ฑ์œผ๋กœ SAML Response/Assertion ๋ฉ”์‹œ์ง€์— ๊ฐ’์„ ์ถ”๊ฐ€ํ•˜๊ฑฐ๋‚˜ ๋ณ€์กฐํ•˜์—ฌ ์„œ๋ฒ„์˜ ๋ฐ˜์‘์„ ๋ณด๊ณ  ์ฒดํฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="private-service">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://private-service/saml/consume" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

SAML in ZAP/Burp

In ZAP and Burp Suite, the SAML Support and SAML Raider add-ons respectively let you edit and test SAML-formatted data with little effort.

ZAP - SAML Support

Invalid Signature

Check whether the signature was actually produced under a certificate issued by a real CA. If the certificate is self-signed, it may be possible to clone it, or to generate a new self-signed certificate and substitute it.
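
The defensive counterpart of this check, as an added example that is not part of the Cullinan page: the certificate embedded in a message's ds:KeyInfo is under the sender's control, so a service provider should compare its fingerprint with the IdP certificate pinned from metadata instead of trusting whatever CA-signed or self-signed certificate it finds there. Python standard library only; the DER byte strings, the ds:Signature fragment and the function names are constructed for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
X509_CERT_PATH = f".//{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes, the value a service provider pins from IdP metadata."""
    der = base64.b64decode("".join(b64_der.split()))  # XML often wraps the base64 across lines
    return hashlib.sha256(der).hexdigest()


def embedded_cert_is_pinned(signature_xml: str, pinned: frozenset) -> bool:
    """True only if the single X509Certificate inside ds:KeyInfo is one of the pinned IdP certs."""
    root = ET.fromstring(signature_xml)
    certs = root.findall(X509_CERT_PATH)
    if len(certs) != 1 or not (certs[0].text or "").strip():
        return False
    return cert_fingerprint(certs[0].text) in pinned


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
IDP_CERT_DER = b"\x30\x82\x01\x00constructed-idp-cert"
ROGUE_CERT_DER = b"\x30\x82\x01\x00constructed-self-signed-cert"
# What the SP would load from the IdP's metadata at configuration time, never from the message.
PINNED = frozenset({cert_fingerprint(base64.b64encode(IDP_CERT_DER).decode())})


def signature_with(cert_der: bytes) -> str:
    """Constructed ds:Signature fragment carrying the given certificate in KeyInfo."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>"""


if __name__ == "__main__":
    print(embedded_cert_is_pinned(signature_with(IDP_CERT_DER), PINNED))    # True
    print(embedded_cert_is_pinned(signature_with(ROGUE_CERT_DER), PINNED))  # False
```

The point of the design is that the pinned set is loaded once from IdP metadata and the KeyInfo in the message is only ever compared against it; a message whose certificate is not pinned is rejected before any signature mathematics runs, so a substituted self-signed certificate buys the sender nothing.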

Signature Stripping

SAML SSO์˜ ์ผ๋ถ€ ๊ตฌ์„ฑ์—์„œ Signature section์„ ์ž„์˜๋กœ response์—์„œ ์ œ๊ฑฐํ–ˆ์„ ๋•Œ Signature verification์ด ์ƒ๋žต๋˜๊ธฐ๋„ ํ•ฉ๋‹ˆ๋‹ค.

XSW Attacks

SAML์˜ Response๋‚˜ Assertion์„ ์กฐ์ž‘ํ•˜์—ฌ ์˜๋„ํ•˜์ง€ ์•Š์€ ๋™์ž‘์„ ์œ ๋„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<!-- Sketch of a wrapped message. FA: forged assertion, LA: legitimate (signed) assertion, LAS: the legitimate assertion's signature -->
<SAMLResponse>
  <FA ID="evil">
      <Subject>Attacker</Subject>
  </FA>
  <LA ID="admin">
      <Subject>Admin User</Subject>
      <LAS>
         <Reference URI="#admin">
         </Reference>
      </LAS>
  </LA>
</SAMLResponse>

Type   Message     Description
XSW1   Response    Adds an unsigned copy of the Response after the existing signature.
XSW2   Response    Adds an unsigned copy of the Response before the existing signature.
XSW3   Assertion   Adds an unsigned copy of the Assertion before the existing Assertion.
XSW4   Assertion   Adds an unsigned copy of the Assertion inside the existing Assertion.
XSW5   Assertion   Changes values in the signed copy of the Assertion and appends a copy of the original Assertion, with its signature removed, at the end of the SAML message.
XSW6   Assertion   Changes values in the signed copy of the Assertion and adds a copy of the original Assertion, with its signature removed, after the original signature.
XSW7   Assertion   Adds an "Extensions" block containing an unsigned Assertion.
XSW8   Assertion   Adds an "Object" block containing a copy of the original Assertion with its signature removed.

Exploitation

Broken SSO

SAML์€ ์ฃผ๋กœ SSO(Single Sign-On)์—์„œ ๋งŽ์ด ์‚ฌ์šฉ๋ฉ๋‹ˆ๋‹ค. SAML ๊ธฐ๋ฐ˜์˜ SSO์—์„œ SAML Injection์œผ๋กœ Authentication Bypass๊ฐ€ ๋˜๋Š” ๊ฒฝ์šฐ ๊ณ„์ • ํƒˆ์ทจ๋‚˜ ๊ถŒํ•œ ๋„์šฉ์ด ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

XXE

SAML์€ XML ํฌ๋งท์„ ์‚ฌ์šฉํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์„œ๋น„์Šค ๊ตฌ์„ฑ์— ๋”ฐ๋ผ XXE์— ์ทจ์•ฝํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. XXE์— ๋Œ€ํ•œ ์ž์„ธํ•œ ๋‚ด์šฉ์€ Cullinan > XXE๋ฅผ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”.

🛡 Defensive techniques

When using SAML, for SSO or anything else, it must be deployed with security in mind. For details, refer to the OWASP guide.
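
One way to make that guidance concrete, as an added example and not code from Cullinan or from any SAML library: the structural pre-checks a service provider should run on a SAML Response before cryptographic signature verification, covering the three failure modes described above (signature stripping, XSW, XXE). Python standard library only; the sample messages, IDs and function names are constructed, and the actual XML-DSig verification (digest and signature over SignedInfo) is assumed to be done by a separate library once these checks pass.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RESPONSE = f"{{{SAMLP}}}Response"
ASSERTION = f"{{{SAML}}}Assertion"
NAME_ID = f"{{{SAML}}}Subject/{{{SAML}}}NameID"
SIGNATURE = f"{{{DS}}}Signature"
REFERENCE = f"{{{DS}}}SignedInfo/{{{DS}}}Reference"


class SamlRejected(Exception):
    """The message has a shape the service provider must not accept."""


def parse_response(xml_text: str) -> ET.Element:
    # XXE: a SAML message never legitimately carries a DTD. Refusing the text before the
    # parser sees it rules out internal entity expansion as well as external entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise SamlRejected("DOCTYPE/ENTITY declarations are not allowed")
    root = ET.fromstring(xml_text)
    if root.tag != RESPONSE:
        raise SamlRejected("root element is not samlp:Response")
    return root


def select_signed_assertion(root: ET.Element) -> ET.Element:
    # XSW: every variant in the table above leaves more than one Assertion in the document
    # (before, after, or nested inside Extensions/Object). Accept exactly one, and only as
    # a direct child of the Response.
    direct = root.findall(ASSERTION)
    everywhere = list(root.iter(ASSERTION))
    if len(direct) != 1 or len(everywhere) != 1:
        raise SamlRejected(f"expected exactly one Assertion, found {len(everywhere)}")
    assertion = direct[0]
    # Signature stripping: a missing Signature is a rejection, never "skip verification".
    sigs = assertion.findall(SIGNATURE)
    if len(sigs) != 1:
        raise SamlRejected("Assertion must carry exactly one enveloped Signature")
    # The enveloped signature must reference the element that encloses it, not another ID.
    refs = sigs[0].findall(REFERENCE)
    assertion_id = assertion.get("ID")
    if len(refs) != 1 or not assertion_id or refs[0].get("URI") != "#" + assertion_id:
        raise SamlRejected("Signature does not reference the Assertion that encloses it")
    return assertion


def validated_subject(xml_text: str) -> str:
    """Return the NameID from the single signed Assertion, or raise SamlRejected."""
    assertion = select_signed_assertion(parse_response(xml_text))
    # Cryptographic verification of `assertion` by an XML-DSig library is assumed to happen
    # here; it is outside this example. Identity is read only from that verified element.
    name_id = assertion.find(NAME_ID)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlRejected("signed Assertion has no Subject/NameID")
    return name_id.text.strip()


def rejects(xml_text: str) -> bool:
    """Convenience wrapper: True if the message fails the structural checks."""
    try:
        validated_subject(xml_text)
    except SamlRejected:
        return True
    return False


# Constructed sample messages (not captured from a real IdP).
GOOD = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# XSW3-style: an unsigned Assertion for another user inserted before the signed one.
WRAPPED = GOOD.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_evil"><saml:Subject><saml:NameID>admin@example.com'
    '</saml:NameID></saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_a1">',
    1,
)

# Signature stripping: the ds:Signature element deleted outright.
STRIPPED = GOOD[:GOOD.index("<ds:Signature>")] + GOOD[GOOD.index("</ds:Signature>") + len("</ds:Signature>"):]

# XXE: a DTD prepended so the NameID would be read from an external entity.
XXE = '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///tmp/constructed">]>\n' + GOOD.replace("alice@example.com", "&x;")

if __name__ == "__main__":
    print(validated_subject(GOOD))                              # alice@example.com
    print(rejects(WRAPPED), rejects(STRIPPED), rejects(XXE))    # True True True
```

The ordering matters: the DTD check runs on the raw text, the shape checks run on the parsed tree, and only the one element that survives both is handed to the signature library and later read for the Subject. Reading the NameID from any other Assertion in the document, or from the Response before the Assertion has been selected, is exactly the gap the XSW variants exploit.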

🕹 Tools

📌 References

Licensed under CC BY-NC-SA 4.0