Single Sign-On Attack Resources

Attacks on SSO protocols are an active field of research and finding good sources can be a bit of a nuisance. I recently invested time into research, resulting in the following collection of links, papers and tools. The list has been curated and filtered to only show links I consider to be noteworthy or particularly helpful. It is not and not intended to be comprehensive.

Attacks

• Signature Exclusion Attack: Check if the signature is only validated if the signature is included in the request
• XML Signature Wrapping (XSW) Attacks: Put your evil assertion somewhere else
• XML Parser Library Bugs
• Replay Attack: Use the same token again

Links / Resources

Offensive

SAML

• Paper: Security Analysis of eIDAS - The Cross-Country Authentication Scheme in Europe
• Paper: On Breaking SAML: Be Whoever You Want to Be
• Blog post: Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
• Dissertation by Juraj Somorovsky
• Dissertation by Andreas Mayer
• Blog post: Bypassing SAML 2.0 SSO with XML Signature Attacks
• Blog post: The road to your codebase is paved with forged assertions

OpenID Connect

Not to be confused with OpenID.

• Paper: SoK: Single Sign-On Security - An Evaluation of OpenID Connect

Mixed

• Bachelor Thesis: Automatic Recognition, Processing and Attacking of Signle Sign-On Protocols with Burp Suite
• Paper and similar but slightly different content: Automatic Recognition, Processing and Attacking of Signle Sign-On Protocols with Burp Suite
• Paper: Your Software at my Service (Signature Faking)
• Paper (OpenID): Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
• Papers and Thesis’: Various

Tools

• WS Attacks
• WS-Attacker
• SSOScan (OAuth-based protocols)
• BurpSuite Extensions
  • [EsPRreSSO:](https://github.com/RUB-NDS/BurpSSOExtension0
  • SAMLRaider (Manipulating SAML Messages, manage x.509 certificates):

Defensive

• SAML Artifact Binding (Thwarts most XSW attacks), OASIS SAML v2 Section 4.1.3