Monday, October 20, 2014
Authentication via Single Sign-On (SSO) has many advantages over simple username/password mechanisms. With username/password logins the user has to remember multiple different username/password combinations; SSO significantly reduces this overhead. In addition, the security of a username/password login relies solely on the strength of the password the user chooses, whereas SSO allows several technical measures to be adopted that further strengthen the login procedure.
Wednesday, October 1, 2014
Verification of SAML Tokens - Traps and Pitfalls
This post describes some findings in the Single Sign-On area and problems related to the security of SAML-based authentication interfaces.
We describe 6 attacks: Replay Attack, Token Recipient Confusion, Signature Exclusion, XML Signature Wrapping, Certificate Faking and Certificate Injection.
All 6 attacks target the SAML SSO interface and are highly critical from a security standpoint.
When evaluating the security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE)...
Inspired by James Kettle's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security i...
Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medic...
One year ago, we received a contract as a PDF file. It was digitally signed. We looked at the document - ignoring the "certificate is n...
In this post, we provide a security analysis of Microsoft Rights Management Services (RMS) and present two working attacks: We complete...