SAML Token Request
- ID: A nonce, which guarantees that the Token Request was freshly generated.
- IssueInstant: A timestamp.
- AssertionConsumerServiceURL (ACSUrl): A URL pointing to the SAML interface of the SP, to where the IdP sends the authentication token.
- Version: SAML Version.
- Issuer: The identity of the SP.
Out-of-scope: The attacker does not control the communication between Client and Service Provider, so he can neither eavesdrop on nor manipulate it (i.e. no man-in-the-middle attack is needed for ACS Spoofing).
Figure 1: ACS Spoofing Attack: Protocol Flow
- Step 1: The user visits the domain controlled by the attacker, e.g. www.attacker.com.
- Step 2: The attacker generates a TokenRequest containing a malicious ACSUrl and redirects the user to the IdP. The ACSUrl is a URL controlled by the attacker, e.g. www.attacker.com.
- Step 3: The user is redirected to the IdP.
- Step 4: The user authenticates to the IdP. If the user is already authenticated, this step is skipped.
- Step 5: The authentication token containing the identity of the user is generated.
- Step 6: The authentication token is sent to the domain specified in ACSUrl, which is controlled by the attacker.
- Step 7: The attacker redeems the stolen authentication token and authenticates on the SP as the user.
- Step 8: The attacker gains access to the user's restricted resources on the SP.
Figure 2: ACS Spoofing Attack: Exploit Example
The ACS Spoofing attack is executed as soon as a normal user clicks on the link in the left window.
Specification vs. Implementation flaw:
ACS Spoofing is an implementation flaw on the IdP-side. The SAML specification (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, page 49) clearly states that the IdP MUST verify the ACSUrl. The received ACSUrl can be verified against the data exchanged during the "Trust establishment" phase, see http://web-in-security.blogspot.de/2014/10/single-sign-on.html#more, section "The SSO protocol flow".
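The following is an added example (not code from the original post or from the ACSScanner tool) of the IdP-side check the specification requires: before issuing a token, the IdP looks up the Issuer of the AuthnRequest in the data it stored during trust establishment and only accepts an AssertionConsumerServiceURL that the SP registered there. The SP registry, the sample requests and the attacker URL are constructed for this example.

```python
# Added example: IdP-side verification of the AssertionConsumerServiceURL
# in a SAML 2.0 AuthnRequest against the SP's registered ACS endpoints.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed trust-establishment data: Issuer (SP entity ID) -> ACS URLs
# taken from the SP's metadata; the first entry is the SP's default ACS.
TRUSTED_ACS = {
    "https://sp.example.org/saml": ["https://sp.example.org/saml/acs"],
}

# Constructed sample requests: the legitimate one from the SP, and a
# spoofed one whose ACSUrl points to the attacker's domain (Step 2 above).
_TEMPLATE = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_nonce1" '
             'Version="2.0" IssueInstant="2014-10-01T12:00:00Z"%s>'
             '<saml:Issuer>https://sp.example.org/saml</saml:Issuer>'
             '</samlp:AuthnRequest>') % (NS["samlp"], NS["saml"], "%s")
LEGIT_REQUEST = _TEMPLATE % ' AssertionConsumerServiceURL="https://sp.example.org/saml/acs"'
SPOOFED_REQUEST = _TEMPLATE % ' AssertionConsumerServiceURL="https://www.attacker.com/acs"'

def _canon(url):
    """Canonical form for comparison: https only, case-insensitive host,
    path compared exactly (a different path is a different endpoint)."""
    p = urlsplit(url)
    if p.scheme.lower() != "https" or not p.netloc:
        return None
    return ("https", p.netloc.lower(), p.path or "/")

def resolve_acs_url(authn_request_xml):
    """Return the registered ACS URL the token may be sent to, or None if
    the request must be rejected (unknown SP or unregistered ACSUrl)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return None
    issuer = root.find("saml:Issuer", NS)
    allowed = TRUSTED_ACS.get((issuer.text or "").strip()) if issuer is not None else None
    if not allowed:
        return None                  # SP unknown: no trust relationship
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return allowed[0]            # no ACSUrl in the request: use the SP's default
    canon = _canon(requested)
    for candidate in allowed:
        if canon is not None and canon == _canon(candidate):
            return candidate         # hand back the registered form, never the raw input
    return None                      # ACS Spoofing attempt: do not issue a token
```

A rejected request should be logged with the Issuer and the offending ACSUrl, since a burst of such rejections is the detection signal for this attack being tried against the IdP.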
- ACSScanner: We implemented a tool able to analyze IdPs against ACS Spoofing. You can find the tool here:
- SAML EnDecoder: A very good and reliable tool to encode SAML messages can be found here:
Author of this post: Vladislav Mladenov