undefined | Better HN

0 pointstptacek6y ago0 comments

Yes, tediously, with auditors who understand SAML and the (very informal) literature on SAML attacks. Hence, the concern.

0 comments

5 comments · 2 top-level

wutwutwutwut6y ago· 2 in thread

Wouldn't it be enough to enter an invalid audience when configuring the IDP? If the audience is ignored the sign-in flow still allows you to log on and you know the SP is broken.

lvh6y ago

Sure, but two reasons that's not quite optimal and you might not want to do that in practice:

1. This tells you the SP is broken; just using individual keys means that doesn't matter anymore if the SP is broken or not. Individual keys is in your control, fixing the SP much less likely so. And you can just set up a practice of doing it for everything and now it's one less thing to test for.

2. That still requires a bit of testing that's somewhat annoying to set up, which most vendorsec practices don't have time for. It's also only one of dozens of things you need to test for. Ignoring audiences is super common, but a more subtle problem is that you can sign a valid SAML assertion _for the wrong domain_, and now you can sign in as a competitor's staff.

As you hint at, having an SP that'll just self-service accept any random metadata.xml at least gives you a fighting chance :)

wutwutwutwut6y ago

My question was more related to it being tedious. And now you say it requires a bit of testing which is annoying to set up. Isn't testing this just a matter of changing the audience field to something incorrect and try to sign on? This should take like 2 minutes?

1 more reply

user59944616y ago· 1 in thread

It's a theoretical yes but a practical no, because the amount of people on this planet who understand SAML enough and want to work on it and are available for auditing, is damn close to zero, if not zero.

lvh6y ago

This is not an outlandish thing to ask of your security auditor _for your own app_. (It's something we do for clients.)

The challenging part is doing it for vendorsec, when you are vetting _other apps_. The timelines that stakeholders (other people in the company who want to use the app) are willing to accept are like, a week, and even if you somehow had a SAML testing praxis at the ready that enumerates all of the problems SAML has historically had, there's a lot more to test than just the SAML bits.

So: in summary: I don't think that number is anywhere near zero, though sure, it's not huge. The hard part is failures being silent and being in parties you don't control.

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

wutwutwutwut6y ago· 2 in thread

Wouldn't it be enough to enter an invalid audience when configuring the IDP? If the audience is ignored the sign-in flow still allows you to log on and you know the SP is broken.

lvh6y ago

Sure, but two reasons that's not quite optimal and you might not want to do that in practice:

As you hint at, having an SP that'll just self-service accept any random metadata.xml at least gives you a fighting chance :)

wutwutwutwut6y ago

1 more reply

user59944616y ago· 1 in thread

lvh6y ago

This is not an outlandish thing to ask of your security auditor _for your own app_. (It's something we do for clients.)

So: in summary: I don't think that number is anywhere near zero, though sure, it's not huge. The hard part is failures being silent and being in parties you don't control.

j / k navigate · click thread line to collapse