Closed allabezroutchko closed 1 month ago
Thanks @allabezroutchko for reporting. Would it be possible for you to provide the full SAML message anonymized?
Tried my best to anonymize it:
```xml
<samlp:Response ID="_fb5af0f0-f2b6-48b7-a3fe-6e30a0c8c7d1" Version="2.0" IssueInstant="2024-09-18T11:14:43.050Z" Destination="https://destination/" InResponseTo="ONELOGIN_cdbf853876a8372d40b9341a4f971442f08b413d" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/21ea916b-d92f-47f0-bd65-c67b972e65ae/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_e68fc244-d517-4ecb-998f-78dc0f427a00" IssueInstant="2024-09-18T11:14:43.046Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/21ea916b-d92f-47f0-bd65-c67b972e65ae/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_e68fc244-d517-4ecb-998f-78dc0f427a00">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>V8PX7gXGH+WbFFbHsbwT/2tr9YWHUqmASdOD+tciKVw=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>r1DW0uIDFBnlysKKHIA9TYYF1qD7uT7SkovCRkEgenoYXmMTd/XKiaIV4X1LIlI0sV0qj6FNUtu1YGoyQ3JXD6A61qwvIAIyKtveQTcZ9H719DU6Dpx+ft2tcP6m2D2Bph9BW2VIQ1qOcpiA9MSzRJetx6PhLi6xZx5gqlIFzyCGgTjEGw0Anlq6o2rHIVEpdeThIue4FwfaNu4brn4g1IhxRQD/cOVGS5BqCGjAppLsIiQsQVOb+/DfFPTyLAJPmxSrXkWddgzpZLXpQ6YO1qpey1TiUfFCwYEYcsrvDt13HtkGvrn820iKHHOG8kadA0wJkAEp7wLXBc8Zj8a6kQ==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>MIIC8DCCAdigAwIBAgIQUNYScVZp+aFCh8T+wwF8RTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNDA5MDMxNDAzMDFaFw0yNzA5MDMxNDAzMDBaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA46LonaFvZxQBGPo3JNn/7SARDpaD+VrwZpK3G3zyXPx6viwM04tP385BRe2ilyo6lv+Q25/LnTW9hMtYuhcDzsDo0GbJLXncxKVhakoj0GRTzaL6Xit+NgdCFE38fZTod8i8rQV0zngfu+shjqrUuq1P6xIsqA+OlDnftP9wC4XizYL5rrJnzxyaCw011i/rx24NqD8kFfTVqt1MtmAMWGVZTbsKy5wXWYf+dzvMUYl6VHvFqe0h6ghC/SxUntTcyQTeQlXH7bXdK6fTs5uwWfgTbRZbk43zOKrfg6QAYQPPianX08pVyF6kFXTphUzzK5avV4UECtSLpo6RBGWLhQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB97RrY5dy4tzP6XTSX56mVBGY/N73o/ZIoF1LSWIlfBVqMdY29EJbXEIhatV7Jg/G1OCTKDoxZoMO3e1Y6LyLg1808ZIjgB+pd/n2SxBfiiHftcQZ2+ZsIQZrZ2ccNqbOQjKpCO5YwZVhVRGMA09RLa2j/RV1gP7YXNGgvajQar92i2x9cWa+/5vI8VQFxrZSQFE3BgP2+y00J46E/GhkKhmi0LO+H8Od4xQavlNyz62uJ2bfaVyw4ySezZtuE37Rt+oHI40sWMoU88BFtrA1MW39YPj+THfN4J71uWY+j9gJX6V8sO0QzujeWlguh6tVkoyjPFxmqW+aHqiUE3bcm</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">nobody@nowhere.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_cdbf853876a8372d40b9341a4f971442f08b413d" NotOnOrAfter="2024-09-18T12:14:42.934Z" Recipient="https://destination/"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2024-09-18T11:09:42.934Z" NotOnOrAfter="2024-09-18T12:14:42.934Z">
      <AudienceRestriction>
        <Audience>https://destination/</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>21ea916b-d92f-47f0-bd65-c67b972e65ae</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>987f218e-d113-4aef-8bcd-e0a1d8b03888</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>User1</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>b9811d13-6275-441f-8593-05461b03b801</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/21ea916b-d92f-47f0-bd65-c67b972e65ae/</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>User</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>1</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>nobody@nowhere.com</AttributeValue></Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2024-09-18T11:14:40.049Z" SessionIndex="_e68fc244-d517-4ecb-998f-78dc0f427a00">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```
Can you verify the fix with https://github.com/CompassSecurity/SAMLRaider/releases/tag/v2.0.3-rc1?
Works for me now.
In /src/main/java/application/SamlTabController.java the application expects to find a string in the SAML document:

But SAML generated by Microsoft ADFS has `<Transforms>` instead of `<ds:Transforms>`. So, using the "Test XSLT" button results in a "This XML Message is not suitable for this particular XLST attack" error.