Open ImanSharaf opened 11 months ago
SAML is so old school I politely suggest we drop it and focus on OIDC instead.
Thank you for sharing your perspective. I concur with your viewpoint on this matter. While I acknowledge the evolving landscape of Single Sign-On (SSO) technologies, it's evident that SAML remains a significant player in this domain and its relevance is unlikely to diminish in the immediate future. Given this context, might I propose we consider introducing a directive within ASVS that advises against the indiscriminate use of SAML?
@jmanico - if you want to get rid of SAML in the world, you need to have requirement for that in ASVS.
If SAML is not considered as old and vulnerable component, applications are allowed to use it. Even if it so-called "old-school" technology, big companies are really slow to take new technologies in to use and those SAML solutions may live there for long time.
But I have not checked or analyzed the content here yet, just feedback on the "this is so old so it is not valid" topic.
Fair enough, let's do it.
Here is ChatGTP's suggestion for SAML requirements.
If you're a developer working on implementing SAML, you've got to be on your toes because there are a lot of security nuances to consider. Let's dig into the nitty-gritty details:
Fair enough, let's do it.
We can start with these:
Much like with OAuth/OIDC, I think we need to come up with a set of positive requirements that cover the primary attacks.
@ImanSharaf can you work on that?
Let's start with three:
Are they good enough? @tghosth
@jmanico what do you think about these? I am concerned they overlap with regular requirements...
If we do wish to consider SAML base requirements, and I think these are well done.
However ASVS is getting kind of bulky, and I tend to want to remove legacy-ish requirements. And I consider SAML legacy tech.
- Verify and enforce the presence and integrity of digital signatures on SAML assertions, rejecting any assertions that are unsigned or have invalid signatures.
I think this makes sense specifically in a SAML context.
- Verify that the application sanitizes SAML input fields to prevent comment injection, ensuring data is correctly parsed and potential comment injections are neutralized or rejected.
Is there a SAML specific attack here or is this a general XML issue? Do you have an example?
- Verify that each SAML assertion is uniquely processed and used only once within its validity period to prevent replay attacks.
I agree with this but I think it would need to be L3 as it is quite complicated.
Thoughts @ImanSharaf ?
@ImanSharaf waiting for your responses?
Ping @ImanSharaf
Many of my customers still use SAML, especially in Europe. I am also okay with duplicate requirements so the SAML section is self-contained. I think the requirements above are fairly straightforward and well thought out, and I am convinced we need them.
- Verify and enforce the presence and integrity of digital signatures on SAML assertions, rejecting any assertions that are unsigned or have invalid signatures.
I think this makes sense specifically in a SAML context.
- Verify that the application sanitizes SAML input fields to prevent comment injection, ensuring data is correctly parsed and potential comment injections are neutralized or rejected.
Is there a SAML specific attack here or is this a general XML issue? Do you have an example?
- Verify that each SAML assertion is uniquely processed and used only once within its validity period to prevent replay attacks.
I agree with this but I think it would need to be L3 as it is quite complicated.
Thoughts @ImanSharaf ?
Sorry for delay. I agree that it would need to be L3. @tghosth
Thanks @ImanSharaf can you respond to my other question here:
- Verify that the application sanitizes SAML input fields to prevent comment injection, ensuring data is correctly parsed and potential comment injections are neutralized or rejected.
Is there a SAML specific attack here or is this a general XML issue? Do you have an example?
Also, do you have a proposed section for these 3 requirements?
You can find an example attack here:
Do you believe that we need a separate section for SAML attacks?
Ok so I am comfortable with that.
I think a separate section would make sense. The question is, where?
Perhaps a new category for “federation and assertions”. This mirrors NIST 800-63c[1]. All the OAuth, OIDC and SAML requirements could go there. Just an idea, I’m not tied to it.
While reviewing the current version of the ASVS, I've noticed a potential gap in coverage related to SAML attacks. Considering the adoption of SAML for identity federation and single sign-on in enterprise environments, it's important to provide adequate coverage for potential SAML vulnerabilities and attacks.
Specifically, some of the SAML-based attacks that appear to be missing or not thoroughly covered include:
It would be beneficial for the community if the ASVS could provide more detailed guidance on testing, mitigating, and verifying the security of SAML implementations.