
312 points campuscodi | 3 comments

bawolff No.43374971
It's kind of annoying to explain the vulnerability in a blog post and then omit the parser differential in question.

It is like writing the introduction to a story and omitting the climax.

1. mdaniel No.43375217
The sibling comment's blog post <https://news.ycombinator.com/item?id=43374972> included the relevant detail: they were just doing (...//ds:DigestValue).firstChild.nodeValue without checking that .firstChild was a Node (in the offending case, it was a Comment). Thus, the non-canonical one saw the "masked" signature, the corrected one, which tossed out comments, saw a Node, and when two implementations differ about a signed document, hilarity will ensue.
2. bawolff No.43375434
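The differential described in this comment, as an added example that is not code from the thread or from any of the libraries it mentions: a comment placed as the first child of ds:DigestValue makes a naive firstChild.nodeValue read return the comment text, while a reader that discards comments (as a canonicalizing reader would) returns the real digest. Python's xml.dom.minidom is used because its DOM API has the same .firstChild / .nodeValue / Comment shape; the sample document and digest value are constructed placeholders, and the function names are this example's own.

```python
# Added example, not from the original thread. Demonstrates why two readers of
# the same ds:DigestValue element can disagree when a Comment node precedes the
# text, and shows a strict reader that refuses such mixed content.
from xml.dom import minidom, Node

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample document: the digest value is a placeholder, not a real
# digest, and the comment is the "masking" node the thread talks about.
SAMPLE = (
    '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:Reference URI="#assertion-1">'
    '<ds:DigestValue><!-- injected -->REAL_DIGEST_B64=</ds:DigestValue>'
    '</ds:Reference>'
    '</ds:SignedInfo>'
)

# Constructed clean counterpart with no comment inside the element.
CLEAN = SAMPLE.replace("<!-- injected -->", "")


def _digest_element(xml_text):
    """Return the first ds:DigestValue element (hypothetical helper)."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(DSIG_NS, "DigestValue")[0]


def digest_value_naive(xml_text):
    """Mimics the buggy read: trusts firstChild without checking nodeType.
    When the first child is a Comment, this returns the comment's text."""
    return _digest_element(xml_text).firstChild.nodeValue


def digest_value_text_only(xml_text):
    """Mimics a comment-stripping reader: concatenates only Text/CDATA
    children, so the Comment is ignored and the real digest is returned."""
    el = _digest_element(xml_text)
    text_types = (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)
    return "".join(c.data for c in el.childNodes if c.nodeType in text_types)


def digest_value_strict(xml_text):
    """Defensive read: reject the element outright if any child is not a
    Text/CDATA node, so the two readers above can never disagree."""
    el = _digest_element(xml_text)
    for child in el.childNodes:
        if child.nodeType not in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            raise ValueError(
                "DigestValue contains a non-text child (nodeType=%d)" % child.nodeType
            )
    return "".join(c.data for c in el.childNodes)


def has_differential(xml_text):
    """True when the naive and comment-stripping readers disagree, i.e. the
    condition under which a signature check and a content read diverge."""
    return digest_value_naive(xml_text) != digest_value_text_only(xml_text)


if __name__ == "__main__":
    print("naive     :", repr(digest_value_naive(SAMPLE)))
    print("text-only :", repr(digest_value_text_only(SAMPLE)))
    print("differential:", has_differential(SAMPLE))
    try:
        digest_value_strict(SAMPLE)
    except ValueError as exc:
        print("strict    : rejected ->", exc)
```

Running it shows the naive reader returning ` injected ` (the comment body) while the text-only reader returns `REAL_DIGEST_B64=`; the strict reader refuses the document, which is the behaviour a verifier wants so that no downstream consumer can be handed an element it interpreted differently from the signature check.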
Are you sure that is the one for this blog post? I got the impression that was a different vuln for a different SAML implementation.

Also, using comments to bypass SAML is very old news. https://duo.com/blog/duo-finds-saml-vulnerabilities-affectin... is a post from 2018 about it.

3. mdaniel No.43375510
Evidently it's not the same, sorry; it seems that I leapt to conclusions with the two signature mismatch vulns by ahacker1 showing up so close to one another, but opening the very tiny, very dark code picture shows this seems to be XPath-centric, not nodeType-related as the WorkOS link discussed.