saml-sso-assertion-attacks


SKILL: SAML SSO and Assertion Attacks — Signature Validation, Binding, and Trust Confusion

AI LOAD INSTRUCTION: Use this skill when the target uses SAML-based SSO and you need to validate assertion trust: signature coverage, audience and recipient checks, ACS handling, XML parsing weaknesses, and IdP/SP confusion.

1. WHEN TO LOAD THIS SKILL

Load when:
  • Enterprise SSO uses SAML requests or responses
  • You see SAMLRequest, SAMLResponse, XML assertions, or ACS endpoints
  • Login flows involve an external IdP and browser POST/redirect binding

2. HIGH-VALUE MISCONFIGURATION CHECKS

Theme                    What to Check
signature validation     unsigned assertion accepted, wrong node signed, signature wrapping
audience and recipient   weak Audience, Recipient, Destination, or ACS validation
issuer trust             wrong IdP accepted or multi-tenant issuer confusion
replay and freshness     missing InResponseTo, weak NotBefore/NotOnOrAfter enforcement
account mapping          email-only binding, case folding, unverified attributes
XML parser behavior      XXE-like parser issues or unsafe transforms around SAML documents
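
As an added example (not part of the original skill page), a service-provider-side validator in Python that applies the checks from the table above to one SAMLResponse: which element a ds:Reference actually covers, Issuer trust, Destination/Recipient/InResponseTo binding, Audience, and the NotBefore/NotOnOrAfter windows. The sample response, the sp.example and idp.example names and the shape of the `sp` dict are my own constructions; cryptographic verification of the XML signature is assumed to be done by an XML-DSig library and is not implemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # SAML UTC stamps

def check_response(xml_bytes, sp, now):
    """Failed trust checks for one SAMLResponse ([] == pass); ds:Signature crypto is assumed done by an XML-DSig library."""
    root = ET.fromstring(xml_bytes)  # stdlib expat does not fetch external entities or DTDs
    # Wrapping / coverage: exactly one Assertion, directly under Response, and a ds:Reference must point at
    # that Assertion's ID or the Response ID. Never "use the first Assertion the parser finds".
    if len(root.findall(".//saml:Assertion", NS)) != 1 or root.find("saml:Assertion", NS) is None:
        return ["expected exactly one Assertion directly under Response (possible wrapping)"]
    a = root.find("saml:Assertion", NS)
    signed = {r.get("URI", "").lstrip("#")
              for r in root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    fails = [] if {a.get("ID"), root.get("ID")} & signed else ["no ds:Reference covers Assertion or Response"]
    if len(root.findall(f".//*[@ID='{a.get('ID')}']")) != 1:
        fails.append("Assertion ID is not unique in the document")
    # Issuer trust: both Response and Assertion must name a known IdP (multi-tenant confusion)
    if any(e is None or e.text not in sp["issuers"] for e in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS))):
        fails.append("Issuer is not a trusted IdP")
    # Destination, Recipient, InResponseTo bind the response to this ACS and to our own AuthnRequest
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if root.get("Destination") != sp["acs_url"]:
        fails.append("Destination is not this ACS")
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        fails.append("Recipient is missing or not this ACS")
    if scd is None or scd.get("InResponseTo") != sp["request_id"]:
        fails.append("InResponseTo is missing or does not match the outstanding AuthnRequest")
    if sp["entity_id"] not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        fails.append("Audience does not name this SP")
    # Freshness: Conditions window plus SubjectConfirmationData expiry, all required
    c = a.find("saml:Conditions", NS)
    nb, na = (c.get("NotBefore"), c.get("NotOnOrAfter")) if c is not None else (None, None)
    sna = scd.get("NotOnOrAfter") if scd is not None else None
    if not (nb and na and sna and ts(nb) <= now < ts(na) and now < ts(sna)):
        fails.append("outside NotBefore/NotOnOrAfter window or expiry missing")
    return fails

# Constructed sample: a minimal Response for sp.example from idp.example (signature structure only, no real crypto)
SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Destination="https://sp.example/acs"><saml:Issuer>https://idp.example</saml:Issuer>
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>
 </ds:SignedInfo></ds:Signature><saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://sp.example/acs"
 InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:05:00Z"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions
 NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SP = {"entity_id": "https://sp.example", "acs_url": "https://sp.example/acs", "request_id": "_req1",
      "issuers": {"https://idp.example"}}
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
```

Run `check_response(SAMPLE, SP, NOW)` to see the clean case return an empty list; each triage step in section 3 corresponds to one mutation of SAMPLE or SP that should make a specific check fail.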

3. QUICK TRIAGE

  1. Capture one full login round trip.
  2. Inspect which XML nodes are signed and which attributes drive account binding.
  3. Compare SP-initiated and IdP-initiated flows.
  4. Test replay, altered attributes, and assertion placement confusion.

4. RELATED ROUTES

  • XML parser attack depth: xxe xml external entity
  • OAuth or OIDC SSO alternatives: oauth oidc misconfiguration
  • Auth boundary issues after SSO: authbypass authentication flaws