Episode 46: The SAML Ramble

Critical Thinking - Bug Bounty Podcast - A podcast by Justin Gardner (Rhynorater) & Joel Margolis (teknogeek) - Thursdays

Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin deep-dives into SAML (Security Assertion Markup Language). He walks through what it is and why it can be intimidating, then goes over some key attack vectors to look for. He closes out with commentary on a sample payload and some HackerOne reports.

Follow us on Twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

Thanks to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on Twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

KazHACKstan
https://kazhackstan.com/en

Testing SAML security with DAST
https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html

How to break SAML if I have paws?
https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20

How to Hunt Bugs in SAML; a Methodology
https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/

SAML Raider
https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e

External Entity Injection during XML signature verification
https://bugs.chromium.org/p/project-zero/issues/detail?id=2313

mTLS: When certificate authentication is done wrong
https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/

HackerOne Uber Report
https://hackerone.com/reports/136169

Timestamps:
(00:00:00) Introduction
(00:05:25) Understanding SAML and its complexities
(00:08:30) SAML Attack Vectors
(00:14:15) XML Signature Wrapping
(00:19:50) Some SAML tests to try
(00:30:30) Sample Payload description
(00:34:10) Token Recipient confusion
(00:36:05) HackerOne Reports