SAML Authentication
1. Sign into target.com as an organization owner (attacker).
2. Configure a SAML 2.0 Provider (Okta) on your attacker account by following the SAML docs.
3. Enable SAML authentication and enable user provisioning.
4. In your SAML IdP (Okta admin console), create/add a person with the victim email and set a password for that account.
5. Also in Okta, assign that newly created user to the Org application (so SAML assertions can be issued for it). Okta assignments path:
https://trial-#lol-admin.okta.com/admin/app/org/instance/<INSTANCE_ID>#tab-assignments
Add user <victim@example.com> to the org app.
6. Open an incognito/private browser window, navigate to your org's SAML login URL (IdP-initiated) and sign in with the victim email and the password you set in Okta:
Email: victim@example.com
Password: (the password the attacker set during creation)
7. After successful IdP authentication, the SP (target.com) issues a session.
As the attacker (exploit actions enabled by the victim session)
8. With the attacker-controlled session that now carries the victim's user id (while the token still carries the attacker's account id), issue requests whose authorization relies on the user id (example: edit user settings).
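The root cause of the flow above is the service provider binding an incoming assertion to an existing account purely by the email attribute the IdP asserts. The following is an added example (not target.com's code and not part of the original writeup) of the account-linking decision a SAML SP should make at login: it accepts an assertion for a pre-existing account only if the org has proven ownership of that email's domain, or the user already linked that exact (issuer, NameID) identity through an authenticated session. All names, the `Org`/`User`/`Assertion` types and the `users_by_email` lookup are constructed stand-ins.

```python
"""Added example: safe SAML JIT account resolution on the SP side.

Assumption (not from the page): the SP keeps, per org, the entity id of its
configured IdP and the set of email domains the org has verified (for
instance via a DNS TXT record), and keeps, per user, the IdP identities that
user explicitly linked while authenticated.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    email: str
    # (idp_entity_id, name_id) pairs linked through an authenticated session
    linked_identities: set = field(default_factory=set)


@dataclass
class Org:
    org_id: str
    idp_entity_id: str        # Issuer the org configured as its SAML IdP
    verified_domains: set     # email domains the org proved ownership of
    jit_provisioning: bool = True


@dataclass
class Assertion:
    issuer: str               # <saml:Issuer> of the response (signature already verified)
    name_id: str              # persistent NameID from the IdP
    email: str                # email attribute asserted by the IdP


class LinkRefused(Exception):
    """Raised when no session may be issued for this assertion."""


def resolve_saml_login(assertion, org, users_by_email):
    """Decide what a verified assertion may be bound to.

    Returns ("existing", user_id) when a session may be issued for an existing
    account, or ("provision", email) when the caller may create a new account
    and record (issuer, name_id) on it.  Raises LinkRefused otherwise.
    `users_by_email` is a constructed stand-in for the SP's user lookup.
    """
    if assertion.issuer != org.idp_entity_id:
        raise LinkRefused("assertion issued by an IdP not configured for this org")

    email = assertion.email.strip().lower()
    if "@" not in email:
        raise LinkRefused("asserted email is malformed")
    domain = email.rsplit("@", 1)[1]
    identity = (assertion.issuer, assertion.name_id)
    existing = users_by_email.get(email)

    if existing is None:
        # No such account: JIT-provision only inside domains the org controls,
        # so an org owner cannot mint accounts for arbitrary third-party addresses.
        if not org.jit_provisioning:
            raise LinkRefused("unknown user and JIT provisioning is disabled")
        if domain not in org.verified_domains:
            raise LinkRefused("will not provision an address outside the org's verified domains")
        return ("provision", email)

    # Existing account: an IdP-asserted email is not proof of ownership.  Bind
    # only if the org controls the domain or this identity was linked before.
    if identity in existing.linked_identities:
        return ("existing", existing.user_id)
    if domain in org.verified_domains:
        return ("existing", existing.user_id)
    raise LinkRefused("existing account outside verified domains; explicit account linking required")


if __name__ == "__main__":
    # Constructed sample: an org whose IdP asserts an email it does not own.
    victim = User("u-victim", "victim@example.com")
    org = Org("org-attacker", "https://idp.attacker-corp.test", {"attacker-corp.test"})
    a = Assertion("https://idp.attacker-corp.test", "okta|00u1", "victim@example.com")
    try:
        print(resolve_saml_login(a, org, {victim.email: victim}))
    except LinkRefused as e:
        print("refused:", e)
```

Step 8 also shows a second defect worth checking independently of the linking policy: the session carries one principal's user id and another's account id, and authorization keys on the user id alone. Authorization decisions should derive every identifier from a single, internally consistent session principal, and a session whose user id and account id disagree should be rejected at issuance rather than trusted downstream.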