Posted to commits@cxf.apache.org by co...@apache.org on 2018/05/17 16:31:06 UTC
[cxf-fediz] 03/04: Adding entity expansion attacks for SAML SSO
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit e24d0e57844c1123acfe75c8926788e28ae78b47
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu May 17 17:22:35 2018 +0100
Adding entity expansion attack tests for SAML SSO
---
systests/tests/pom.xml | 5 ++
.../cxf/fediz/systests/common/AbstractTests.java | 71 ++++++++++++++++------
2 files changed, 59 insertions(+), 17 deletions(-)
diff --git a/systests/tests/pom.xml b/systests/tests/pom.xml
index 03e813c..a5750fa 100644
--- a/systests/tests/pom.xml
+++ b/systests/tests/pom.xml
@@ -45,6 +45,11 @@
<version>${project.version}</version>
</dependency>
<dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-core</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+ <dependency>
<groupId>net.sourceforge.htmlunit</groupId>
<artifactId>htmlunit</artifactId>
<version>${htmlunit.version}</version>
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
index da6dfdf..df17bdc 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
@@ -19,6 +19,9 @@
package org.apache.cxf.fediz.systests.common;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLEncoder;
import java.util.ArrayList;
@@ -41,11 +44,14 @@ import com.gargoylesoftware.htmlunit.util.NameValuePair;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
import org.apache.commons.io.IOUtils;
+import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.staxutils.StaxUtils;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
@@ -736,10 +742,6 @@ public abstract class AbstractTests {
@Test
public void testEntityExpansionAttack() throws Exception {
- if (!isWSFederation()) {
- return;
- }
-
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
String user = "alice";
String password = "ecila";
@@ -766,18 +768,37 @@ public abstract class AbstractTests {
String reference = "&m;";
for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
// Now modify the Signature
String value = result.getAttributeNS(null, "value");
- value = entity + value;
- value = value.replace("alice", reference);
- result.setAttributeNS(null, "value", value);
+
+ if (isWSFederation()) {
+ value = entity + value;
+ value = value.replace("alice", reference);
+ result.setAttributeNS(null, "value", value);
+ } else {
+ // Decode response
+ byte[] deflatedToken = Base64Utility.decode(value);
+ InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+ Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
+
+ // Modify SignatureValue to include the entity
+ String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+ Node signatureValue =
+ responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+ signatureValue.setTextContent(reference + signatureValue.getTextContent());
+
+ // Re-encode response
+ String responseMessage = DOM2Writer.nodeToString(responseDoc);
+ result.setAttributeNS(null, "value", Base64Utility.encode((entity + responseMessage).getBytes()));
+ }
}
}
// Invoke back on the RP
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlForm form = idpPage.getFormByName(getLoginFormName());
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
try {
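Review bot: Prepending `&m;` to the SignatureValue text on the `setTextContent` line breaks the signature whether or not the entity is expanded, so a rejected response cannot distinguish "RP refused the DOCTYPE" from "RP merely failed signature verification"; the WS-Federation branch avoids this by replacing `alice` with the reference, so an expanding parser would reproduce the signed content (assuming the entity defined outside this hunk expands to `alice`). Consider mirroring that in the SAML branch, e.g. `String responseMessage = DOM2Writer.nodeToString(responseDoc).replace("alice", reference);` and leaving SignatureValue untouched. Separately, `(entity + responseMessage).getBytes()` uses the platform default charset while the decode side reads as `UTF-8`; use `getBytes(StandardCharsets.UTF_8)` so the test is not platform-dependent. `deflatedToken` is a misleading name, since the value is only base64-decoded and never inflated. testEntityExpansionAttack starts and ends outside this hunk.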
@@ -793,9 +814,6 @@ public abstract class AbstractTests {
@Test
public void testEntityExpansionAttack2() throws Exception {
- if (!isWSFederation()) {
- return;
- }
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
String user = "alice";
@@ -823,18 +841,37 @@ public abstract class AbstractTests {
String reference = "&m;";
for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
// Now modify the Signature
String value = result.getAttributeNS(null, "value");
- value = entity + value;
- value = value.replace("alice", reference);
- result.setAttributeNS(null, "value", value);
+
+ if (isWSFederation()) {
+ value = entity + value;
+ value = value.replace("alice", reference);
+ result.setAttributeNS(null, "value", value);
+ } else {
+ // Decode response
+ byte[] deflatedToken = Base64Utility.decode(value);
+ InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+ Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
+
+ // Modify SignatureValue to include the entity
+ String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+ Node signatureValue =
+ responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+ signatureValue.setTextContent(reference + signatureValue.getTextContent());
+
+ // Re-encode response
+ String responseMessage = DOM2Writer.nodeToString(responseDoc);
+ result.setAttributeNS(null, "value", Base64Utility.encode((entity + responseMessage).getBytes()));
+ }
}
}
// Invoke back on the RP
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlForm form = idpPage.getFormByName(getLoginFormName());
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
try {
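Review bot: The SAML branch here is a verbatim copy of the one in testEntityExpansionAttack (decode, parse, prepend the reference to SignatureValue, re-encode), so any correction has to be applied twice; extract it into a private helper that takes the encoded value, the entity and the reference and returns the new attribute value. The helper is also the natural place for an explicit charset on the `getBytes()` call (which needs `java.nio.charset.StandardCharsets` imported), since without one it uses the platform default. testEntityExpansionAttack2 starts and ends outside this hunk.

```java
} else {
    result.setAttributeNS(null, "value", injectEntityIntoSamlResponse(value, entity, reference));
}
// … unchanged: form lookup and submit …

/**
 * Base64-decodes a SAML Response, prepends the entity reference to its SignatureValue,
 * then re-encodes it with the DOCTYPE/entity declaration in front.
 */
private static String injectEntityIntoSamlResponse(String encoded, String entity, String reference)
    throws Exception {
    byte[] decoded = Base64Utility.decode(encoded);
    Document responseDoc = StaxUtils.read(
        new InputStreamReader(new ByteArrayInputStream(decoded), StandardCharsets.UTF_8));
    Node signatureValue = responseDoc
        .getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "SignatureValue").item(0);
    signatureValue.setTextContent(reference + signatureValue.getTextContent());
    String responseMessage = DOM2Writer.nodeToString(responseDoc);
    return Base64Utility.encode((entity + responseMessage).getBytes(StandardCharsets.UTF_8));
}
```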
--