You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2018/05/17 16:31:06 UTC

[cxf-fediz] 03/04: Adding entity expansion attacks for SAML SSO

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit e24d0e57844c1123acfe75c8926788e28ae78b47
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu May 17 17:22:35 2018 +0100

    Adding entity expansion attacks for SAML SSO
---
 systests/tests/pom.xml                             |  5 ++
 .../cxf/fediz/systests/common/AbstractTests.java   | 71 ++++++++++++++++------
 2 files changed, 59 insertions(+), 17 deletions(-)

diff --git a/systests/tests/pom.xml b/systests/tests/pom.xml
index 03e813c..a5750fa 100644
--- a/systests/tests/pom.xml
+++ b/systests/tests/pom.xml
@@ -45,6 +45,11 @@
             <version>${project.version}</version>
         </dependency>
         <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-core</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
             <groupId>net.sourceforge.htmlunit</groupId>
             <artifactId>htmlunit</artifactId>
             <version>${htmlunit.version}</version>
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
index da6dfdf..df17bdc 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
@@ -19,6 +19,9 @@
 
 package org.apache.cxf.fediz.systests.common;
 
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.util.ArrayList;
@@ -41,11 +44,14 @@ import com.gargoylesoftware.htmlunit.util.NameValuePair;
 import com.gargoylesoftware.htmlunit.xml.XmlPage;
 
 import org.apache.commons.io.IOUtils;
+import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.xml.security.keys.KeyInfo;
 import org.apache.xml.security.signature.XMLSignature;
@@ -736,10 +742,6 @@ public abstract class AbstractTests {
     @Test
     public void testEntityExpansionAttack() throws Exception {
 
-        if (!isWSFederation()) {
-            return;
-        }
-
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
         String user = "alice";
         String password = "ecila";
@@ -766,18 +768,37 @@ public abstract class AbstractTests {
         String reference = "&m;";
 
         for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+            if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
                 // Now modify the Signature
                 String value = result.getAttributeNS(null, "value");
-                value = entity + value;
-                value = value.replace("alice", reference);
-                result.setAttributeNS(null, "value", value);
+                
+                if (isWSFederation()) {
+                    value = entity + value;
+                    value = value.replace("alice", reference);
+                    result.setAttributeNS(null, "value", value);
+                } else {
+                    // Decode response
+                    byte[] deflatedToken = Base64Utility.decode(value);
+                    InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+                    Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
+                    
+                    // Modify SignatureValue to include the entity
+                    String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+                    Node signatureValue =
+                        responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+                    signatureValue.setTextContent(reference + signatureValue.getTextContent());
+                    
+                    // Re-encode response
+                    String responseMessage = DOM2Writer.nodeToString(responseDoc);
+                    result.setAttributeNS(null, "value", Base64Utility.encode((entity + responseMessage).getBytes()));
+                }
             }
         }
 
         // Invoke back on the RP
 
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlForm form = idpPage.getFormByName(getLoginFormName());
         final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
 
         try {
@@ -793,9 +814,6 @@ public abstract class AbstractTests {
 
     @Test
     public void testEntityExpansionAttack2() throws Exception {
-        if (!isWSFederation()) {
-            return;
-        }
 
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
         String user = "alice";
@@ -823,18 +841,37 @@ public abstract class AbstractTests {
         String reference = "&m;";
 
         for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+            if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
                 // Now modify the Signature
                 String value = result.getAttributeNS(null, "value");
-                value = entity + value;
-                value = value.replace("alice", reference);
-                result.setAttributeNS(null, "value", value);
+                
+                if (isWSFederation()) {
+                    value = entity + value;
+                    value = value.replace("alice", reference);
+                    result.setAttributeNS(null, "value", value);
+                } else {
+                    // Decode response
+                    byte[] deflatedToken = Base64Utility.decode(value);
+                    InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+                    Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
+                    
+                    // Modify SignatureValue to include the entity
+                    String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+                    Node signatureValue =
+                        responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+                    signatureValue.setTextContent(reference + signatureValue.getTextContent());
+                    
+                    // Re-encode response
+                    String responseMessage = DOM2Writer.nodeToString(responseDoc);
+                    result.setAttributeNS(null, "value", Base64Utility.encode((entity + responseMessage).getBytes()));
+                }
             }
         }
 
         // Invoke back on the RP
 
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlForm form = idpPage.getFormByName(getLoginFormName());
         final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
 
         try {

-- 
To stop receiving notification emails like this one, please contact
coheigea@apache.org.