SaaS Vulnerabilities Workshop : SaaS as the new attack vector
About us • Cyber security experts from Adallom • AdallomLabs is the leading SaaS threats research center • Adallom monitors SaaS traffic from managed and unmanaged devices and detects attacks against company assets in the cloud
Agenda • Intro to the world of SaaS attacks • Training • Background on SAML • Hands on Workshop!! • Summary
SaaS allows access anywhere • Software-As-A-Service • Software and data hosted in the cloud • Allows “access anywhere” • Key stakeholders • SaaS provider • Company (Business unit and IT) • End Users
SaaS is a new attack vector • The common link: • Attack occurs outside of company network • Bypasses company controls • Very hard to detect
Anatomy of a SaaS attack • Objectives: • Persistent access to the CRM of the Acme organization • Initial research: • Use Salesforce.com for CRM
If this were on premise... • Requires a sophisticated cyber attack campaign
Anatomy of a SaaS attack • Requires a much simpler attack • Choose attack vector – Users. • Company network not relevant. SaaS provider too hard. • Open source intelligence – Focus on targets. • Social networks, social engineering, support forums, etc. • Compromise the user – Phishing, social engineering • Or compromise the device – Exploit home PC, mobile • End of game – Stealth. Persistent. Simple. One employee. One mistake. The attacker will eventually win.
Breakdown of SaaS attack vectors (diagram: vectors split between SaaS provider responsibility and enterprise responsibility)
Exercise Introduction • Attacking a SAAS website • WordPress based • Vulnerability is still exploitable in real websites • SSO & SAML in depth • XSW – XML Signature Wrapping attack
SAML Single Sign On (diagram: the user Sam, with question marks)
SAML Single Sign On • SSO – use only one password for all SAAS applications • Pros • Reducing password fatigue from different user name and password combinations • Reducing time spent re-entering passwords for the same identity • Reducing IT costs due to lower number of IT help desk calls about passwords • SAML – Security Assertion Markup Language
SAML Single Sign On (sequence diagrams, four slides, with the parties User, Service Provider (SP) and Identity Provider (IDP)): the user Sam presents credentials (User: sam@gmail.com, Password: S4mP@$$) to the IDP over SSL, the IDP issues a token with user = sam, and the SP accepts it over SSL.
SAML Single Sign On (diagrams continued): the flow is repeated for a second user (User: drevil@gmail.com, Password: 1337H4X0R), who receives a token with user = drevil; the slides contrast a token reading user = drevil with one reading user = sam as presented to the SP.
SAML Single Sign On • SAML Sample (slide shows a sample SAML document)
XSW – XML Signature Wrapping • XML Signature • Used to verify that data wasn’t modified during transportation. • May apply to specific XML elements or the whole XML document. • There is no standard for what elements should be signed.
XSW – XML Signature Wrapping • SOAP – Simple Object Access Protocol • Most web services use SOAP, which is XML based • SOAP basic structure: • <Envelope> - Root element • <Header> (optional) - Contains information that will be processed by SOAP nodes during transmission • <Body> - Contains call and response information
XSW – XML Signature Wrapping • Sample SOAP message (slide shows the message) • Receiver side's logic: if isValid(Signature) return fread(env["Body"]["GetFileContent"]) • Can it be used for malicious purposes?
XSW – XML Signature Wrapping • if isValid(Signature) • return fread(env["Body"]["GetFileContent"]) • (slide contrasts the Original Message with the Malicious Message)
XSW – XML Signature Wrapping • Causes • No common library for XML signature validation • Different logic is used to find the signed element and to read the element's data • NOTE: XSW is a generic attack and is NOT specific to SOAP!
Exercise • Main Goal • Original WordPress code + original OneLogin plugin • Training Process • Exercise composed of 6 phases • Hints and solutions will be available on wordpressfeed • Tools • Charles or any other web debugging proxy (Burp, Fiddler, mitmproxy, etc.)
Exercise • Phase 0 • Goal: Prepare environment • Resources • http://www.adallombh.com/box • Target Service provider • https://www.adallombh.com • Identity provider • https://app.onelogin.com/login • Password for OneLogin • Password1!
Exercise • Phase 1 • Goal: Extract the SAML token • Hint #1: Use Charles for capturing HTTP traffic • Hint #2: Recall the flow of SAML (in your handout) • Hint #3: SAML is encoded and thus will not look like XML • Solution video is available on adallombh.com
Exercise • Phase 2 • Goal: Decode the SAML token • Hint #1: Response is passed by HTTP and thus must be URL encoded • Hint #2: Response is also encoded in Base64 • Solution video is available on adallombh.com
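The two decoding layers named in the Phase 1 and Phase 2 hints (URL encoding, then Base64) carried out in one script, as an added example that is not part of the workshop material or the plugin. It is written for the HTTP-POST binding the exercise captures, and goes one step beyond the slides by also handling the HTTP-Redirect binding, where a raw DEFLATE layer sits under the Base64. The sample POST body and query string are constructed here, as is the field name used for the redirect sample.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def decode_post_binding(post_body):
    """HTTP-POST binding (what the exercise captures): the SAMLResponse form field is
    URL-encoded on the wire and carries Base64 of the XML. parse_qs undoes the URL
    encoding; b64decode the rest."""
    token = urllib.parse.parse_qs(post_body)["SAMLResponse"][0]
    return base64.b64decode(token)


def decode_redirect_binding(query_string, field="SAMLRequest"):
    """HTTP-Redirect binding (not used in the exercise, but common): one extra layer,
    raw DEFLATE, sits under the Base64. wbits=-15 tells zlib there is no header."""
    token = urllib.parse.parse_qs(query_string)[field][0]
    return zlib.decompress(base64.b64decode(token), -15)


def summarize(xml_bytes):
    """What to look at once the XML is readable: whom the token names and whether
    any ds:Signature is present at all."""
    root = ET.fromstring(xml_bytes)
    name_id = root.find(".//saml:NameID", NS)
    return {"name_id": name_id.text if name_id is not None else None,
            "signatures": len(root.findall(".//ds:Signature", NS))}


# Constructed sample, standing in for what the proxy shows in the POST to the SP.
SAMPLE_XML = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
              b'<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>sam@gmail.com'
              b'</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
SAMPLE_POST_BODY = urllib.parse.urlencode(
    {"SAMLResponse": base64.b64encode(SAMPLE_XML).decode(), "RelayState": "/wp-admin/"})

# Constructed redirect-binding sample: raw DEFLATE (no zlib header), then Base64, then URL.
_deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_REDIRECT_QS = urllib.parse.urlencode(
    {"SAMLResponse": base64.b64encode(_deflater.compress(SAMPLE_XML) + _deflater.flush()).decode()})

if __name__ == "__main__":
    print(decode_post_binding(SAMPLE_POST_BODY).decode())
    print(summarize(decode_redirect_binding(SAMPLE_REDIRECT_QS, "SAMLResponse")))
```

Paste the body of the captured POST into `decode_post_binding` to get the XML the Phase 2 hints describe; `summarize` shows at a glance which NameID the token carries and whether it is signed, which is the starting point for Phase 4.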
Exercise • Phase 3 (Optional) • Goal: Build and post custom SAML token • Hint #1: White spaces are not allowed in SAML • Hint #2: Use Charles' "edit" feature for manipulating the original request • Solution video is available on adallombh.com • (screenshot: "Response is valid", "Email is custom@saml.org") • Note: This phase intends to verify that you are able to send your own SAML response. If you feel comfortable with that, you may continue to phase 4.
Exercise • Phase 4 • Goal: Manipulate SAML token for gaining admin access • Targeted user name: admin@adallom.com • Hint #1: Source code may come in handy. It may be found at the WordPress plugins site. • Hint #2: Draw diagrams for better understanding of SAML structure • Hint #3: Video is available on adallombh.com • Solution video is available on adallombh.com
Exercise • Phase 5 • Goal: Publish a post telling you’re the best hacker • Hint #1: Breakpoints or Cookie Editing may come in handy • Solution video is available on adallombh.com
The exploit php/lib/onelogin/saml/authenticate.php • Authentication process on SP • Validate SAML Signature • Check NameID against wordpress’s user list • Generate authenticated cookie
The exploit php/lib/onelogin/saml/response.php • User name extraction • Find all matches for NameID element • Use the first match as the user name • User name manipulation – DONE!
The exploit (slide contrasts the Original SAML with the Malicious SAML)
The exploit php/onelogin/saml/xmlsec.php • Steps • Locate signature • Validate reference • Locate key • Verify key • Why doesn't the manipulation invalidate the signature?
The exploit • Locate signature (slide shows the relevant xmlsec.php code)
The exploit • Validate reference (slide shows the relevant xmlsec.php code)
The exploit • There are many other possibilities for getting the same result (slide contrasts the Original SAML with a Malicious SAML using Id = 1337)
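The root cause named on the XSW "Causes" slide, and the two pieces of plugin logic walked through above (response.php taking the first NameID in the document, xmlsec.php locating the signature and validating its reference), side by side with the hardened form, as an added example in Python that is not the plugin's code or the workshop's solution. It assumes a toy HMAC "signature" over the referenced element in place of real XML-DSig (no C14N, no SignedInfo, no RSA), and the function names, the constructed key and the sample documents are mine. The `wrapped_test_vector` input reproduces the shape of the "Malicious SAML" slide so the two login routines can be compared on it.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)      # fixed prefixes keep serialisation stable
SAML, DS = "{%s}" % NS["saml"], "{%s}" % NS["ds"]

# Constructed stand-in for the IdP signing key. A real IdP signs with RSA and the SP
# verifies against the IdP certificate; HMAC keeps the example self-contained.
IDP_KEY = b"constructed-idp-key"


def _canonical(elem):
    """Bytes that get signed: the element with its own ds:Signature removed. Stands in
    for C14N plus the enveloped-signature transform of XML-DSig."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall(DS + "Signature"):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def sign_element(elem):
    """Toy enveloped signature: Reference URI='#<ID>' names the element it covers."""
    mac = hmac.new(IDP_KEY, _canonical(elem), hashlib.sha256).digest()
    sig = ET.SubElement(elem, DS + "Signature")
    ET.SubElement(sig, DS + "Reference", URI="#" + elem.get("ID"))
    ET.SubElement(sig, DS + "SignatureValue").text = base64.b64encode(mac).decode()


def verify_signed_element(root):
    """The xmlsec.php steps (locate signature, validate reference, locate key, verify),
    plus the checks that make the answer to 'which element is signed?' unambiguous.
    Returns that element: the only subtree the SP is entitled to trust."""
    sigs = root.findall(".//" + DS + "Signature")
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature, found %d" % len(sigs))
    sig = sigs[0]
    uri = sig.find(DS + "Reference").get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]  # resolve ID ourselves
    if len(matches) != 1:
        raise ValueError("Reference must resolve to exactly one element")
    signed = matches[0]
    if sig not in list(signed):
        raise ValueError("Signature must be enveloped in the element it signs")
    expected = hmac.new(IDP_KEY, _canonical(signed), hashlib.sha256).digest()
    given = base64.b64decode(sig.find(DS + "SignatureValue").text)
    if not hmac.compare_digest(expected, given):
        raise ValueError("signature does not verify")
    return signed


def login_vulnerable(token):
    """response.php as described on the slides: the signature is checked somewhere in
    the document, then the FIRST NameID anywhere in the document becomes the user."""
    root = ET.fromstring(token)
    verify_signed_element(root)
    return root.find(".//" + SAML + "NameID").text


def login_hardened(token):
    """Same two steps, but the user is read only from the signed subtree, and an
    unsigned Response may carry no Assertion other than the signed one."""
    root = ET.fromstring(token)
    signed = verify_signed_element(root)
    if signed is not root and root.findall(".//" + SAML + "Assertion") != [signed]:
        raise ValueError("every Assertion must be covered by the signature")
    name_ids = signed.findall(".//" + SAML + "NameID")
    if len(name_ids) != 1:
        raise ValueError("signed element must contain exactly one NameID")
    return name_ids[0].text


def build_response(name_id):
    """Constructed minimal IdP Response carrying one signed Assertion."""
    resp = ET.Element("{%s}Response" % NS["samlp"], ID="_r1")
    assertion = ET.SubElement(resp, SAML + "Assertion", ID="_a1")
    ET.SubElement(ET.SubElement(assertion, SAML + "Subject"), SAML + "NameID").text = name_id
    sign_element(assertion)
    return ET.tostring(resp, encoding="utf-8")


def wrapped_test_vector(token, name_id):
    """Regression input shaped like the 'Malicious SAML' slide: the signed Assertion is
    left intact and an unsigned Assertion with another NameID is placed before it."""
    root = ET.fromstring(token)
    extra = ET.Element(SAML + "Assertion", ID="_unsigned")
    ET.SubElement(ET.SubElement(extra, SAML + "Subject"), SAML + "NameID").text = name_id
    root.insert(0, extra)
    return ET.tostring(root, encoding="utf-8")


def rejects(login, token):
    """True when the login routine refuses the token."""
    try:
        login(token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    genuine = build_response("sam")
    wrapped = wrapped_test_vector(genuine, "admin")
    print(login_vulnerable(genuine), login_vulnerable(wrapped))      # sam admin
    print(login_hardened(genuine), rejects(login_hardened, wrapped))  # sam True
```

The signature really does verify on the wrapped document in both routines, which answers the question on the xmlsec.php slide: the signed Assertion was never touched, so its digest still matches. What differs is which element each routine reads the user from. The hardened routine also refuses duplicate IDs and a signature that is not enveloped in the element its Reference names, which closes the "many other possibilities" the last slide alludes to.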
Summary • Admin's password was: • X7r3MelyH@rdP@$$0rd • This specific XSW exploit was first introduced at USENIX 2012 by Juraj Somorovsky • What caused this vulnerability? • SAML is a complicated protocol • No awareness of SaaS vulnerabilities