SAML Attacks for Bug Hunters: XSW, Comment Injection, Replay
Cybersecurity
SAML SSO is bounty gold because the spec is sprawling and signature validation is hard to do right. This piece walks through XML Signature Wrapping, comment injection in NameIDs, replay weaknesses, and how to demonstrate cross-tenant impact safely.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 17, 2023 · 10 min read
Why SAML Bugs Are Worth Hunting
SAML carries identity assertions, often with admin or executive accounts attached. A single signature validation bug can produce cross-tenant ATO.
XML Signature Wrapping
XSW abuses the gap between the signed element and the element that the application reads. You wrap the original signed assertion, then add an unsigned attacker assertion that the parser picks up but the validator ignores.
- XSW1 to XSW8 each move the malicious assertion to a different position
- Library-specific tricks for OpenSAML, python-saml, ruby-saml
- SAMLRaider for Burp automates the variants
Comment Injection in NameID
Some XML canonicalization paths strip comments before signing. Inject admin@target.com<!-- -->.attacker.com inside a NameID: the signature still verifies over the full canonicalized value, while the SP's text extraction stops at the comment and authorizes the shortened admin@target.com.
Replay and Conditions Bypass
Assertions should be single-use with tight NotBefore and NotOnOrAfter windows. Many implementations skip replay tracking or accept long validity windows. Replay an old assertion captured in a referer log or proxy.
Audience and Recipient Confusion
If the SP accepts assertions intended for another SP in the same federation, an attacker who can sign for one app can log into another. Check the Audience element and the SubjectConfirmationData Recipient.
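The SP-side checks the replay and audience sections above call for, as an added example that is not code from the original post: it enforces a tight Conditions window, the Audience, the SubjectConfirmationData Recipient, and single use by assertion ID. It assumes signature verification has already passed on the element it receives, and the hosts and ID in the sample are constructed placeholders.

```python
# Added example, not code from the original post: the SP-side checks for the
# Conditions, Audience, Recipient and single-use rules described above.
# Assumes the caller has already verified the XML signature over this element.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = dt.timedelta(minutes=2)          # tolerated clock skew between IdP and SP
MAX_WINDOW = dt.timedelta(minutes=10)   # reject assertions valid for longer than this

def parse_ts(s):
    # SAML timestamps are UTC, e.g. 2023-02-17T10:00:00Z
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_assertion(xml_text, audience, recipient, now, seen_ids):
    """Return (ok, reason). seen_ids must persist across requests (e.g. a DB table)."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing Conditions window"
    nb, noa = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if noa - nb > MAX_WINDOW:
        return False, "validity window too long"
    if now < nb - SKEW or now >= noa + SKEW:
        return False, "outside validity window"
    auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in auds:
        return False, "audience mismatch"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        return False, "recipient mismatch"
    aid = a.get("ID")
    if not aid or aid in seen_ids:           # replay: same assertion ID seen before
        return False, "replayed or missing assertion ID"
    seen_ids.add(aid)
    return True, "ok"

# Constructed sample assertion (hosts and ID are placeholders, not real systems).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_sample-1" Version="2.0" IssueInstant="2023-02-17T10:00:00Z">
  <saml:Subject><saml:NameID>user@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
        NotOnOrAfter="2023-02-17T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2023-02-17T10:00:00Z" NotOnOrAfter="2023-02-17T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

A second submission of the same assertion is rejected by the ID cache, and an assertion minted for another SP in the federation fails the audience or recipient check even though its signature is valid.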
Encryption and Algorithm Downgrade
Old SAML libraries accepted RSA-SHA1 long after it was unsafe. Some accepted unsigned assertions when only the response was signed, others accepted signed responses but read unsigned assertions inside.
Tooling
- SAMLRaider for XSW automation in Burp
- saml-tracer Firefox extension for capture and replay
- xmlsec1 for crafting valid signatures during testing
- Custom IdP using SimpleSAMLphp for controlled experiments
Finding SAML Endpoints
- /saml, /sso, /acs, /Shibboleth.sso are common paths
- EntityDescriptor metadata XML often exposed for federation
- RelayState parameter often unvalidated, useful for open redirects
RelayState Abuse
Many SPs accept any URL in RelayState and redirect to it after login. Combine it with login CSRF for chains, or use it directly as an open redirect that lends credibility to phishing pages.
Reporting Without Spooking the Customer
Use a test tenant where possible. If you must use production, log in as your own account but craft an assertion claiming a non-existent admin identity. Demonstrate the bypass without touching real user data.
SAML bugs reward patience with XML, not luck. Read the assertion byte by byte and the bugs will surface.
Closing
Identity provider quality varies and SP code is older than most modern stacks. SAML hunting still pays in bounty programs where SSO carries real privilege.