Java: CWE-347 Query for detecting Signature Exclusion Attack with SAML assertion #6935
Conversation
Hey @luchua-bc, thanks for your contribution! I added some inline comments.
| } | ||
|
|
||
| /** Configuration of validating signature in XML file. */ | ||
| class SamlAssertionSignatureCheckConf extends TaintTracking::Configuration { |
I'm not convinced about this second taint tracking configuration. Mainly, because if there's a path that goes through validation, its source is completely discarded, even if there's another unsafe path (i.e. that doesn't validate the signature) starting from that same source.
I experimented a bit with the query and managed to transform this into a sanitizer for the first Configuration that effectively has the same logic, but only discards the flows that go through validation. It also prunes the flows earlier when the sanitizer is found (instead of calculating all flows and then discarding those with a source that gets validated somewhere), which results in less nodes being generated.
The diff is too big to comprehensively add it as a suggestion so, if you agree, I can commit it directly to your branch (and we can further discuss it if needed after that).
Thanks @atorralba for your help with optimizing this part. Yes, please commit it directly to my branch.
SAML (Security Assertion Markup Language) is an XML-based markup language for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. It is used for security assertions, which are statements that service providers use to make access-control decisions. SAML response messages consist of issuer, assertion (subject, conditions, and statements), signing key, and signature.
If SAML token does not contain any signature, no protection of integrity or authenticity is provided. Since no digital signature for the token is required, an attacker can generate tokens containing arbitrary identities of other users.
Java applications use the JAXB (Java Architecture for XML Binding) API for unmarshalling (reading) XML instance documents into Java content trees, and then marshalling (writing) Java content trees back into XML instance documents. The Java XML Digital Signature APIs are specified in JSR-105 and are implemented in the
javax.xml.cryptopackage, which are used to verify signature of SAML XML documents.The query detects missing signature check against SAML assertion XML documents. Please consider to merge the PR. Thanks.
The text was updated successfully, but these errors were encountered: