DIG DEEPER TO FIND WATER & NOT WIDER -P.M.PATEL

Wednesday, May 31, 2023

Testing SAML Endpoints For XML Signature Wrapping Vulnerabilities

A lot can go wrong when validating SAML messages. When auditing SAML endpoints, it is important to look for vulnerabilities in the signature validation logic. XML Signature Wrapping (XSW) against SAML is an attack in which a manipulated SAML message is submitted so that the endpoint validates the signed parts of the message (which are intact and validate correctly) while processing a different, attacker-generated part of the message when it extracts the authentication statements. Because the attacker can then forge arbitrary SAML assertions that the vulnerable endpoint accepts as valid, the impact can be severe. [1,2,3]
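The root cause described above is a mismatch between the element whose signature was checked and the element the application actually consumes. The following script is an added illustration of that mismatch from the defender's side; it is not code from the post or from EsPReSSO. It builds a constructed SAML Response in which an unsigned assertion has been wrapped in ahead of the genuinely signed one, shows a naive consumer ("take the first Assertion") picking the wrong element, and then shows the checks a hardened consumer performs after the library has verified the signature: resolve the Signature's Reference URI, require that ID to be unique, require the referenced element to be an Assertion with the Signature enveloped inside it, and reject any other Assertion in the document. The DigestValue and SignatureValue contents, the IDs and the subjects are placeholders; cryptographic verification of the signature is assumed to have been done by the SAML library beforehand.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]

# Constructed: the assertion the IdP really signed. Digest/signature values are
# placeholders; a real consumer verifies them with its SAML library first.
SIGNED_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_signed" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_signed"><ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>
"""

# Constructed: an unsigned assertion for a different subject, wrapped into the
# same response. The real signature still validates because it only covers
# the element with ID "_signed".
WRAPPED = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_other" Version="2.0">
  <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
</saml:Assertion>
"""


def build_response(wrapped_assertion: str = "") -> str:
    """Constructed SAML Response; an optional extra assertion is placed before the signed one."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp" Version="2.0">\n'
        + wrapped_assertion
        + SIGNED_ASSERTION
        + "</samlp:Response>"
    )


def naive_subject(xml_text: str) -> str:
    """Vulnerable pattern: consume the first Assertion in document order."""
    root = ET.fromstring(xml_text)
    first = root.find(".//saml:Assertion", NS)
    return first.find("saml:Subject/saml:NameID", NS).text


def signed_subject(xml_text: str) -> str:
    """Hardened pattern: consume only the element the (verified) signature references."""
    root = ET.fromstring(xml_text)
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        raise ValueError("expected exactly one Signature")
    sig = signatures[0]
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise ValueError("expected exactly one same-document Reference")
    target_id = refs[0].get("URI")[1:]
    # The ID must resolve to exactly one element; duplicated IDs are a classic
    # wrapping trick and are rejected outright.
    targets = [el for el in root.iter() if el.get("ID") == target_id]
    if len(targets) != 1:
        raise ValueError("referenced ID is missing or duplicated")
    target = targets[0]
    if target.tag != ASSERTION_TAG:
        raise ValueError("signature does not cover an Assertion")
    if sig not in list(target):
        raise ValueError("Signature is not enveloped in the signed Assertion")
    others = [el for el in root.iter(ASSERTION_TAG) if el is not target]
    if others:
        raise ValueError("unsigned Assertion present alongside the signed one")
    return target.find("saml:Subject/saml:NameID", NS).text


def rejects(xml_text: str) -> bool:
    """True when the hardened consumer refuses the message."""
    try:
        signed_subject(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive consumer, wrapped message :", naive_subject(build_response(WRAPPED)))
    print("hardened consumer, clean message:", signed_subject(build_response()))
    print("hardened consumer rejects wrapped:", rejects(build_response(WRAPPED)))
```

The test for an endpoint is therefore not only "does the signature verify" but "is the assertion handed to the application the same element the Reference URI points at, and is that ID unique"; the semi-automated mode described below is a way of exercising exactly that question against many structural variants.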

Testing for XSW vulnerabilities in SAML endpoints can be a tedious process: the auditor needs to know the details of the various XSW techniques, and must also handle a multitude of repetitive copy-and-paste tasks and apply the appropriate encoding to each message. The latest revision of the XSW-Attacker module in our Burp Suite extension EsPReSSO makes this testing process easier, and even comes with a semi-automated mode. Read on to learn more about the new release!

SAML XSW-Attacker

After a signed SAML message has been intercepted using the Burp Proxy and is shown in EsPReSSO, you can open the XSW-Attacker by navigating to the SAML tab and then the Attacker tab. Select Signature Wrapping from the drop-down menu, as shown in the screenshot below:



To simplify its use, the XSW-Attacker performs the attack in a two-step process of initialization and execution, reflected by its two tabs, Init Attack and Execute Attack. The interface of the XSW-Attacker is depicted below.
XSW-Attacker overview

The Init Attack tab displays the current SAML message. To execute a signature wrapping attack, a payload needs to be configured so that values of the originally signed message are replaced with values of the attacker's choice. To do this, enter the value of a text node you wish to replace in the Current value text field. Insert the replacement value in the text field labeled New value and click the Add button. Multiple values can be provided; however, all of them must be child nodes of the signed element. Valid substitution pairs and the corresponding XPath selectors are displayed in the Modifications Table. To delete an entry from the table, select the entry and press `Del`, or use the right-click menu.

Next, click the Generate vectors button. This prepares the payloads accordingly and brings the Execute Attack tab to the front of the screen.

At the top of the Execute Attack tab, select one of the pre-generated payloads. The structure of the selected vector is explained in a shorthand syntax in the text area below the selector.
The text area labeled Attack vector is editable and can be used to manually fine-tune the chosen payload if necessary. The Pretty print button opens a syntax-highlighted overview of the current vector.
To submit the manipulated SAML response, use Burp's Forward button (or Go, while in the Repeater).

Automating XSW-Attacker with Burp Intruder

Burp's Intruder tool sends automated requests with varying payloads to a test target and analyzes the responses. EsPReSSO now includes a Payload Generator called XSW Payloads to facilitate testing XML processing endpoints for XSW vulnerabilities. The following paragraphs explain how to use the automated XSW attacker with a SAML response.

First, open an intercepted request in Burp's Intruder (e.g., by pressing `Ctrl+i`). For the attack type, select Sniper. Open the Intruder's Positions tab and clear all payload positions except the value of the XML message (the `SAMLResponse` parameter, in our example). Note: the XSW-Attacker can only handle XML messages that contain exactly one XML Signature.
Next, switch to the Payloads tab and, for the Payload Type, select Extension-generated. From the newly added Select generator drop-down menu, choose XSW Payloads, as depicted in the screenshot below.



While still in the Payloads tab, disable the URL-encoding checkbox in the Payload Encoding section, since the encoding of the generated payloads is handled automatically, which should suffice for most cases.
Click the Start Attack button and a new window will pop up. This window is shown below and is similar to the XSW-Attacker's Init Attack tab.


Configure the payload as explained in the section above. In addition, a schema analyzer can be selected, and the checkboxes at the bottom of the window allow the tester to choose a specific encoding. For most cases, however, the detected presets should be correct.

Click the Start Attack button and the Intruder will start sending each of the pre-generated vectors to the configured endpoint. Note that this may result in a huge number of outgoing requests. To make it easier to recognize successful Signature Wrapping attacks, it is recommended to use the Intruder's Grep-Match functionality. As an example, consider adding the replacement values from the Modifications Table as a Grep-Match rule in the Intruder's Options tab. By doing so, a successful attack vector will be marked with a checkmark in the results table if the response includes any of the configured grep rules.

Credits

EsPReSSO's XSW-Attacker is based on the WS-Attacker [4] library by Christian Mainka, and the original adaptation for EsPReSSO was implemented by Tim Günther.
Our students Nurullah Erinola, Nils Engelberts and David Herring did a great job improving the execution of XSW and implementing a much better UI.

---

[1] On Breaking SAML - Be Whoever You Want to Be
[2] Your Software at My Service
[3] Security Analysis of XAdES Validation in the CEF Digital Signature Services (DSS)
[4] WS-Attacker

eMAPT - Mobile Application Penetration Testing Professional


The eMAPT - Mobile Application Penetration Testing Professional course from the popular eLearnSecurity Institute and INE is an advanced mobile application penetration testing course. The prerequisite for this course is completion of the eJPT course. In the eMAPT course, you will learn penetration testing of iOS and Android software at a high level. The course covers basic topics such as the structure of iOS and Android software, compiling and signing software, security in iOS and Android, and reverse engineering of iOS and Android software, as well as finding SQL injection vulnerabilities, software analysis and usage.

Course prerequisites

  • Completion of the eJPT course

Course specifications

  • Course level: Intermediate
  • Time: 11 hours and 7 minutes
  • Includes: 17 videos | 21 slides
  • Professor: Anthony Trummer

eMAPT Course Content - Mobile Application Penetration Testing Professional

  • Android & Mobile App Pentesting
  • Android Architectures
  • Setting up a Testing Environment
  • Android Build Process
  • Reversing APKs
  • Device Rooting
  • Android Application Fundamentals
  • Network Traffic
  • Device and Data Security
  • Tapjacking
  • Static Code Analysis
  • Dynamic Code Analysis
  • iOS & Mobile App Pentesting
  • iOS Architecture
  • Jailbreaking Device
  • Setting up a Testing Environment
  • iOS Build Process
  • Reversing iOS Apps
  • iOS Application Fundamentals
  • iOS Testing Fundamentals
  • Network Traffic
  • Device Administration
  • Dynamic Analysis






eCPTX - Advanced Penetration Testing

 


The eCPTX - Advanced Penetration Testing course from the popular eLearnSecurity Institute and INE is an advanced penetration testing course. The prerequisites for this course are completion of eJPT and eCPPTv2. The eCPTX course is one of the most popular and difficult courses in the field of penetration testing. It has four sections: 1. Preparing for attacks; 2. Active Directory red teaming; 3. Red teaming on critical infrastructure; 4. Evasion and bypass techniques. In this course you will gain a deep understanding of red teaming, backdoors, client-side exploitation, building custom payloads, Active Directory penetration testing, evasion of defensive tools such as antivirus or IDS/IPS, thorough scrutiny of the target to find misconfigurations and weaknesses, as well as covert operations and stability. The eLearnSecurity Institute roadmap is included in the High Quality Images section.


Course prerequisites

  • eJPT course
  • eCPPTv2 course

Course specifications

  • Course level: Advanced
  • Time: 7 hours and 57 minutes
  • Includes: 9 videos | 8 labs | 7 slides
  • Professor: Andres Doreste

eCPTX Course Content - Advanced Penetration Testing

  • Preparing the Attack
  • Social Engineering Attack Vectors
  • Red Teaming Active Directory
  • Advanced Active Directory Reconnaissance & Enumeration
  • Red Teaming Active Directory
  • Red Teaming Critical Domain Infrastructure
  • Red Teaming MS SQL Server
  • Red Teaming Exchange
  • Red Teaming WSUS
  • Evasion
  • Defense Evasion






Tuesday, May 30, 2023

ChopChop - ChopChop Is A CLI To Help Developers Scanning Endpoints And Identifying Exposition Of Sensitive Services/Files/Folders


ChopChop is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT.

Its goal is to scan several endpoints and identify exposure of services/files/folders through the webroot. Checks/signatures are declared in a config file (by default chopchop.yml) that is fully configurable, in particular by developers.



"Chop chop" is a phrase rooted in Cantonese. "Chop chop" means "hurry" and suggests that something should be done now and without delay.


Building

We tried to make the build process painless and hopefully, it should be as easy as:

$ go mod download
$ go build .

There should be a resulting gochopchop binary in the folder.


Using Docker

Thanks to the GitHub Container Registry, we are able to provide freshly built Docker images!

docker run ghcr.io/michelin/gochopchop scan https://foobar.com -v debug

But if you prefer, you can also build it locally, see below:


Build locally
docker build -t gochopchop .

Usage

We are continuously trying to make goChopChop as easy as possible. Scanning a host with this utility is as simple as:

$ ./gochopchop scan https://foobar.com

Using Docker
docker run gochopchop scan https://foobar.com

Custom configuration file (the host path given to -v must be absolute, hence $(pwd))
docker run -v "$(pwd)":/app gochopchop scan -c /app/chopchop.yml https://foobar.com

What's next

The Golang rewrite took place a couple of months ago but there is still so much to do. Here are some features we are planning to integrate:

  • [x] Threading for better performance
  • [x] Ability to specify the number of concurrent threads
  • [x] Colors and better formatting
  • [x] Ability to filter checks/signatures to search for
  • [x] Mock and unit tests
  • [x] GitHub CI

And much more!


Testing

To quickly end-to-end test ChopChop, we provide a web server in tests/server.go. To try it, run go run tests/server.go, then run ChopChop with the following command: ./gochopchop scan http://localhost:8000 --verbosity Debug. ChopChop should print "no vulnerabilities found".

There are also unit tests that you can launch with go test -v ./... These tests are integrated into the GitHub CI workflow.


Available flags

The flags available for the scan command are:

Flag  Full flag          Description
-h    --help             Help wizard
-v    --verbosity        Verbosity level of logging
-c    --signature        Path of custom signature file
-k    --insecure         Disable SSL verification
-u    --url-file         Path to a file containing URLs to test
-b    --max-severity     Block the CI pipeline if severity is equal to or over the specified level
-e    --export           Export type of the output (csv and/or json)
      --export-filename  Filename for the export file(s)
-t    --timeout          Timeout for the HTTP requests
      --severity-filter  Filter plugins by severity
      --plugin-filter    Filter plugins by name
      --threads          Number of concurrent threads

Advanced usage

Here is a list of advanced usages that you might be interested in. Note: redirectors like > can be used for post-processing.

  • Scan with SSL verification disabled
$ ./gochopchop scan https://foobar.com --insecure
  • Scan with a custom configuration file (including custom plugins)
$ ./gochopchop scan https://foobar.com --insecure --signature test_config.yml
  • List all the plugins, or only those of a given severity: plugins or plugins --severity High
$ ./gochopchop plugins --severity High
  • Specify the number of concurrent threads: --threads 4 for 4 workers
$ ./gochopchop scan https://foobar.com --threads 4
  • Block the CI pipeline by severity level (equal to or over the specified severity): --max-severity Medium
$ ./gochopchop scan https://foobar.com --max-severity Medium
  • Restrict the scan to specific signatures (combined here with a timeout, verbosity and export options)
$ ./gochopchop scan https://foobar.com --timeout 1 --verbosity debug --export=csv,json --export-filename boo --plugin-filter=Git,Zimbra,Jenkins
  • List all the plugins
$ ./gochopchop plugins
  • List High severity plugins
$ ./gochopchop plugins --severity High
  • Scan a list of URLs located in a file
$ ./gochopchop scan --url-file url_file.txt
  • Export GoChopChop results in CSV and JSON format
$ ./gochopchop scan https://foobar.com --export=csv,json --export-filename results

Creating a new check

Writing a new check is as simple as:

- endpoint: "/.git/config"
  checks:
    - name: Git exposed
      match:
        - "[branch"
      remediation: Do not deploy .git folder on production servers
      description: Verifies that the GIT repository is accessible from the site
      severity: "High"

An endpoint (e.g. /.git/config) is mapped to multiple checks, which avoids sending X requests for X checks: multiple checks can be evaluated against a single HTTP request. Each check takes the following fields:

Attribute     Type                                             Optional  Description                                                  Example
name          string                                           No        Name of the check                                            Git exposed
description   string                                           No        A short description of the check                             Ensure .git repository is not accessible from the webroot
remediation   string                                           No        Remediation for this specific "issue"                        Do not deploy .git folder on production servers
severity      Enum("High", "Medium", "Low", "Informational")   No        Criticality if the check triggers in your environment        High
status_code   integer                                          Yes       The HTTP status code that should be returned                 200
headers       List of string                                   Yes       Headers that should be in the HTTP response                  N/A
no_headers    List of string                                   Yes       Headers that should NOT be in the HTTP response              N/A
match         List of string                                   Yes       Strings that should be in the HTTP response                  "[branch"
no_match      List of string                                   Yes       Strings that should NOT be in the HTTP response              N/A
query_string  string                                           Yes       GET parameters that have to be passed to the endpoint        query_string: "id=FOO-chopchoptest"
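To make the semantics of those fields concrete, here is an added Go example (written for this page; it is not ChopChop's own code and does not use its types) that evaluates a list of checks for one endpoint against a single HTTP response, and then applies the same kind of severity gate that --max-severity describes. Assumptions made here: a check triggers only when every field it specifies holds (unset optional fields are skipped), `match` strings must all be present, and the severity order is Informational < Low < Medium < High. The .git/config body and the second "Server banner" check are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Check mirrors the per-check fields from the table above. Added illustration,
// not ChopChop's own type.
type Check struct {
	Name        string
	Description string
	Remediation string
	Severity    string   // "High", "Medium", "Low" or "Informational"
	StatusCode  int      // 0 means "not specified"
	Headers     []string // headers that must be present in the response
	NoHeaders   []string // headers that must NOT be present
	Match       []string // strings that must all appear in the body
	NoMatch     []string // strings that must NOT appear in the body
}

// severityRank orders the four severities so they can be compared (assumption).
var severityRank = map[string]int{"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

// Triggers reports whether one HTTP response satisfies every condition the
// check specifies. Unset optional fields are skipped; all set fields must hold.
func Triggers(c Check, status int, hdr http.Header, body string) bool {
	if c.StatusCode != 0 && status != c.StatusCode {
		return false
	}
	for _, h := range c.Headers {
		if len(hdr.Values(h)) == 0 {
			return false
		}
	}
	for _, h := range c.NoHeaders {
		if len(hdr.Values(h)) != 0 {
			return false
		}
	}
	for _, s := range c.Match {
		if !strings.Contains(body, s) {
			return false
		}
	}
	for _, s := range c.NoMatch {
		if strings.Contains(body, s) {
			return false
		}
	}
	return true
}

// Evaluate runs every check mapped to one endpoint against a single response:
// one request serves all of them, as the text above describes.
func Evaluate(checks []Check, status int, hdr http.Header, body string) []Check {
	var hits []Check
	for _, c := range checks {
		if Triggers(c, status, hdr, body) {
			hits = append(hits, c)
		}
	}
	return hits
}

// ShouldBlock models the --max-severity gate: true when any triggered check
// is at or above the given severity. Unknown severities never block.
func ShouldBlock(maxSeverity string, hits []Check) bool {
	threshold, ok := severityRank[maxSeverity]
	if !ok {
		return false
	}
	for _, c := range hits {
		if severityRank[c.Severity] >= threshold {
			return true
		}
	}
	return false
}

// GitConfigChecks: the YAML check from above plus a second, constructed check
// that rides on the same request.
var GitConfigChecks = []Check{
	{Name: "Git exposed", Severity: "High", Match: []string{"[branch"},
		Remediation: "Do not deploy .git folder on production servers"},
	{Name: "Server banner", Severity: "Informational", Headers: []string{"Server"}},
}

// ExposedGitConfig is a constructed body resembling a leaked .git/config.
const ExposedGitConfig = "[core]\n\trepositoryformatversion = 0\n[branch \"main\"]\n\tremote = origin\n"

func main() {
	hdr := http.Header{}
	hdr.Set("Server", "nginx")
	hits := Evaluate(GitConfigChecks, 200, hdr, ExposedGitConfig)
	for _, c := range hits {
		fmt.Printf("[%s] %s: %s\n", c.Severity, c.Name, c.Remediation)
	}
	fmt.Println("block CI at Medium:", ShouldBlock("Medium", hits))
}
```

Note that `match` is a plain substring test on the body: a signature such as "[branch" is specific enough for a Git config, but for generic markers you would want to combine it with `status_code` or `no_match` to keep false positives down, which is exactly what the optional fields are for.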

External Libraries
Library Name   Link                                    License
Viper          https://github.com/spf13/viper          MIT License
Go-pretty      https://github.com/jedib0t/go-pretty    MIT License
Cobra          https://github.com/spf13/cobra          Apache License 2.0
strfmt         https://github.com/go-openapi/strfmt    Apache License 2.0
Go-homedir     https://github.com/mitchellh/go-homedir MIT License
pkg-errors     https://github.com/pkg/errors           BSD 2-Clause (Simplified) License
Go-runewidth   https://github.com/mattn/go-runewidth   MIT License

Please, refer to the third-party.txt file for further information.


Talks

License

ChopChop has been released under Apache License 2.0. Please, refer to the LICENSE file for further information.


Authors
  • Paul A.
  • David R. (For the Python version)
  • Stanislas M. (For the Golang version)

