Signature Invalidated and still passes validation test - Potential Security Issue - Option to validate not found v1.12.4 #206
Comments
Hi there, The example provided makes it unclear whether or not the
Hello, I think it might be more valuable to take a step back and look at it this way. There are signatures for the assertion and signatures for the message. Anything outside of the assertion can be modified and does not invalidate the signature as it was originally sent, or it can be stripped entirely. There are a number of attack scenarios here as a result of that fact.
Is this vulnerability still open or should the issue be closed?
I would imagine that if no new code was introduced to handle the logic around validating the signature outside of the assertion/in the envelope |
In the SAML source below, which constitutes the SAMLResponse parameter value, the message can be modified and the first signature is not marked as invalid and passes authentication by saml2-js on the SP during SP-initiated SSO via SAML 2.0.
Anything outside of the assertion can be changed and is accepted by the SP. I do not see a way to configure saml2-js to validate the signature outside of the assertion in addition to the assertion? My understanding is that this can lead to some man-in-the-middle attacks and potentially some signature wrapping issues. I do know the specification does not require both signatures to be validated, but in this case I'd like to ensure it is. I have scrubbed any id/session/personal information in the XML.
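As an added example (not the reporter's code and not part of saml2-js), a structural pre-check in Python for the question raised in this thread: whether a SAMLResponse carries a ds:Signature over the Response envelope, as a direct child referencing the Response ID, in addition to the one over the Assertion. The sample responses, IDs and hostnames are constructed, and the check does no cryptographic verification; verifying each signature against the IdP certificate remains a separate step.

```python
"""Structural pre-check: is the SAMLResponse envelope signed as well as the Assertion?
The envelope carries Destination, InResponseTo and Status, so an unsigned envelope can
be altered, or its signature stripped, without disturbing the assertion signature."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _signed_ids(element):
    """IDs referenced by ds:Signature elements that are *direct* children of element."""
    ids = set()
    for sig in element.findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                ids.add(uri[1:])
    return ids

def check_envelope_and_assertion_signed(xml_text):
    """Return (envelope_signed, assertion_signed). Structure only: cryptographic
    verification of each signature against the IdP certificate is a separate step."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    envelope_signed = root.get("ID") in _signed_ids(root)
    assertion_signed = assertions[0].get("ID") in _signed_ids(assertions[0])
    return envelope_signed, assertion_signed

def _sig(ref_id):
    # Constructed ds:Signature skeleton; digest and signature values are placeholders.
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:Reference URI="#{ref_id}">'
            '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')

def build_response(sign_envelope, sign_assertion):
    """Constructed sample SAMLResponse (IDs and hostnames are made up)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            'ID="_resp1" Destination="https://sp.example.test/acs">'
            f'{_sig("_resp1") if sign_envelope else ""}'
            f'<saml:Assertion ID="_asn1">{_sig("_asn1") if sign_assertion else ""}'
            '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')
```

A policy that rejects any result whose first element is False is the behaviour the reporter asks for: a response whose envelope signature was stripped then fails closed before any assertion is trusted.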