
Bypass Vulnerability if entryPoint misconfigured #267

Closed
cintolas opened this issue Mar 8, 2018 · 2 comments

Comments


cintolas commented Mar 8, 2018

We received this report when our product went through pen testing.

The empty default configuration of the SAML authentication workflow would break due to the lack of an entry point URL, causing an infinite redirect loop. However, a valid SAML Request was still generated with the default configuration values.

The SAMLRequest parameter shown above was generated by the product and was intended to be sent to an SAML endpoint. Since the authentication method is not fully configured with a certificate, any SAML SSO service can respond to the request. Atredis set up a simple SSO service to validate this finding. The SSO service handled the request and posted a valid SAML response to the F callback URL, which was considered a successful login attempt.

The following snippet shows that a SAML request is still generated.


var express = require('express');
var bodyParser = require('body-parser');
var passport = require('passport');
var SamlStrategy = require('passport-saml').Strategy;

// Misconfiguration under discussion: entryPoint is empty and no IdP cert is set,
// yet the strategy still generates an AuthnRequest.
// passReqToCallback is needed for verify() to receive req as its first argument.
passport.use(new SamlStrategy({
    path: '/',
    entryPoint: '',
    passReqToCallback: true
},
function verify(req, profile, done) {
    return done(null, profile);
}));

var app = express();
app.use(bodyParser.urlencoded({ extended: false })); // SAMLResponse arrives as a form POST
app.use(passport.initialize());

// Custom-callback form of passport.authenticate(): invoke it with (req, res, next)
// and end the response ourselves, otherwise the request hangs.
function logAndReply(req, res, next) {
    passport.authenticate('saml', function (err, user, info) {
        console.log(err, user, info);
        res.sendStatus(err || !user ? 401 : 200);
    })(req, res, next);
}

app.route('/')
    .get(passport.authenticate('saml'))
    .post(logAndReply);

// app.route() accepts only a path, so the callback handler is registered with app.post()
app.post('/callback', logAndReply);

app.listen(8000);




@markstos
Contributor

@cintolas Thanks for the report.

What we call entryPoint is used for the Destination attribute in AuthnRequest. According to the SAML spec, Destination is required to be spec-compliant when the request is signed:

https://support.pingidentity.com/Destination-attribute-in-SAML-Request

So if we are failing to require the Destination attribute when the spec requires it, that's a bug.

On the other hand, if your case involves un-signed requests with a missing Destination attribute, it appears that's a weakness in the SAML spec itself, this project is compliant, and developers need to understand that they must avoid that case to be safe.

Help with updated code or docs to deal with this case in a spec-compliant way is welcome.

@markstos
Contributor

Addressed by #299. Closing.
