title | paper | people | peopleOrder | ||||
---|---|---|---|---|---|---|---|
Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory |
ETAA2020_MIG |
|
surname |
{% include toc.md %}
In Section 3.1 of the paper we mentioned a list of SAML tests. The table below reports all the tests that the Pentesting tool perform in SAML implementations.
Security Test | Prot. | Provider | P/A | Description | Mitigation |
---|---|---|---|---|---|
Missing Service Provider | S | IdP | P | Check whether the Issuer element is present in the SAML request. | Configure the IdP to accept only SAML request with Issuer attribute. |
Missing Audience element | S | IdP | P | Check whether the Audience element is present in the SAML assertion. | Configure the IdP to include Audience element in the SAML assertion. |
Missing OneTimeUse attribute | S | IdP | P | Check whether OneTimeUse attribute is present in the SAML assertion. | Configure the IdP to include OneTimeUse attribute in the SAML assertion. |
Missing NotOnOrAfter attribute | S | IdP | P | Check whether NotOnOrAfter attribute is present in the SAML assertion. | Configure the IdP to include NotOnOrAfter attribute in the SAML assertion. |
Missing InResponseTo attribute | S | IdP | P | Check whether InResponseTo attribute is present in the SAML assertion. | Configure the IdP to include InResponseTo attribute in the SAML assertion. |
Missing Recipient in SubjectConfirmationData | S | IdP | P | Check whether Recipient attribute is present in the SAML assertion. | Configure the IdP to include Recipient attribute in SubjectConfirmationData element of SAML assertion. |
Missing check on Recipient element | S | SP | P | Check whether the Recipient attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with Recipient attribute. |
Missing check on the InResponseTo attribute | S | SP | P | Check whether the InResponseTo attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with InResponseTo attribute. |
Missing check on NotOnOrAfter attribute | S | SP | P | Check whether the NotOnOrAfter attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with NotOnOrAfter attribute. |
Missing check on Destination element | S | SP | P | Check whether the Destination element is present in the SAML assertion. | Configure the Client to accept only SAML assertions with Destination element. |
Missing OneTimeUse attribute | S | SP | P | Check whether the OneTimeUse attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with OneTimeUse attribute. |
Missing check on Audience element | S | SP | P | Check whether the Audience element is present in the SAML assertion. | Configure the Client to accept only SAML assertions with Audience element. |
Alteration of the Relay State parameter | S | SP | A | Changes value of Relay State parameter. | Configure the Sanitize the value of Relay State parameter. |
Session Fixation | S | SP | A | Check whether the implementation suffers the session vulnerability. | Handle properly the user sessions. |
Missing check on Canonicalization algorithm | S | Any | P | Check if the Canonicalization algorithm used by the XML parser encode also comments. | Change XML parser Canonicalization algorithm to one that includes comments. |
Micro-Id-Gym offers on the one hand (in the laboratory) an easy way to configure the production environment in a sandbox where pentesters can develop hands-on experiences on how IdM solutions work, by performing attacks with high impacts and better understand the underlying security issues. On the other hand (in the wild) a set of pentesting tools for the automatic security analysis of IdM protocols are provided.
<iframe src="https://drive.google.com/file/d/1CnnTvWeKg4b7MXxcXH1X4rpy5H1KnLBC/preview" ></iframe>
<iframe src="https://drive.google.com/file/d/1pntNiuMDh1_RuJVcdme9EigxZCLJavuz/preview" ></iframe>
- Click here to download the tool.