Add New SAML Attack Based on parser differentials #93

Closed

d0ge opened this issue May 2, 2025 · 9 comments

Comments

@d0ge
Contributor

d0ge commented May 2, 2025

Hi @tobiashort,

Hope you are doing well.

I’d like to propose implementing two new CVEs: CVE-2025-25291 and CVE-2025-25292. If you want to read more about the vulnerabilities, a write-up is available here: https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

Would you be interested in having this added to the SAMLRaider extension?

If so, I’m happy to handle the implementation. I can make a test environment similar to the previous one, so you can easily reproduce the issue.

Looking forward to hearing your thoughts!

Cheers

@tobiashort
Collaborator

Hi @d0ge

Of course. I am happy to review and test your implementations.

Tobias

@d0ge
Contributor Author

d0ge commented May 2, 2025

Great! I will return shortly with the first implementation.

@d0ge
Contributor Author

d0ge commented May 7, 2025

Hi @tobiashort
Hope you are doing well.
I added two new CVEs to the SAML Raider scan checks - #94
One thing I am not sure about is the automatic time attributes update. SAML Raider never did it before; however, without it, exploitation of GitLab is almost impossible.
Please let me know if you would prefer to remove it.

@d0ge
Contributor Author

d0ge commented Jun 4, 2025

Hi @tobiashort
Hope you’re doing well! 👋
I wanted to follow up and check if you’ve had a chance to review PR #94. Please let me know if there’s anything unclear or if you’d like any changes.
Cheers

@tobiashort
Collaborator

Hi @d0ge
Sorry, I was very busy lately.
I have looked at it, but haven't had time to really test it.

I think all the previous work has paid off, and it is nice to see how we can implement new checks and attacks with no or minor side effects on the other code.

You said, you are not sure about the automatic time attributes update. I think if it is necessary that the exploit works as you say, then it is probably fine.

I should have some time to test it by Monday evening, if this is okay.

Tobias

@tobiashort
Collaborator

I tested CVE-2025-25291 within a test environment with FusionAuth as an IdP. The exploit works well! Fixed a bug where the help description was not correctly displayed.

@d0ge
Contributor Author

d0ge commented Jun 9, 2025

Hi @tobiashort,
Thank you for taking the time to test the feature. I hadn’t noticed the issue with the help dialog, really appreciate you spotting it and getting it sorted!

@tobiashort
Collaborator

Merged to master #94

@tobiashort
Collaborator

Will create new Release v2.4.0
