This blog post introduces our latest addition to the SAML Attacker of our BurpSuite extension EsPReSSO: the Encryption Attack tab. The new tab allows for easy manipulation of the encrypted parts within intercepted SAML responses and can, therefore, be used to quickly assess whether the SAML endpoint is vulnerable against certain XML Encryption attacks.
Weaknesses of XML Encryption
- an attack against the CBC-mode decryption (quite similar to a padding oracle attack) [3] or
- a Bleichenbacher attack against the RSA-PKCS#1 encryption of the session key [4].
XML Encryption in SAML
<EncryptedData>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<KeyInfo>
<EncryptedKey>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<CipherData>
<CipherValue>
[...]
</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>
[...]
</CipherValue>
</CipherData>
</EncryptedData>
</EncryptedAssertion>
Encryption Attacker
Once a SAML response which contains an EncryptedAssertion has been intercepted, open the SAML tab, select the Attacks pane, and choose Encryption from the dropdown menu. This works in Burp's Proxy, as well as in the Repeater tool, and is depicted below.
At the top, the certificate used to encrypt the symmetric session key can be pasted into the text field. This field will be pre-filled automatically if the intercepted SAML message includes a certificate in the KeyInfo child element of the EncryptedData element. The Update Certificate checkboxes above the text area can be used to include the certificate in the manipulated SAML message.
In the Symmetric Key text field, the hexadecimal value of the symmetric session key can be set. Choose the asymmetric algorithm from the dropdown menu and click Encrypt key -- this will update the corresponding KeyInfo elements of the intercepted SAML message.
The payload in the text area labeled XML data can now be entered. Any update in the XML data field will also be reflected in the hexadecimal representation of the payload (found on right of the XML data field). Note that this is automatically padded to the blocklength required by the symmetric algorithm selected below. However, the payload and the padding can be manually adjusted in the hex editor field.
Eventually, click the Encrypt content button to generate the encrypted payload. This will apply the changes to the intercepted SAML message, and the manipulated message using Burp's Forward or Go button can now be forwarded, as usual.
Probing for Bleichenbacher Oracles
To determine whether or not a SAML endpoint is vulnerable to Bleichenbacher's Attack, we simply need to check if we can distinguish those responses received when submitting ciphertexts that are decrypted into invalidly formatted PKCS1 v1.5 plaintexts, from the responses we receive when sending ciphertexts that are decrypted into validly formatted plaintexts.
Recall that PKCS1 v1.5 mandates a certain format of the encrypted plaintext, namely a concatenation of a BlockType 00 02, a randomized PaddingString (PS) that includes no 00 bytes, a 00 (NULL-byte) as delimiter, and the actual plaintext message. The whole sequence should be equal in size to the modulus of the RSA key used. That is, given the byte length k of the RSA modulus and the message length |m|, PS has the length |PS| = k - 3 - |m|. Furthermore, PKCS1 v1.5 demands that |PS| to be at least eight bytes long [5].
In SAML, the recipient's public key is usually known because it is published in the metadata, or even included in the EncryptedAssertion. For this reason, we do not need to fiddle around with manipulated ciphertexts. Instead, we simply submit a validly formatted RSA-PKCS1 v1.5 encrypted message and an encrypted message which deciphers into an invalidly formatted plaintext. As an example, assume an RSA public key of 2048 bits which we want to use to encrypt a 16 byte session key `01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10` (hexadecimal representation). |PS|$ is $2048/8 - 3 - 16 = 237, so a valid PKCS1 v1.5 plaintext, ready to be encrypted using `AA` for all 237 padding bytes, could look like the listing shown below.
00 02 AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA 00
01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10
Next, repeat the steps outlined above, but this time submit an invalid PKCS1 v1.5 message. For example, consider using an invalid BlockType of `12 34` instead of `00 02`, or replace the `00` delimiter so that the decryptor is unable to determine the actual message after decrypting the ciphertext. If you are able to determine from the recieved responses whether or not the submitted ciphertext decrypted into a valid PKCS1 v1.5 formatted plaintext, chances are high that the decryptor can be used as a Bleichenbacher oracle. Don't forget to take into account the actual XML data, i.e., the assertion encrypted with the new session key; by submitting valid or invalid XML, or by removing signatures from the SAML message or the assertion you may increase your chances of detecting differences in the returned responses.
Probing for Oracles in CBC-Mode Decryption
In order to determine if a particular SAML service provider is vulnerable to this attack, we can avoid the cumbersome ciphertext manipulation, if we are in possession of the decryptor's public key:
In the Encryption Attacker tab of EsPReSSO, add the public key certificate to the Certificate field (if necessary) and insert a symmetric key of your own devising into the Symmetric Key text field. Select an appropriate RSA encryption method and click the Encrypt button to apply the new EncryptedKey element to the original SAML message.
An XML message can now be inserted into the XML data text field. Select a CBC mode encryption algorithm and click Encrypt to apply the changes. As in the example above, press Burp's Go or Forward button to send the message and carefully inspect the response. Try sending invalid XML, e.g., by not closing a tag or using the `&` character without a valid entity and keep an eye open for differences in the returned responses. To manipulate the padding, the text field on the right side shows the hexadecimal representation of the plaintext, including the CBC padding. If you send a single block and set the last byte, which indicates the padding length to the blocksize, i.e. 16 or 0x10 for AES, the ciphertext should decrypt into an empty string and is generally considered "valid" XML.
Please refer to the original paper for more details, tips, and tricks for performing the actual attack [3].
Summary
In case you wonder how XML Encryption can be used in a secure fashion, here are some considerations [6]:
- Always use an authenticated encryption mode such as AES-GCM instead of the CBC-mode encryption.
- Using RSA-PKCS1 v1.5 within XML Encryption is particularly difficult to do in a secure manner, and it is recommended to use RSA with Optimal Asymmetric Encryption Padding (OAEP) instead [2].
- Apply a digital signature over the whole SAML response, and ensure it is properly validated before attempting to decrypt the assertion. This should thwart the attack as a manipulated response can be recognized as such and should be rejected.
[2] https://www.w3.org/TR/xmlenc-core/
[3] https://www.nds.ruhr-uni-bochum.de/research/publications/breaking-XML-Encryption/
[4] https://www.nds.ruhr-uni-bochum.de/research/publications/breaking-XML-Encryption-pkcs15/
[5] https://link.springer.com/chapter/10.1007%2FBFb0055716
[6] http://www.w3.org/2008/xmlsec/papers/xmlEncCountermeasuresW3C.pdf
[7] https://web-in-security.blogspot.com/2015/05/how-to-attack-xml-encryption-in-ibm.html
Related articles
- Hack Website Online Tool
- Pentest Tools Open Source
- Hacking Tools 2020
- Hacker Tools Software
- Hack Tools For Windows
- Hacking Tools For Windows 7
- Hacking App
- Install Pentest Tools Ubuntu
- Pentest Tools Review
- Kik Hack Tools
- Computer Hacker
- Hacker Tools For Pc
- Hacking Tools Online
- Hack Tools Mac
- Pentest Tools Apk
- Hacker Tools Apk Download
- Blackhat Hacker Tools
- Hacker Tools 2019
- Pentest Tools Subdomain
- Hack Tools Pc
- Hacking Tools Usb
- Pentest Box Tools Download
- Pentest Reporting Tools
- Nsa Hacker Tools
- Hack Tools
- Pentest Tools Online
- Pentest Tools Bluekeep
- Hacking Tools Github
- Termux Hacking Tools 2019
- Hacking Tools Usb
- Wifi Hacker Tools For Windows
- Hacking Tools Pc
- How To Hack
- Hacking Tools For Pc
- Hacking Tools For Windows
- Hacking Tools For Kali Linux
- Pentest Tools
- Hacker Tools
- Hacking Tools Windows
- Hacking Tools Windows
- Pentest Tools Framework
- Pentest Tools Kali Linux
- Pentest Tools Apk
- Pentest Tools
- Physical Pentest Tools
- Hackrf Tools
- Hacker
- Pentest Tools For Mac
- Pentest Box Tools Download
- Hacking Tools Hardware
- Hack Tools Github
- Hacking Tools Software
- Tools 4 Hack
- Hacking Tools Mac
- Hacker Tools For Ios
- Hack Website Online Tool
- Hack Rom Tools
- Hacker Tools Software
- Hack Tools For Pc
- Easy Hack Tools
- Hacking Tools Kit
- Hacker
- Hack Tools
- Pentest Tools Review
- Pentest Reporting Tools
- Tools For Hacker
- Pentest Tools Find Subdomains
- Hack Tools