Penetration Testing Anecdote Series

Authentication bypass due to weak verification of SAML Token

What is authentication bypass in web applications?

Authentication bypass is a web application vulnerability that occurs when the server side does not properly validate the user’s identity before granting access.

Generally, a successful authentication bypass requires the attacker to know the victim’s username or email ID, unlike SQL injection, where the attacker can attempt to log into the application as any user.

What is SAML?

SAML (Security Assertion Markup Language) is a standard for authenticating and authorizing users across multiple applications by leveraging the logged-in session of one application.

In simple words, you log into a dashboard where you see multiple applications like Salesforce, AWS, Slack, ADP, etc. and when you click on any one of the icons, you would directly get signed into that application.

Unlike other tokens, the SAML token is XML-based for transferring identity between two parties.

So, who are these two parties?

  1. Identity Provider (IdP)
  2. Service Provider (SP)

The IdP is responsible for authenticating the user and then sending the token to the service provider. The SP trusts the identity provider and, on the basis of that token, authenticates and authorizes the user to access the requested application.

Some applications implement SAML so that their clients can authenticate themselves and use the application. So, the question is: what kind of verification does the SP perform in the back-end? Is it possible to modify the token and log in to the application as another user?

In this blog, we’ll walk you through an authentication bypass that allowed us to log into the application as any user with nothing more than knowledge of the username. This was possible because of insecure logic and validation implemented at the backend.

Understanding the authentication process

The application uses Okta, an identity platform that offers authentication and authorization services for the application. Let’s say the target domain is testproduct.com. After hitting this domain, we get redirected to the Okta login page on a domain like testcorp.oktapreview.com, which looks like the screenshot below.

Using valid credentials, we log into the Okta dashboard. Under My Apps, we see all the applications to which we can get direct access without re-entering our credentials.

Let’s assume our app testcorp.com is included in it. After clicking on our app, we are signed into it directly.

We now try to understand how we got logged into testproduct.com from testcorp.oktapreview.com.

By setting up an interception proxy (Burp Suite), we observe a request in which testcorp.com receives a SAML token in a parameter named SAMLResponse.

Bypass #1: Pre-remediation

The next request was responsible for authenticating the user, or in other words, for activating the user’s session.

By changing the username value from 252233 to 252234, we were able to log into the application as a different user. We confirmed this by entering a random number, which gave us an error indicating that the user was invalid, thus confirming that the username we used earlier was indeed valid.

By trying different values for the username parameter and repeating the above steps, we were able to log into the application as an administrator user.

Test Corp went ahead and implemented a fix to remediate the above vulnerability.

Bypass #2: After application of the first fix

Test Corp leveraged an encryption mechanism that prevented us from changing the username value, as the parameter was now unguessable.

We started looking at different ways to decrypt the parameter through recon. We also wrote multiple scripts, but none of them succeeded in recreating the original value.

After many failed attempts, we were curious to understand how the application knew which username value to encrypt, as we didn’t see any username being transmitted in plaintext in the request.

There was still a puzzle associated with the SAML token, as we hadn’t yet looked at understanding it.

By URL-decoding and then Base64-decoding it, we obtained XML data containing the username 2522334.

The response contained the encrypted username. Changing the username inside the SAML token, encoding it back to its original format and sending the request produced a different encrypted username, which caught our eye. We then used this new value, URL-encoded, in the subsequent request, which successfully logged us in.

So, the application was accepting the username from the SAML token and then encrypting it; the encrypted value was subsequently sent in the request in which the activation occurred.

Conclusion

Our understanding of the application led us to conclude that, rather than validating the token, the application extracted the username from it and merely verified whether that username existed in its database. This allowed an attacker to authenticate as any user, given only a valid username.
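To make that conclusion concrete, here is an added illustration (not code from the post or from Test Corp): a stdlib-only Python model of the SP-side check, in which `vulnerable_login` reproduces the pre-remediation logic, `hardened_login` verifies the token before trusting its NameID, and `swap_name_id` performs the edit the post describes so the two can be compared. The issuer, audience, key and user list are assumed values, and a keyed HMAC over the issuer, NameID and audience stands in for the XML-DSig signature a real IdP such as Okta produces.

```python
import base64
import hmac
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
IDP, SP = "https://testcorp.oktapreview.com", "https://testproduct.com"  # expected issuer / audience
IDP_KEY = b"demo-idp-signing-key"    # assumption: stand-in for the IdP's signing key
KNOWN_USERS = {"2522334", "252234"}  # assumption: usernames present in the SP's database

def encode(xml: str) -> str:
    # Same two-layer encoding the post reverses: base64, then URL encoding.
    return urllib.parse.quote(base64.b64encode(xml.encode()).decode())

def decode(param: str) -> str:
    # URL-decode, then base64-decode, in the order the post describes.
    return base64.b64decode(urllib.parse.unquote(param)).decode()

def build_response(name_id, issuer=IDP, audience=SP, key=IDP_KEY):
    # Minimal SAMLResponse as an IdP would emit it; a keyed HMAC stands in for the XML-DSig signature.
    mac = hmac.new(key, f"{issuer}|{name_id}|{audience}".encode(), "sha256").hexdigest()
    return encode(
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"><saml:Assertion>'
        f'<saml:Issuer>{issuer}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion><Signature>{mac}</Signature></samlp:Response>')

def vulnerable_login(param):
    # Pre-remediation logic: trust whatever NameID the token carries, as long as that user exists.
    name_id = ET.fromstring(decode(param)).findtext(".//saml:NameID", namespaces=NS)
    return name_id if name_id in KNOWN_USERS else None

def hardened_login(param, key=IDP_KEY):
    # Verify the token before trusting anything in it: signature first, then issuer and audience.
    root = ET.fromstring(decode(param))
    issuer, name_id, audience = (root.findtext(f".//saml:{t}", namespaces=NS)
                                 for t in ("Issuer", "NameID", "Audience"))
    expected = hmac.new(key, f"{issuer}|{name_id}|{audience}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(root.findtext("Signature") or "", expected) or issuer != IDP or audience != SP:
        return None   # tampered or unsigned token, wrong IdP, or a token meant for another SP
    return name_id if name_id in KNOWN_USERS else None

def swap_name_id(param, new_name_id):
    # The edit the post describes: change the username inside the decoded token and re-encode it.
    xml = decode(param)
    start, end = xml.index("<saml:NameID>") + len("<saml:NameID>"), xml.index("</saml:NameID>")
    return encode(xml[:start] + new_name_id + xml[end:])
```

With a genuine token both functions return the same user; with the NameID swapped, only the vulnerable path still logs the attacker in, because the hardened path rejects the token before it ever consults the user database.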

Posted by:

Raunak Parmar

Senior Security Engineer at Accorian

 

How do you prepare for a Penetration test?

A penetration test (pen test) is one of the best ways a company can test its IT assets for vulnerabilities that a hacker could exploit to access sensitive data (customer data, internal IP, passwords, etc.). Many internal IT teams assume that a pen test is a time-consuming nightmare, but with the right communication and preparation, a pen test is an effortless, vital, and valuable procedure for any business.

Penetration tests are simulated cyberattacks against an IT system, carried out by security professionals to find the exploitable vulnerabilities a hacker would use to infiltrate an organization. Finding these vulnerabilities allows you to address the gaps in your network defense and enhance your overall security posture. Additionally, it provides you with an opportunity to assess your active protection systems, incident response, and ongoing security monitoring.

Why does a company need a penetration test?

  • To detect and remediate vulnerabilities before an adversary exploits them
  • Upper management may want a better understanding of their current security posture
  • It may be a regulatory requirement of the industry, or a legal requirement to do business with another company
  • Data protection increases customer confidence

Who will be involved in the Pen test?

  1. Management and authorized technical leaders of the company.
  2. The internal IT teams.
  3. The external penetration testing company.

Ask these questions before you start the Pen Test

Our team has tested over 1000+ applications and 500+ networks. Based on that experience, we recommend asking and discussing the questions below. The details should be agreed upon by your team and the penetration testing team before commencing the tests.

  1. Will the test include DoS, DDoS or Brute forcing?
  2. How will the security team perform the intrusive test?
  3. Will the test team exploit vulnerabilities they find or just identify them?
  4. How long will it take to perform the pen test?
  5. What will be included in the report? If possible, ask for drafts or interim reports for longer engagements.
  6. Will there be regular meetings to discuss test progress and concerns?
  7. Will they provide an escalation matrix for both teams?
  8. When will they notify all stakeholders regarding the test and get necessary approvals?
  9. Will there be legal documentation between stakeholders and test team?

How should you prepare for the Pen Test?

If you plan to run a penetration test on your IT system, it’s important that you, your IT team, and your staff prepare for it. It’s possible to prepare for a pen test in a few hours, but it helps if you know what to do. Here are 6 ways your company can prepare for a pen test:

  1. Identify and communicate your scope and objectives with the security professionals conducting your pen test
    Prepare an inventory of your technology assets and assign a value to each based on business impact. This will help you to identify and prioritize the assets that should be tested. It would be ideal to discuss the scope with the penetration testing company and/or compliance teams. Spend time with the IT team and the security testing company and create a concise and realistic project description with objectives and expectations. For example, do you want to test your company’s ability to detect intrusion attempts? Or see how well your IT team responds to a possible breach? Make these goals clear to the IT team and the penetration testing company.
  2. Decide on the best time to conduct the test
    Pen testing is a time-sensitive process and can take longer than expected if issues arise. It’s best to run this test during a time of low business activity. Depending on the business, weekends might be ideal for this exercise.
  3. Back up your data
    Your IT team should make a backup of all configurations, data, and code before the test begins. It’s possible that the pen test may cause a system to crash or data to be lost. If this happens, the data can be restored to the pre-test configuration. Your internal IT or support team should be readily available to resolve technical issues with the testing company during the testing phase.
  4. Ensure that your internal IT team is available
    Your internal IT team or support team should be readily available to resolve technical issues with the asset during the testing phase.
  5. Explain what you want to see in the report
    • Do you want to see an Executive summary that describes the work done in a way that management can understand and act on?
    • Do you require mapping of the findings to a regulatory or compliance standard like PCI DSS, HIPAA, HITRUST, etc.?
    • Do you want to see a detailed record of the findings of the test?
    • Would you like any specific metrics to be included in the final risk rating of the findings?
  6. Mitigate common vulnerabilities
    Security is an ongoing process, so it is helpful to mitigate common vulnerabilities before you go ahead with the test to ensure optimal results. More than 67% of detected vulnerabilities are common and can be mitigated through basic security measures:
    • Apply missing patches
    • Restrict access to management or administrative interfaces
    • Disable insecure encryption standards and ciphers
    • Decommission obsolete software, services, and systems
    • Ensure password strength is maintained across all assets (network and application)
    • Validate all inputs on the server side

What is included in the Pen Test report?

A detailed report that includes:

  • The goals and scope of the penetration test
  • The methodology used by the security company
  • The timeline of the penetration test
  • Detailed list of vulnerabilities, risk ratings, and evidence
  • Recommendations to improve overall security

Penetration testing is not a one-time activity. In 2018, 16,412 Common Vulnerabilities and Exposures (CVEs) were released, which is why penetration testing and vulnerability assessments need to be an ongoing process: most attackers leverage known exploits and vulnerabilities to attack organizations. It is important to make penetration testing a part of the development cycle and, at a minimum, to carry it out before every major release, if not biannually.

Accorian is a full-service cybersecurity partner. We can help protect your data, monitor your networks, conduct penetration tests and provide anti-phishing training for your employees. We have extensive experience in conducting penetration tests & vulnerability scanning for all applications (Web & Mobile), APIs, networks, and social engineering assessments.
