
Commit 962f68a

author
Deepak Prabhakara
authored
added test for digest value comment attack (#801)
1 parent 5e40a6c commit 962f68a

2 files changed

Lines changed: 80 additions & 0 deletions


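--- /dev/null
+++ b/test/assets/digestValueComment.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<saml2p:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://poc.securesaml.com/sp/acs" ID="_AYKNPZEFDJRGCMTQVXUB" IssueInstant="2024-12-08T09:42:45Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://poc.securesaml.com</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ALYCIHSXTDVFJBOENWUP" IssueInstant="2024-12-08T09:42:45Z" Version="2.0"><saml2:Issuer>https://poc.securesaml.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<ds:Reference URI="#_ALYCIHSXTDVFJBOENWUP">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+</ds:Transform>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<ds:DigestValue><!--cLtLfGPdSkReBiPfeSvPHfiGv3kL+nWUVdxffwLZIOg=-->9gGrXV3vDzvaWII856hziPBYAb2y2Mf1fM6cRjU+5A4=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>dRTHoRSyjuFtdqnw7jnafFNpK/bDgqZ/1CFMZ5cvt1hX91AmHEQ0ne/Eg4yBbI4GyBMte52EUZu3Wa8ECqWDpKSaEFWSqP6xt8ADkcCKcg3NF5AljKb2xHsta5GLvvp2PVQKvhiZMTM8sU2yvySfrprYS61xFCWctYjfsgh3jGPLNJnoFf3Si68zUr9mJt2exlVZ9ZTWJHm6lSRLS1Xmp1noGnGjrK5nCl8TMki/qA77d13ZEkO0v232d2oGD5ckzfjpA4SBW17g8Z1j+QKlfaiij/E4m0z0yATQ8ZoLVAXdY5mnS+Iw7j2zJZnqHdp29z/MiiuZdMfrg8+lIHSaxg==</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:X509Data>
+<ds:X509Certificate>MIIDzzCCAregAwIBAgIUMZMb3dfDNPcYK9rYUCz6U/Y/vdwwDQYJKoZIhvcN
+AQELBQAwdzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMREwDwYDVQQH
+DAhMb2NhdGlvbjEVMBMGA1UECgwMT3JnYW5pemF0aW9uMREwDwYDVQQLDAhP
+cmcgVW5pdDEbMBkGA1UEAwwScG9jLnNlY3VyZXNhbWwuY29tMB4XDTI0MTEy
+ODA1NDYyN1oXDTM0MTEyNjA1NDYyN1owdzELMAkGA1UEBhMCVVMxDjAMBgNV
+BAgMBVN0YXRlMREwDwYDVQQHDAhMb2NhdGlvbjEVMBMGA1UECgwMT3JnYW5p
+emF0aW9uMREwDwYDVQQLDAhPcmcgVW5pdDEbMBkGA1UEAwwScG9jLnNlY3Vy
+ZXNhbWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArBx4
+nG94nZJvXMSWkkJMxWMTY5YS53MegLD/DOMgM5n5tXBRewAgFkEdL6tclvqK
+EP80yc5N/KSdGZrbwD5oKhw4+4+GTpRSSoleFLhSYr0DZvTMvFHMgB45SddU
+A3DkcI0ZSF+RExZQhMypYxNjEMkKL5EJDh7d+Xt9FCVQ1GKjVRI12jeXOvTQ
+TOefPaz314aFBJ0XfqP3tl08jJAWC2kOgi9vB43Xu7u//FgubRifhwcVkzFt
+WLdDJSm/Q3qHkV8QDb4TL54dGHdXUP8wo0msqt2WXGZ691VYrRXw8dYmthl7
+KeVwcBsUUbUr2jA+Ia2hxnbBTfPY2m9ZfKEBUQIDAQABo1MwUTAdBgNVHQ4E
+FgQUknvBAHKXFwZjDB0rSvTGi2e/7n0wHwYDVR0jBBgwFoAUknvBAHKXFwZj
+DB0rSvTGi2e/7n0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEAj9BFFl9jSvmR/3GipWuBAC84jEdEzLk6o8AgqZGdBABFAK3TURlQLTli
+Nj17zqOlr3xHBorX9iCk46IZZ5ARjjjwzQZ5mzGsMYp+LPlC+w9G1AsqwXCL
+619+JQ5ORHN7kMHgQYIzkKe8FRa0NjBAl0FIwCe0DWGrbuNrQB5p5h/77TTF
+N+/ESjVbK0m/ubsl4tBnDqR3aq7KiBNr0e1yTF17Gg5iHc1ofINzq5i30/4v
+GGw0ohtr4ihg6J3hdwUIVnRknfuN3tE80jSF4e1LRojlyFoQXcg4emXq0Jn8
+lj6sw9dhQDq19MYaXchAuJMkWmXwt9e/CaWm7JRyuUgBcg==
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">captured@anyuser.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2024-12-08T10:02:45Z" Recipient="https://poc.securesaml.com/sp/acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2024-12-08T09:42:45Z" NotOnOrAfter="2024-12-08T10:02:45Z"><saml2:AudienceRestriction><saml2:Audience>https://poc.securesaml.com/sp/acs</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2024-12-08T09:42:45Z" SessionIndex="_6f7e3b62751ed5bf0adab64936da1e67"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>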

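--- a/test/lib/saml20.response.spec.ts
+++ b/test/lib/saml20.response.spec.ts
@@ -3,6 +3,7 @@ import { validate } from '../../lib/response';
 import fs from 'fs';
 
 // Tests Configuration
+const digestValueComment = fs.readFileSync('./test/assets/digestValueComment.xml').toString();
 const validResponse = fs.readFileSync('./test/assets/saml20.validResponse.xml').toString();
 const validResponseNoIRT = fs.readFileSync('./test/assets/saml20.validResponse-noirt.xml').toString();
 const validResponseUnsanitized = fs
@@ -129,4 +130,39 @@ describe('lib.saml20.response', function () {
 assert.strictEqual(result, 'Invalid InResponseTo.');
 }
 });
+
+it('Should fail with invalid signature', async function () {
+try {
+await validate(digestValueComment, {
+publicKey: `MIIDzzCCAregAwIBAgIUMZMb3dfDNPcYK9rYUCz6U/Y/vdwwDQYJKoZIhvcN
+AQELBQAwdzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMREwDwYDVQQH
+DAhMb2NhdGlvbjEVMBMGA1UECgwMT3JnYW5pemF0aW9uMREwDwYDVQQLDAhP
+cmcgVW5pdDEbMBkGA1UEAwwScG9jLnNlY3VyZXNhbWwuY29tMB4XDTI0MTEy
+ODA1NDYyN1oXDTM0MTEyNjA1NDYyN1owdzELMAkGA1UEBhMCVVMxDjAMBgNV
+BAgMBVN0YXRlMREwDwYDVQQHDAhMb2NhdGlvbjEVMBMGA1UECgwMT3JnYW5p
+emF0aW9uMREwDwYDVQQLDAhPcmcgVW5pdDEbMBkGA1UEAwwScG9jLnNlY3Vy
+ZXNhbWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArBx4
+nG94nZJvXMSWkkJMxWMTY5YS53MegLD/DOMgM5n5tXBRewAgFkEdL6tclvqK
+EP80yc5N/KSdGZrbwD5oKhw4+4+GTpRSSoleFLhSYr0DZvTMvFHMgB45SddU
+A3DkcI0ZSF+RExZQhMypYxNjEMkKL5EJDh7d+Xt9FCVQ1GKjVRI12jeXOvTQ
+TOefPaz314aFBJ0XfqP3tl08jJAWC2kOgi9vB43Xu7u//FgubRifhwcVkzFt
+WLdDJSm/Q3qHkV8QDb4TL54dGHdXUP8wo0msqt2WXGZ691VYrRXw8dYmthl7
+KeVwcBsUUbUr2jA+Ia2hxnbBTfPY2m9ZfKEBUQIDAQABo1MwUTAdBgNVHQ4E
+FgQUknvBAHKXFwZjDB0rSvTGi2e/7n0wHwYDVR0jBBgwFoAUknvBAHKXFwZj
+DB0rSvTGi2e/7n0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEAj9BFFl9jSvmR/3GipWuBAC84jEdEzLk6o8AgqZGdBABFAK3TURlQLTli
+Nj17zqOlr3xHBorX9iCk46IZZ5ARjjjwzQZ5mzGsMYp+LPlC+w9G1AsqwXCL
+619+JQ5ORHN7kMHgQYIzkKe8FRa0NjBAl0FIwCe0DWGrbuNrQB5p5h/77TTF
+N+/ESjVbK0m/ubsl4tBnDqR3aq7KiBNr0e1yTF17Gg5iHc1ofINzq5i30/4v
+GGw0ohtr4ihg6J3hdwUIVnRknfuN3tE80jSF4e1LRojlyFoQXcg4emXq0Jn8
+lj6sw9dhQDq19MYaXchAuJMkWmXwt9e/CaWm7JRyuUgBcg==`,
+audience: 'https://poc.securesaml.com/sp/acs',
+bypassExpiration: true,
+});
+} catch (error) {
+const result = (error as Error).message;
+console.log('result:', result);
+assert.strictEqual(result, 'Invalid assertion signature.');
+}
+});
 });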
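Review bot: The new `it('Should fail with invalid signature', …)` case at the end of the second hunk passes even when `validate()` resolves, because its only assertion sits inside the `catch` block and nothing fails the test when no error is thrown — which is exactly the outcome this regression test exists to detect, a response with a comment spliced into `DigestValue` being accepted as validly signed. Add `assert.fail('validate should reject a DigestValue containing an XML comment');` as the last statement of the `try` block, or replace the try/catch with `await assert.rejects(validate(digestValueComment, { … }), { message: 'Invalid assertion signature.' });`. The stray `console.log('result:', result);` should also be dropped, and a name such as `'Should reject a DigestValue that contains an XML comment'` would say what the fixture exercises. The neighbouring tests appear to use the same try/catch shape (the context line `assert.strictEqual(result, 'Invalid InResponseTo.');` is inside a catch), so they may share the weakness, though that is outside this hunk. The enclosing `describe('lib.saml20.response', …)` block begins before the hunk.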
