rspec/rules/S5679/java/rule.adoc

In 2018, Duo Security found a new vulnerability class that affects SAML-based single sign-on (SSO) systems and this led to the following vulnerabilities being disclosed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11427[CVE-2017-11427], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11428[CVE-2017-11428], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429[CVE-2017-11429], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11430[CVE-2017-11430], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0489[CVE-2018-0489], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7340[CVE-2018-7340].


From a specially crafted ``++<SAMLResponse>++`` file, an attacker having already access to the SAML system with his own account can bypass the authentication mechanism and be authenticated as another user.

This is due to the fact that SAML protocol rely on XML format and how the underlying XML parser interprets XML comments.


If an attacker manage to change the ``++<NameID>++`` field identifying the authenticated user with XML comments, he can exploit the vulnerability.


Here is an example of a potential payload:

----
<SAMLResponse>
  [...]
  <Subject>
    <NameID>admin@domain.com<!---->.evil.com</NameID>
  </Subject>
  [...]
</SAMLResponse>
----

The attacker will manage to generate a valid <SAMLResponse> content with the account "\admin@domain.com.evil.com". He will modify it with XML comments to finally be authenticated as "\admin@domain.com". To prevent this vulnerability on application using Spring Security SAML relying on OpenSAML2, XML comments should be ignored thanks to the property ``++ignoreComments++`` set to ``++true++``.


== Noncompliant Code Example

[source,java]
----
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;

public ParserPool parserPool() {
  StaticBasicParserPool staticBasicParserPool = new StaticBasicParserPool();
  staticBasicParserPool.setIgnoreComments(false); // Noncompliant: comments are not ignored during parsing opening the door to exploit the vulnerability
  return staticBasicParserPool;
}
----

[source,java]
----
public ParserPool parserPool() {
  BasicParserPool basicParserPool = new BasicParserPool();
  basicParserPool.setIgnoreComments(false); // Noncompliant
  return basicParserPool;
}
----


== Compliant Solution

[source,java]
----
public ParserPool parserPool() {
  return new StaticBasicParserPool(); // Compliant: "ignoreComments" is set to "true" in StaticBasicParserPool constructor
}
----

[source,java]
----
public ParserPool parserPool() {
  return new BasicParserPool();  // Compliant: "ignoreComments" is set to "true" in BasicParserPool constructor
}
----


== See

* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
* https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations[Duo Finds SAML Vulnerabilities Affecting Multiple Implementations]
* https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability[Spring Security SAML and this week's SAML Vulnerability]
* https://github.com/spring-projects/spring-security-saml/issues/228[Spring Security SAML: Issue #228]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

endif::env-github,rspecator-view[]