ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5679/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

98 lines
4.0 KiB
Plaintext
Raw Blame History

== Why is this an issue?
In 2018, Duo Security found a new vulnerability class that affects SAML-based single sign-on (SSO) systems and this led to the following vulnerabilities being disclosed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11427[CVE-2017-11427], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11428[CVE-2017-11428], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429[CVE-2017-11429], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11430[CVE-2017-11430], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0489[CVE-2018-0489], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7340[CVE-2018-7340].
From a specially crafted ``++<SAMLResponse>++`` file, an attacker having already access to the SAML system with his own account can bypass the authentication mechanism and be authenticated as another user.
This is due to the fact that SAML protocol rely on XML format and how the underlying XML parser interprets XML comments.
If an attacker manage to change the ``++<NameID>++`` field identifying the authenticated user with XML comments, he can exploit the vulnerability.
Here is an example of a potential payload:
----
<SAMLResponse>
[...]
<Subject>
<NameID>admin@domain.com<!---->.evil.com</NameID>
</Subject>
[...]
</SAMLResponse>
----
The attacker will manage to generate a valid <SAMLResponse> content with the account "\admin@domain.com.evil.com". He will modify it with XML comments to finally be authenticated as "\admin@domain.com". To prevent this vulnerability on application using Spring Security SAML relying on OpenSAML2, XML comments should be ignored thanks to the property ``++ignoreComments++`` set to ``++true++``.
=== Noncompliant code example
[source,java]
----
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
public ParserPool parserPool() {
StaticBasicParserPool staticBasicParserPool = new StaticBasicParserPool();
staticBasicParserPool.setIgnoreComments(false); // Noncompliant: comments are not ignored during parsing opening the door to exploit the vulnerability
return staticBasicParserPool;
}
----
[source,java]
----
public ParserPool parserPool() {
BasicParserPool basicParserPool = new BasicParserPool();
basicParserPool.setIgnoreComments(false); // Noncompliant
return basicParserPool;
}
----
=== Compliant solution
[source,java]
----
public ParserPool parserPool() {
return new StaticBasicParserPool(); // Compliant: "ignoreComments" is set to "true" in StaticBasicParserPool constructor
}
----
[source,java]
----
public ParserPool parserPool() {
return new BasicParserPool(); // Compliant: "ignoreComments" is set to "true" in BasicParserPool constructor
}
----
== Resources
* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
* https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations[Duo Finds SAML Vulnerabilities Affecting Multiple Implementations]
* https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability[Spring Security SAML and this week's SAML Vulnerability]
* https://github.com/spring-projects/spring-security-saml/issues/228[Spring Security SAML: Issue #228]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Change "setIgnoreComments" to "true" or remove the call to "setIgnoreComments" to prevent the authentication bypass.
=== Highlighting
setIgnoreComments(false)
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink