OWASP AppSec 2018 Review

OWASP AppSec 2018

To give a quick background, the Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Since 2015, they have been organizing an annual event called AppSec that brings together numerous keynote speakers and experts in the field of application security.

A week ago, I had the privilege of attending the AppSec 2018 security conference in San Jose, California.  The conference spanned a total of 2 days and included a pretty diverse assortment of speakers touching on a wide variety of topics ranging from Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery, Insecurities in Single Sign On Implementations using SAML, and many more.

The more technical talks are suitable for pen-testers and ethical hackers, developers and security engineers, and the DevOps practices and GRC/risk level talks for managers and CISOs.

A more detailed list of the program and speakers can be found at the link below:


The program is very diverse as to what it offers, but I am technical guy and like technical talks that demo proof of concept exploits and attack methodologies in detail. That being said, from all the very talented speakers that participated in the conference there was one speaker and topic that caught my eye:

Identity Theft: Attacks on SSO Systems by Kelby Ludwig.

During my engagements, I frequently encounter SSO implementations in various organizations and this seemed like something I could possibly leverage in my day to day activities as a pen-tester. Kelby primarily talked about a vulnerability he discovered which has affected multiple independent SAML implementations. These issues he discovered were included in many libraries which in turn could be a potential threat for many SAML/SSO implementations.

He stated that the root cause of this vulnerability is the way various SAML implementations traverse the XML DOM after validating signatures.  The vulnerability could allow an attacker to tamper with signed XML documents by modifying attributes (such as an authenticated user attribute) without invalidating the signature. This allows an authenticated user to potentially perform a privilege escalation attack and access services and resources as an entirely different user.

Simply put, the issues lies with how the XML libraries process comments and performs canonicalization on the values before signing the document.

Vulnerable libraries and packages include:

OneLogin - python-saml (CVE-2017-11427); OneLogin - ruby-saml (CVE-2017-11428); Clever - saml2-js (CVE-2017-11429); OmniAuth-SAML (CVE-2017-11430); Shibboleth (CVE-2018-0489); and Duo Network Gateway (CVE-2018-7340).

l appreciate the effort and research done by Kelby and as a Security Researcher found great value in attending his talk.  My takeaway is the more and more SSO integrations enterprises with SAML at their core it is essential to keep eye on how various implementations handle and process their user supplied data without invalidating the signature of the response thus compromising the authenticity.

Thanks AppSec 2018!

- Humberto Cabrera, Senior Security Consultant

Fabrice Mouret