HackTrickstip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Muhtasari wa SAML
Security Assertion Markup Language (SAML) inaruhusu watoa huduma za utambulisho (IdP) kutumika kwa kutuma ithibati za mamlaka kwa watoa huduma (SP), ikirahisisha kuingia kwa mara moja (SSO). Njia hii inarahisisha usimamizi wa kuingia kwa mara nyingi kwa kuruhusu seti moja ya ithibati kutumika kwenye tovuti nyingi. Inatumia XML kwa mawasiliano ya viwango kati ya IdPs na SPs, ikihusisha uthibitishaji wa utambulisho wa mtumiaji na mamlaka ya huduma.
Ulinganisho kati ya SAML na OAuth
- SAML imeandaliwa kutoa udhibiti mkubwa kwa makampuni juu ya usalama wa kuingia kwa SSO.
- OAuth imeundwa kuwa rafiki zaidi kwa simu, inatumia JSON, na ni juhudi ya ushirikiano kutoka kwa kampuni kama Google na Twitter.
Mchakato wa Uthibitishaji wa SAML
Kwa maelezo zaidi angalia chapisho kamili kutoka https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/. Huu ni muhtasari:
Mchakato wa uthibitishaji wa SAML unajumuisha hatua kadhaa, kama inavyoonyeshwa katika mchoro:
- Jaribio la Kupata Rasilimali: Mtumiaji anajaribu kupata rasilimali iliyo salama.
- Uundaji wa Ombi la SAML: SP haimtambui mtumiaji na unaunda Ombi la SAML.
- Kuelekeza kwa IdP: Mtumiaji anapelekwa kwa IdP, huku Ombi la SAML likipitia kivinjari cha mtumiaji.
- IdP Inapokea Ombi: IdP inapokea Ombi la SAML.
- Uthibitishaji katika IdP: IdP inathibitisha mtumiaji.
- Uthibitishaji wa Mtumiaji: IdP inathibitisha uhalali wa mtumiaji kupata rasilimali iliyotakiwa.
- Uundaji wa Jibu la SAML: IdP inaunda Jibu la SAML lililo na ithibati muhimu.
- Kuelekeza kwa URL ya ACS ya SP: Mtumiaji anapelekwa kwa URL ya Huduma ya Kuthibitisha Madai (ACS) ya SP.
- Uthibitishaji wa Jibu la SAML: ACS inathibitisha Jibu la SAML.
- Ruhusa ya Kupata Rasilimali: Ruhusa ya kupata rasilimali iliyotakiwa inatolewa.
Mfano wa Ombi la SAML
Fikiria hali ambapo mtumiaji anahitaji kupata rasilimali salama kwenye https://shibdemo-sp1.test.edu/secure/. SP inatambua ukosefu wa uthibitishaji na inaunda Ombi la SAML:
GET /secure/ HTTP/1.1
Host: shibdemo-sp1.test.edu
...
Ombi la SAML la msingi linaonekana kama hili:
<?xml version="1.0"?>
<samlp:AuthnRequest ...
</samlp:AuthnRequest>
Key elements of this request include:
- AssertionConsumerServiceURL: Inabainisha mahali ambapo IdP inapaswa kutuma SAML Response baada ya uthibitisho.
- Destination: Anwani ya IdP ambayo ombi linatumwa.
- ProtocolBinding: Inaelezea njia ya usafirishaji wa ujumbe wa protokali ya SAML.
- saml:Issuer: Inatambua chombo kilichozindua ombi hilo.
Following the SAML Request generation, the SP responds with a 302 redirect, directing the browser to the IdP with the SAML Request encoded in the HTTP response's Location header. The RelayState parameter maintains the state information throughout the transaction, ensuring the SP recognizes the initial resource request upon receiving the SAML Response. The SAMLRequest parameter is a compressed and encoded version of the raw XML snippet, utilizing Deflate compression and base64 encoding.
SAML Response Example
You can find a full SAML response here. The key components of the response include:
- ds:Signature: Sehemu hii, ni Saini ya XML, inahakikisha uadilifu na uthibitisho wa mtoa dhamana wa uthibitisho. SAML response katika mfano ina vipengele viwili vya
ds:Signature, kimoja kwa ujumbe na kingine kwa uthibitisho. - saml:Assertion: Sehemu hii ina habari kuhusu utambulisho wa mtumiaji na labda sifa nyingine.
- saml:Subject: Inaelezea somo kuu la taarifa zote katika uthibitisho.
- saml:StatusCode: Inawakilisha hali ya operesheni katika majibu ya ombi husika.
- saml:Conditions: Inatoa maelezo kuhusu masharti kama muda wa uhalali wa Uthibitisho na Mtoa Huduma aliyetajwa.
- saml:AuthnStatement: Inathibitisha kwamba IdP ilithibitisha somo la Uthibitisho.
- saml:AttributeStatement: Inashikilia sifa zinazofafanua somo la Uthibitisho.
Following the SAML Response, the process includes a 302 redirect from the IdP. This leads to a POST request to the Service Provider's Assertion Consumer Service (ACS) URL. The POST request includes RelayState and SAMLResponse parameters. The ACS is responsible for processing and validating the SAML Response.
After the POST request is received and the SAML Response is validated, access is granted to the protected resource initially requested by the user. This is illustrated with a GET request to the /secure/ endpoint and a 200 OK response, indicating successful access to the resource.
XML Signatures
XML Signatures are versatile, capable of signing an entire XML tree or specific elements within it. They can be applied to any XML Object, not just Response elements. Below are the key types of XML Signatures:
Basic Structure of XML Signature
An XML Signature consists of essential elements as shown:
<Signature>
<SignedInfo>
<CanonicalizationMethod />
<SignatureMethod />
<Reference>
<Transforms />
<DigestMethod />
<DigestValue />
</Reference>
...
</SignedInfo>
<SignatureValue />
<KeyInfo />
<Object />
</Signature>
Kila kipengele cha Reference kinamaanisha rasilimali maalum inayosainiwa, inayoweza kutambulika kwa sifa ya URI.
Aina za Saini za XML
- Saini ya Enveloped: Aina hii ya saini ni kizazi cha rasilimali inayosainiwa, ikimaanisha saini inapatikana ndani ya muundo sawa wa XML kama yaliyomo yaliyosainiwa.
Mfano:
<samlp:Response ... ID="..." ... >
...
<ds:Signature>
<ds:SignedInfo>
...
<ds:Reference URI="#...">
...
</ds:Reference>
</ds:SignedInfo>
</ds:Signature>
...
</samlp:Response>
Katika saini ya enveloped, kipengele cha ds:Transform kinabainisha kwamba kimefungwa kupitia algorithimu ya enveloped-signature.
- Saini ya Enveloping: Ikilinganishwa na saini za enveloped, saini za enveloping zinapakia rasilimali inayosainiwa.
Mfano:
<ds:Signature>
<ds:SignedInfo>
...
<ds:Reference URI="#...">
...
</ds:Reference>
</ds:SignedInfo>
<samlp:Response ... ID="..." ... >
...
</samlp:Response>
</ds:Signature>
- Saini ya Detached: Aina hii ni tofauti na yaliyomo inayosainiwa. Saini na yaliyomo yapo kwa uhuru, lakini kiungo kati ya viwili kinahifadhiwa.
Mfano:
<samlp:Response ... ID="..." ... >
...
</samlp:Response>
<ds:Signature>
<ds:SignedInfo>
...
<ds:Reference URI="#...">
...
</ds:Reference>
</ds:SignedInfo>
</ds:Signature>
Kwa kumalizia, Saini za XML zinatoa njia za kubadilika za kulinda hati za XML, kila aina ikihudumia mahitaji tofauti ya muundo na usalama.
Marejeo
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.