11:35 a.m.
I've been looking at how/if
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-impl…
affects pyFF or pyXMLSecurity.
First some basic facts/observations:
- pyFF deals with SAML metadata and not SAML messages so
the vuln described by the DUO team doesn't apply to pyFF.
- its easy to imagine SAML-metadata based attacks that
would be similar to this (if perhaps more difficult in
practice).
- pyXMLSecurity is is the default choice in pyFF but
not the default choice in pySAML2 for xml signature and
verification.
Ever since the wrapping attacks that came out a few years
ago pyXMLSecurity has taken the position that the library
should only return a /processed/ reference from validation.
The xmlsec.verfied function does precisely this and I
have done some initial unit-tests that seem to indicate
that it does so correctly - i.e the references returned
by xmlsec.verified do not contain in-text comments unless
#WithComment c14 method is used. However these are early
results and I'll need to do more poking around to be sure.
There are of course ways to shoot yourself in the foot
anyway. For instance if your code does
xml = parse_xml(some_text)
if xmlsec.verify(xml):
use_bits_from(xml)
Then you're up the creek without a paddle. Instead you
need to do
xml = parse_xml(some_text)
verified_xml = xmlsec.verified(xml)
if verified_xml:
use_bits_from(verified_xml)
Thats it for now... more later.
Cheers Leif
Cheers Leif