Int 275 #30

Merged
iguanajazz merged 8 commits into master from INT-275
Jun 4, 2015

Conversation

@iguanajazz (Contributor)

Status

READY

Migrations

NO

Description

Add security to avoid user impersonation / authentication bypass

Deploy Notes

Configure files:

sample/src/main/webapp/index.jsp
  set AssertionConsumerServiceUrl if necessary
  set Issuer if necessary
  set IdpSsoTargetUrl with your OneLogin SAML app information

sample/src/main/webapp/consume.jsp
  set certificateS with your app X.509 Certificate

Steps to Test or Reproduce

  1. Install the core code into your local Maven repository with:
    mvn install
  2. Run the web app sample which depends on this code:
    cd sample
    mvn jetty:run
  3. Navigate to http://localhost:8080
  4. Attempt SSO to the toolkit. After authentication it will make a final POST containing the SAML data. (You will have to base64 decode the data to see the XML structure.)
  5. Insert a misspelled assertion with a correct xmlns. This must be in front of the valid assertion. The test inserts an assertion with a NameID of "leavey" in front of the valid assertion with a NameID of testuser1. Search for "Assetion" in the data; this is the misspelled assertion tag.
  6. An error page must be shown.
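The check that steps 4 to 6 exercise, as an added example in Python rather than the project's Java (this is not code from the pull request): a loose "first NameID anywhere in the document" lookup picks up the misspelled element inserted in front of the genuine assertion, while a strict lookup that only accepts known children of Response and exactly one namespace-qualified Assertion rejects the response, which is what should drive the error page. The IdP URL, assertion ID and the response strings are constructed samples; XML signature verification is a separate step not shown here.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}


def sample_response(with_bogus_assertion: bool) -> str:
    """Constructed sample modelled on the PR test: a misspelled <saml:Assetion>,
    in the correct namespace, placed in front of the genuine assertion."""
    bogus = ('<saml:Assetion><saml:Subject><saml:NameID>leavey</saml:NameID>'
             '</saml:Subject></saml:Assetion>') if with_bogus_assertion else ''
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">'
            '<saml:Issuer>https://idp.example.test/</saml:Issuer>'  # constructed IdP
            '<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'{bogus}'
            '<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test/</saml:Issuer>'
            '<saml:Subject><saml:NameID>testuser1</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')


def naive_name_id(xml: str) -> str:
    """Loose lookup: the first NameID anywhere in the document wins, regardless
    of which element it sits under. This is the behaviour the PR test defeats."""
    return ET.fromstring(xml).find(".//saml:NameID", NS).text


def strict_name_id(xml: str) -> str:
    """Hardened lookup: every child of Response must be a known element, there
    must be exactly one saml:Assertion, and the NameID must be that assertion's
    own Subject/NameID. Anything else raises ValueError."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("root element is not samlp:Response")
    allowed = {f"{{{SAML_NS}}}Issuer", f"{{{SAMLP_NS}}}Status",
               f"{{{SAMLP_NS}}}Extensions", f"{{{DS_NS}}}Signature",
               f"{{{SAML_NS}}}Assertion", f"{{{SAML_NS}}}EncryptedAssertion"}
    for child in root:  # the misspelled <saml:Assetion> fails here
        if child.tag not in allowed:
            raise ValueError(f"unexpected element under Response: {child.tag}")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    name_ids = assertions[0].findall("saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1:
        raise ValueError("Assertion must carry exactly one Subject/NameID")
    return name_ids[0].text
```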

Contributor commented:

Remove the spaces

@pitbulk (Contributor)

pitbulk commented Jun 4, 2015

🐠

Keep adding validations! We want this toolkit as secure as the PHP/Python/Ruby toolkits! gogogo!

iguanajazz added a commit that referenced this pull request Jun 4, 2015
@iguanajazz iguanajazz merged commit 4a75209 into master Jun 4, 2015