Understanding SAML Auth Replay Protection Vulnerabilities


When testing SAML authentication, if the application hands out a new session cookie every time the same SAMLResponse is resubmitted to its Assertion Consumer Service (ACS), the service provider is not tracking which assertions it has already consumed. A captured response can then be replayed to mint sessions, which is a replay-protection vulnerability.

Reference Report:

https://lnkd.in/dqWnVnbZ

You Should Know:

1. What is a SAML Replay Attack?

A replay attack occurs when an attacker obtains a valid SAMLResponse (from an intercepted POST, a proxy log, browser history, or a leaked HAR file) and resubmits it to the ACS to obtain a session. Signature validation alone does not stop this: the replayed message still carries the IdP's valid signature. The service provider (SP) has to reject assertions it has already consumed, which in practice means three checks: InResponseTo must match an AuthnRequest the SP itself issued and has not yet satisfied; NotOnOrAfter must not have passed (allowing a small clock skew); and the assertion ID must not already be in a replay cache, which only needs to remember IDs until their NotOnOrAfter expires. An SP that skips the replay cache, or that accepts unsolicited responses without an InResponseTo match, is vulnerable.

2. Testing for Replay Vulnerabilities

Use Burp Suite or Python to replay SAML responses:

Burp Suite Steps:

1. Capture a SAMLResponse from a legitimate login (the POST to the ACS endpoint) and send the request to Repeater.
2. Resend the same request several times to the ACS endpoint, removing any session cookie returned by the previous reply so each submission is a fresh client.
3. Check whether every submission yields a new session cookie and whether the earlier sessions remain valid; a hardened SP rejects the second submission.

Python Script (Replay Test):

import requests

saml_response = "PASTE_SAML_RESPONSE_HERE"   # base64-encoded SAMLResponse captured from a legitimate login
acs_url = "https://target.com/acs"

# Each resubmission is a fresh, cookie-less client. allow_redirects=False keeps the
# Set-Cookie from the ACS response itself, which would otherwise be lost when
# requests follows the post-login redirect. If every attempt returns a new session
# cookie, the SP is not tracking consumed assertions.
for attempt in range(1, 6):
    response = requests.post(acs_url, data={"SAMLResponse": saml_response}, allow_redirects=False)
    print(f"Attempt {attempt}: status {response.status_code}, "
          f"session cookie {response.cookies.get('SESSION_ID')}")

3. Mitigation Techniques

  • Enable Replay Detection on the SP: the SP, not the IdP, validates the response, so it must check InResponseTo against its own outstanding requests, enforce NotOnOrAfter, and keep a replay cache of consumed assertion IDs for at least the assertion lifetime plus clock skew.
  • One-Time Use Assertions: have the IdP include a OneTimeUse condition and keep assertion lifetimes short, so the SP's replay cache stays small and the replay window is minutes, not hours.
  • Logout on Replay: if a replayed assertion is detected, reject it, log the event, and consider terminating the session that the original assertion created, since the assertion has evidently leaked.
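The three SP-side checks described above, put together as an added example that is not code from the original post: it decodes a SAMLResponse, verifies Destination, NotOnOrAfter and InResponseTo, and rejects any assertion ID that is already in a replay cache. The ACS URL, request IDs and timestamps are hypothetical, the SAMLResponse is constructed for the demo, and it is unsigned, so XML signature verification (which a real SP must do before any of this) is left out.

```python
# Added example, not from the original post: SP-side SAMLResponse validation with
# a replay cache keyed on the assertion ID. ACS URL, request IDs and timestamps are
# hypothetical; the response is a constructed, unsigned sample, so XML signature
# verification (which must come first in a real SP) is omitted.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ACS_URL = "https://sp.example.com/acs"   # hypothetical SP endpoint
CLOCK_SKEW = timedelta(minutes=3)        # tolerance for IdP/SP clock drift


def build_response(assertion_id, not_on_or_after, in_response_to="_req_1"):
    """Build a minimal, unsigned, base64-encoded SAMLResponse (constructed sample)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp{assertion_id}" Version="2.0" Destination="{ACS_URL}" '
        f'InResponseTo="{in_response_to}">'
        f'<saml:Assertion ID="{assertion_id}" Version="2.0">'
        f'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:OneTimeUse/></saml:Conditions>'
        f'</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


class ReplayCache:
    """Remembers consumed assertion IDs until NotOnOrAfter would reject them anyway."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which the entry can be dropped

    def seen(self, assertion_id, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge expired entries
        return assertion_id in self._seen

    def remember(self, assertion_id, expires_at):
        self._seen[assertion_id] = expires_at


def validate(saml_response_b64, cache, pending_requests, now):
    """Return (accepted, detail). pending_requests is the set of AuthnRequest IDs this SP issued."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return False, "not a samlp:Response"
    if root.get("Destination") != ACS_URL:
        return False, "Destination does not match this ACS"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    conditions = assertion.find("saml:Conditions", NS)
    not_on_or_after = datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= not_on_or_after + CLOCK_SKEW:
        return False, "assertion expired (NotOnOrAfter)"
    assertion_id = assertion.get("ID")
    # Replay protection: an assertion ID may be consumed only once within its lifetime.
    if cache.seen(assertion_id, now):
        return False, "replayed assertion ID"
    # Unsolicited or cross-request responses: InResponseTo must name a request we issued.
    request_id = root.get("InResponseTo")
    if request_id not in pending_requests:
        return False, "InResponseTo does not match an outstanding request"
    pending_requests.discard(request_id)  # each AuthnRequest is satisfied at most once
    cache.remember(assertion_id, not_on_or_after + CLOCK_SKEW)
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Run a fresh login, a replay of it, an expired assertion and an unsolicited response."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    cache, pending = ReplayCache(), {"_req_1"}
    fresh = build_response("_a1", "2025-01-01T12:05:00Z")
    return {
        "first": validate(fresh, cache, pending, now),
        "replay": validate(fresh, cache, pending, now + timedelta(seconds=30)),
        "expired": validate(build_response("_a2", "2025-01-01T11:00:00Z"), cache, {"_req_1"}, now),
        "unsolicited": validate(build_response("_a3", "2025-01-01T12:05:00Z", "_forged"), cache, set(), now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")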

Illustrative Apache configuration (SAML SP). The directives below are placeholders to show where the setting conceptually belongs; they are not real directives of mod_auth_mellon or the Shibboleth SP. In a Shibboleth SP, replay detection is configured globally through the `<ReplayCache StorageService="mem"/>` element in shibboleth2.xml rather than per Location.

<Location /secure> 
AuthType SAML 
SAMLRequireReplayProtection On 
</Location> 

4. Linux Command to Monitor SAML Logs

The SAMLResponse travels in the POST body, so it never appears in a standard access log (and not in /var/log/auth.log at all). What can be watched is the rate of POSTs to the ACS path per client; the log path and ACS path below are assumptions for an Apache-fronted SP. Explicit replay rejections are logged by the SP module itself, for example in /var/log/shibboleth/shibd.log for Shibboleth.

sudo grep 'POST /acs' /var/log/apache2/access.log | awk '{print $1, $4}' | sort | uniq -c | sort -rn | head 

5. Windows Event Log for SAML Replays

The Windows Security log has no SAML replay event, and `-like "SAMLReplay"` without wildcards is an exact match that will never hit. On an AD FS server, token issuance and validation errors are written to the AD FS/Admin log instead:

Get-WinEvent -LogName "AD FS/Admin" | Where-Object { $_.Message -like "*replay*" -or $_.Message -like "*SAML*" } | Select-Object TimeCreated, Id, Message 

What Undercode Say:

SAML replay vulnerabilities are critical in SSO implementations. Always:
– Test for replay flaws by resubmitting a captured SAMLResponse, with Burp Repeater or a script.
– Enforce time-bound assertions (NotOnOrAfter) and a replay cache of consumed assertion IDs on the SP.
– Monitor SP and web server logs for repeated submissions to the ACS endpoint.
– Use WAF rules to rate-limit or block repeated ACS submissions from one client, as a backstop rather than a replacement for SP-side checks.

Expected Output: A secure SAML implementation that rejects replayed assertions and logs unauthorized attempts.

Reported By: 0xbartita Bugbounty – Hackers Feeds