This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 1.4.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 3ba98de76d164c2eb4d98e019230792bc63c70e8
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Thu May 17 17:22:35 2018 +0100

    Adding entity expansion attacks for SAML SSO
---
 systests/tests/pom.xml | 5 ++
 .../cxf/fediz/integrationtests/AbstractTests.java | 71 ++++++++++++++++------
 2 files changed, 59 insertions(+), 17 deletions(-)

diff --git a/systests/tests/pom.xml b/systests/tests/pom.xml
index 57c2486..34d3561 100644
--- a/systests/tests/pom.xml
+++ b/systests/tests/pom.xml
@@ -45,6 +45,11 @@
 <version>${project.version}</version>
 </dependency>
 <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-core</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+ <dependency>
 <groupId>net.sourceforge.htmlunit</groupId>
 <artifactId>htmlunit</artifactId>
 <version>${htmlunit.version}</version>
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 8cb8abf..c5f2425 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -19,6 +19,9 @@ package org.apache.cxf.fediz.integrationtests;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.util.ArrayList;
@@ -41,11 +44,14 @@ import com.gargoylesoftware.htmlunit.util.NameValuePair;
 import com.gargoylesoftware.htmlunit.xml.XmlPage;
 import org.apache.commons.io.IOUtils;
+import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.xml.security.keys.KeyInfo;
 import org.apache.xml.security.signature.XMLSignature;
@@ -736,10 +742,6 @@ public abstract class AbstractTests {
 @Test
 public void testEntityExpansionAttack() throws Exception {
- if (!isWSFederation()) {
- return;
- }
-
 String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
 String user = "alice";
 String password = "ecila";
@@ -765,18 +767,37 @@ public abstract class AbstractTests {
 String reference = "&m;";
 for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
 // Now modify the Signature
 String value = result.getAttributeNS(null, "value");
- value = entity + value;
- value = value.replace("alice", reference);
- result.setAttributeNS(null, "value", value);
+
+ if (isWSFederation()) {
+ value = entity + value;
+ value = value.replace("alice", reference);
+ result.setAttributeNS(null, "value", value);
+ } else {
+ // Decode response
+ byte[] deflatedToken = Base64Utility.decode(value);
+ InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+ Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
+
+ // Modify SignatureValue to include the entity
+ String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+ Node signatureValue =
+ responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+ signatureValue.setTextContent(reference + signatureValue.getTextContent());
+
+ // Re-encode response
+ String responseMessage = DOM2Writer.nodeToString(responseDoc);
+ result.setAttributeNS(null, "value", Base64Utility.encode((entity + responseMessage).getBytes()));
+ }
 }
 }
 // Invoke back on the RP
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlForm form = idpPage.getFormByName(getLoginFormName());
 final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
 try {
@@ -792,9 +813,6 @@ public abstract class AbstractTests {
 @Test
 public void testEntityExpansionAttack2() throws Exception {
- if (!isWSFederation()) {
- return;
- }
 String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
 String user = "alice";
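Review bot: The SAML branch added inside the `for` loop here is repeated verbatim in the `@@ -822,18 +840,37 @@` hunk of testEntityExpansionAttack2, and both copies carry the same two small issues: `(entity + responseMessage).getBytes()` encodes with the platform default charset while the parse side hard-codes `"UTF-8"` as a string name, and `deflatedToken` names a value that is only Base64-decoded before it is handed to `StaxUtils.read`. Moving the decode/modify/re-encode steps into a private helper removes the duplication and lets both tests use `result.setAttributeNS(null, "value", injectEntityIntoSamlResponse(value, entity, reference));` in the `else` branch. The helper below uses `StandardCharsets.UTF_8` on both sides (it needs `import java.nio.charset.StandardCharsets;`) and fails with an explicit message when the response carries no `SignatureValue`, instead of a bare NullPointerException on `item(0)`. The enclosing testEntityExpansionAttack method, where `entity` and `results` are defined, begins before this hunk and ends after it.
```java
// … unchanged: rest of testEntityExpansionAttack …

/**
 * Base64-decodes a SAML Response form value, prefixes the entity reference to its
 * SignatureValue, prepends the DOCTYPE that declares the entity and re-encodes the result.
 */
private static String injectEntityIntoSamlResponse(String encodedResponse, String entity, String reference)
    throws Exception {
    // The form value is Base64 only (no DEFLATE), so it can be parsed straight after decoding
    byte[] decodedResponse = Base64Utility.decode(encodedResponse);
    Document responseDoc;
    try (InputStream inputStream = new ByteArrayInputStream(decodedResponse)) {
        responseDoc = StaxUtils.read(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
    }

    String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
    Node signatureValue =
        responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
    if (signatureValue == null) {
        throw new IllegalStateException("SAML Response contains no SignatureValue element");
    }
    signatureValue.setTextContent(reference + signatureValue.getTextContent());

    String responseMessage = DOM2Writer.nodeToString(responseDoc);
    return Base64Utility.encode((entity + responseMessage).getBytes(StandardCharsets.UTF_8));
}
```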
@@ -822,18 +840,37 @@ public abstract class AbstractTests {
 String reference = "&m;";
 for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
 // Now modify the Signature
 String value = result.getAttributeNS(null, "value");
- value = entity + value;
- value = value.replace("alice", reference);
- result.setAttributeNS(null, "value", value);
+
+ if (isWSFederation()) {
+ value = entity + value;
+ value = value.replace("alice", reference);
+ result.setAttributeNS(null, "value", value);
+ } else {
+ // Decode response
+ byte[] deflatedToken = Base64Utility.decode(value);
+ InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+ Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
+
+ // Modify SignatureValue to include the entity
+ String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+ Node signatureValue =
+ responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+ signatureValue.setTextContent(reference + signatureValue.getTextContent());
+
+ // Re-encode response
+ String responseMessage = DOM2Writer.nodeToString(responseDoc);
+ result.setAttributeNS(null, "value", Base64Utility.encode((entity + responseMessage).getBytes()));
+ }
 }
 }
 // Invoke back on the RP
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlForm form = idpPage.getFormByName(getLoginFormName());
 final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
 try {
-- 
To stop receiving notification emails like this one, please contact cohei...@apache.org.