This page contains complementary material related to the following paper:
- Title: Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
- Authors: Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
- DOI: 10.1007/978-3-030-64455-0_5
Abstract
Identity Management (IdM) solutions are increasingly important for digital infrastructures of both enterprises and public administrations. Their security is a mandatory pre-requisite for building trust in current and future digital ecosystems. Unfortunately, not only their secure deployment but even their usage are non-trivial activities that require a good level of security awareness. In order to test whether known exploits can be reproduced in different environments, better understand their effects and facilitate the discovery of new vulnerabilities, we need to have a reliable testbed. For this, we present Micro-Id-Gym which abstractly supports two main activities: the creation of sandboxes with an IdM protocol deployment and the pentesting of IdM protocol deployments in the wild or in the laboratory (on the created sandboxes).Complementary Material
SAML Tests
In Section 3.1 of the paper we mentioned a list of SAML tests. The table below reports all the tests that the Pentesting tool perform in SAML implementations.
| Security Test | Prot. | Provider | P/A | Description | Mitigation |
|---|---|---|---|---|---|
| Missing Service Provider | S | IdP | P | Check whether the Issuer element is present in the SAML request. | Configure the IdP to accept only SAML request with Issuer attribute. |
| Missing Audience element | S | IdP | P | Check whether the Audience element is present in the SAML assertion. | Configure the IdP to include Audience element in the SAML assertion. |
| Missing OneTimeUse attribute | S | IdP | P | Check whether OneTimeUse attribute is present in the SAML assertion. | Configure the IdP to include OneTimeUse attribute in the SAML assertion. |
| Missing NotOnOrAfter attribute | S | IdP | P | Check whether NotOnOrAfter attribute is present in the SAML assertion. | Configure the IdP to include NotOnOrAfter attribute in the SAML assertion. |
| Missing InResponseTo attribute | S | IdP | P | Check whether InResponseTo attribute is present in the SAML assertion. | Configure the IdP to include InResponseTo attribute in the SAML assertion. |
| Missing Recipient in SubjectConfirmationData | S | IdP | P | Check whether Recipient attribute is present in the SAML assertion. | Configure the IdP to include Recipient attribute in SubjectConfirmationData element of SAML assertion. |
| Missing check on Recipient element | S | SP | P | Check whether the Recipient attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with Recipient attribute. |
| Missing check on the InResponseTo attribute | S | SP | P | Check whether the InResponseTo attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with InResponseTo attribute. |
| Missing check on NotOnOrAfter attribute | S | SP | P | Check whether the NotOnOrAfter attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with NotOnOrAfter attribute. |
| Missing check on Destination element | S | SP | P | Check whether the Destination element is present in the SAML assertion. | Configure the Client to accept only SAML assertions with Destination element. |
| Missing OneTimeUse attribute | S | SP | P | Check whether the OneTimeUse attribute is present in the SAML assertion. | Configure the Client to accept only SAML assertions with OneTimeUse attribute. |
| Missing check on Audience element | S | SP | P | Check whether the Audience element is present in the SAML assertion. | Configure the Client to accept only SAML assertions with Audience element. |
| Alteration of the Relay State parameter | S | SP | A | Changes value of Relay State parameter. | Configure the Sanitize the value of Relay State parameter. |
| Session Fixation | S | SP | A | Check whether the implementation suffers the session vulnerability. | Handle properly the user sessions. |
| Missing check on Canonicalization algorithm | S | Any | P | Check if the Canonicalization algorithm used by the XML parser encode also comments. | Change XML parser Canonicalization algorithm to one that includes comments. |
Tool
Micro-Id-Gym offers on the one hand (in the laboratory) an easy way to configure the production environment in a sandbox where pentesters can develop hands-on experiences on how IdM solutions work, by performing attacks with high impacts and better understand the underlying security issues. On the other hand (in the wild) a set of pentesting tools for the automatic security analysis of IdM protocols are provided.
Demonstration Video
Download
- Click here to download the tool.
