
O'Dea Assertions Untwining the Security of the SAML Protocol

Offered By: nullcon via YouTube

Course Description

Overview

Dive deep into the intricacies of SAML protocol security in this 40-minute conference talk from nullcon Goa 2014. Explore the critical role of Security Assertion Markup Language (SAML) in single sign-on (SSO) systems and its importance in exchanging authentication and authorization data. Examine potential vulnerabilities in SAML implementations, including XML signature-related attacks like Signature Exclusion and Signature Wrapping (XSW). Learn about the necessity of secure implementation and fuzz testing of SAML attributes. Discover approaches to asynchronously fuzz SAML assertions for identifying issues in proprietary implementations. Cover topics such as cloud applications, federation, SAML components, web services, transport-level SSL, real-world attacks, and methods for securing SAML against various threats.

Syllabus

Introduction
Cloud Applications
Multiple User Names
What happened
What is SAML
What is Federation
Single Sign On
SAML Components
Who
Sample Assertion
Assertions
Request response
Web services
Alternative to Web services
Security of SAML
Authentication
Transport Level SSL
Real Attacks
External Signature
Signature Wrapping Attacks
Stack Overflow
Vulnerabilities
SAML PHP
SAML complications
Canonicalization and Entity Expansion
Denial of Service Attacks
Attributes
Securing SAML
Signature Roughing Attacks
Taught by

nullcon
