saml-sso-assertion-attacks

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SKILL: SAML SSO and Assertion Attacks — Signature Validation, Binding, and Trust Confusion

SKILL: SAML SSO与断言攻击——签名验证、绑定与信任混淆

AI LOAD INSTRUCTION: Use this skill when the target uses SAML-based SSO and you need to validate assertion trust: signature coverage, audience and recipient checks, ACS handling, XML parsing weaknesses, and IdP/SP confusion.

AI加载说明：当目标使用基于SAML的SSO，你需要验证断言信任相关问题时使用本技能：包括签名覆盖范围、受众与接收方检查、ACS处理、XML解析弱点、以及IdP/SP混淆问题。

1. WHEN TO LOAD THIS SKILL

1. 何时加载本技能

Load when:

Enterprise SSO uses SAML requests or responses
You see
```
SAMLRequest
```
,
```
SAMLResponse
```
, XML assertions, or ACS endpoints
Login flows involve an external IdP and browser POST/redirect binding

加载场景：

企业SSO使用SAML请求或响应
你发现了
```
SAMLRequest
```
、
```
SAMLResponse
```
、XML断言或ACS端点
登录流程涉及外部IdP和浏览器POST/重定向绑定

2. HIGH-VALUE MISCONFIGURATION CHECKS

2. 高价值错误配置检查项

Theme	What to Check
signature validation	unsigned assertion accepted, wrong node signed, signature wrapping
audience and recipient	weak `Audience` , `Recipient` , `Destination` , or ACS validation
issuer trust	wrong IdP accepted or multi-tenant issuer confusion
replay and freshness	missing `InResponseTo` , weak `NotBefore` / `NotOnOrAfter` enforcement
account mapping	email-only binding, case folding, unverified attributes
XML parser behavior	XXE-like parser issues or unsafe transforms around SAML documents

主题	检查内容
签名验证	接受未签名断言、签名节点错误、签名封装
受众与接收方	薄弱的 `Audience` 、 `Recipient` 、 `Destination` 或ACS验证
颁发者信任	接受错误的IdP或多租户颁发者混淆
重放与时效性	缺少 `InResponseTo` 、 `NotBefore` / `NotOnOrAfter` 执行力度弱
账户映射	仅绑定邮箱、大小写折叠、未验证属性
XML解析器行为	SAML文档相关的类XXE解析器问题或不安全转换

3. QUICK TRIAGE

3. 快速排查

Capture one full login round trip.
Inspect which XML nodes are signed and which attributes drive account binding.
Compare SP-initiated and IdP-initiated flows.
Test replay, altered attributes, and assertion placement confusion.

捕获一次完整的登录往返流程。
检查哪些XML节点已签名，以及哪些属性驱动账户绑定。
对比SP发起和IdP发起的流程。
测试重放、属性篡改和断言放置混淆问题。

4. RELATED ROUTES

4. 相关路径

XML parser attack depth: xxe xml external entity
OAuth or OIDC SSO alternatives: oauth oidc misconfiguration
Auth boundary issues after SSO: authbypass authentication flaws

XML解析器攻击深度：xxe xml external entity
OAuth或OIDC SSO替代方案：oauth oidc misconfiguration
SSO后的认证边界问题：authbypass authentication flaws