
I want to analyze the SSO protocol/traffic that is deployed in real environments, such as commercial websites. The challenge is that most of them are black boxes.

Scenario 1. I read several papers about SSO analysis. Most of them developed their own SSO traffic analyzer, which can turn SSO-related HTTP traffic into a human-readable format. But they normally do not explain the technical details or publish their tools.

Scenario 2. Another method someone advised me here is to analyze it through the web browser debugger. But the challenges are that: 1. the HTTP traffic shown in the debugger is not human readable; 2. there is too much HTTP traffic to focus on SSO-related traffic only.

Scenario 3. I tried several browser add-ons, such as SAML Tracer (Chrome) and SSO Tracer (Firefox). They were useful for tracing SSO traffic on demo websites only, but failed on commercial websites, such as Google/Facebook/Yahoo-login-enabled websites (SSO service providers for OpenID/SAML IdPs).

My questions are:

  1. What is the reason for scenario 3?

  2. Please suggest a practical methodology to analyze SSO traffic.

TJCLK

1 Answer

Here is a presentation on SSO theory (PDF) -- https://www.compass-security.com/fileadmin/Datein/Research/Praesentationen/area41_2016_saml.pdf -- that introduced the SAMLRaider BApp for Burp Suite -- http://www.toolswatch.org/2015/12/new-tool-saml-raider-v1-1-1-saml2-burp-extension/

Another great BApp for Burp Suite, SAMLReQuest, is detailed here -- https://www.insinuator.net/2016/06/samlrequest-burpsuite-extention/

This author went into detail on an XXE security bug found in a SAML app -- https://seanmelia.wordpress.com/2016/01/09/xxe-via-saml/ -- but I really enjoyed this post from the SendSafely and Gotham Digital Science teams -- https://blog.sendsafely.com/web-based-single-sign-on-and-the-dangers-of-saml-xml-parsing

atdre
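As an added example (not code from the question or the answer above), this is the decoding step the question calls "turning SSO-related HTTP traffic into a human-readable format": a SAMLRequest/SAMLResponse parameter is base64 in the HTTP-POST binding and additionally raw-DEFLATE-compressed in the HTTP-Redirect binding, which is why the value seen in a browser debugger is opaque. The hostnames and the AuthnRequest are constructed for the demo.

```python
"""Decode SAML messages found in HTTP traffic (Redirect and POST bindings)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

def decode_saml_message(value: str) -> str:
    """Base64-decode a SAMLRequest/SAMLResponse value. The HTTP-POST binding carries
    plain XML; the HTTP-Redirect binding raw-DEFLATEs the XML before base64."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):        # heuristic: already XML -> POST binding
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw deflate, no zlib header

def extract_from_url(url: str) -> dict:
    """Pull and decode the SAML parameters from an SP->IdP (or IdP->SP) redirect URL."""
    qs = parse_qs(urlparse(url).query)
    out = {n: decode_saml_message(qs[n][0]) for n in ("SAMLRequest", "SAMLResponse") if n in qs}
    if "RelayState" in qs:
        out["RelayState"] = qs["RelayState"][0]
    return out

def summarize(xml_text: str) -> dict:
    """The fields an analyst checks first: message type, issuer, destination, ID."""
    root = ET.fromstring(xml_text)
    issuer = root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Issuer")
    return {"type": root.tag.rsplit("}", 1)[-1],
            "issuer": issuer.text if issuer is not None else None,
            "destination": root.get("Destination"), "id": root.get("ID")}

def build_redirect_url(idp_sso_url: str, xml_text: str, relay_state: str = None) -> str:
    """Encode like an SP using the Redirect binding (raw deflate + base64 + URL-encode);
    used here only to produce sample traffic for the decoder."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"

# Constructed sample AuthnRequest (hypothetical hosts, not captured from any real site).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2016-06-01T12:00:00Z" Destination="https://idp.example.test/sso">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>'
)

if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/sso", SAMPLE_AUTHN_REQUEST, "/home")
    for name, value in extract_from_url(url).items():
        print(name, summarize(value) if name != "RelayState" else value)
```

The same `decode_saml_message` applies to a SAMLResponse copied out of a POST body in the debugger; from there, filtering the request list to URLs carrying these parameters is what separates the SSO exchange from the rest of the page traffic.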