Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


SAML, The p0wnage

August 01, 2018 by Marc Handelman in SAML, Information Security

Oh, How Sweet It Is*... via the superlative Anitian Blog, and of course writer Rick Osgood, comes this tremendous piece titled 'Owning SAML', in which the p0wning of SAML, and the fix thereof, is revealed. It's a great read, and highly recommended; enjoy.

(*Jackie Gleason, in The Honeymooners)


SAML Flaws Discovered With SSO Implications →

February 28, 2018 by Marc Handelman in SAML, Security, Secure Coding, Security Architecture, Authentication, SSO

Kelby Ludwig, writing at Duo Labs, has just posted a fascinating blog entry detailing their recent discovery of SAML vulns potentially affecting a range of implementations and deployments. In this case the attacker needs no knowledge of the victim's password: an ordinary authenticated account on the same SSO system is enough to be logged in as a different user. H/T

"This blog post describes a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password." - via Duo Labs' Kelby Ludwig

Oops.
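The mechanism behind that quote, as Duo described it, is an XML comment spliced into the NameID: the assertion signature covers the canonicalized XML, and exclusive canonicalization drops comments, so the signature stays valid, while several SAML libraries read the NameID with a "first text node" accessor that stops at the comment. The script below is an added example written for this post, not code from Duo or from this blog; it uses only the Python standard library, the sample assertion is constructed, and the HMAC stands in for the real XML-DSig signature (a deliberate simplification).

```python
"""Added example: an XML comment in a SAML NameID turns a signed assertion
for the attacker's own account into one that a naive reader treats as the
victim's. Standard library only; HMAC is a stand-in for XML-DSig."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample assertion (not a real IdP response). The attacker owns
# the account "user@example.com.evil.com"; the victim is "user@example.com".
ASSERTION = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<Subject><NameID>user@example.com.evil.com</NameID></Subject>'
    '</Assertion>'
)
# The same assertion after the attacker inserts an empty comment into the NameID.
TAMPERED = ASSERTION.replace(
    'user@example.com.evil.com', 'user@example.com<!---->.evil.com'
)
# Assumption for the demo: a shared HMAC key instead of the IdP's RSA key.
IDP_KEY = b'demo-idp-signing-key'


def canonicalize(xml_text: str) -> str:
    """Canonical form as XML-DSig references it: comments are dropped."""
    return ET.canonicalize(xml_text, with_comments=False)


def sign(xml_text: str) -> str:
    """Stand-in for the IdP signing the canonical assertion."""
    data = canonicalize(xml_text).encode()
    return hmac.new(IDP_KEY, data, hashlib.sha256).hexdigest()


def verify(xml_text: str, signature: str) -> bool:
    """Stand-in for the SP checking the signature over the canonical form."""
    return hmac.compare_digest(sign(xml_text), signature)


def naive_name_id(xml_text: str) -> str:
    """How a vulnerable library read the NameID: first text node only.

    minidom keeps comment nodes, so the NameID's children are
    Text("user@example.com"), Comment(""), Text(".evil.com") and
    firstChild.data is just the victim's identifier."""
    node = minidom.parseString(xml_text).getElementsByTagName('NameID')[0]
    return node.firstChild.data


def safe_name_id(xml_text: str) -> str:
    """Hardened read: refuse anything but text inside NameID, join all of it."""
    node = minidom.parseString(xml_text).getElementsByTagName('NameID')[0]
    parts = []
    for child in node.childNodes:
        if child.nodeType != child.TEXT_NODE:
            raise ValueError(f'unexpected {child.nodeName} node inside NameID')
        parts.append(child.data)
    return ''.join(parts)


def rejects(xml_text: str) -> bool:
    """True if the hardened reader refuses the assertion."""
    try:
        safe_name_id(xml_text)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Walk through the attack: IdP signs the attacker's assertion, the
    attacker adds the comment, the SP's signature check still passes, and
    the naive reader hands back the victim's identity."""
    signature = sign(ASSERTION)
    return {
        'signature_still_valid': verify(TAMPERED, signature),  # True
        'naive_user': naive_name_id(TAMPERED),                 # 'user@example.com'
        'safe_reader_rejects': rejects(TAMPERED),              # True
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

The fix Duo recommended for affected libraries was on the extraction side (take the full text content of the element, or reject NameIDs with child nodes), not on the signature side; the hardened reader above does the stricter of the two. Real signatures are computed over a SignedInfo that holds a digest of the canonicalized element rather than directly over the element, but the comment-stripping step that makes the tampered copy verify is the same.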


BSides Nashville 2017, Bruce Wilson's 'Trust But Verify Your SAML Service Providers' →

May 22, 2017 by Marc Handelman in BSides, Information Security, SAML

On SAML, The Breaking

September 04, 2015 by Marc Handelman in All is Information, Education, Information Security, SAML

On SAML, The Chalk Talk →

September 04, 2015 by Marc Handelman in All is Information, Information Security, SAML