SAML Signature Bypass Scanner
Identifies SAML signature validation vulnerabilities.
What is SAML Signature Bypass?
SAML Signature Bypass vulnerabilities allow attackers to forge SAML assertions without valid signatures. This can occur through XML signature wrapping attacks, comment injection, incomplete signature coverage, or implementations that check signatures but don't verify the signed content matches what's processed.
Why is This Important?
SAML is widely used for enterprise Single Sign-On. Signature bypass means attackers can forge assertions claiming to be any user, typically gaining admin access to critical business applications. These vulnerabilities have affected major SAML libraries and led to widespread enterprise breaches.
How It Works
1. Auth Flow Analysis
Maps authentication mechanisms including login, registration, password reset, and session management flows.
2. Security Testing
Tests for authentication bypasses, weak credentials, session flaws, and token vulnerabilities.
3. Access Verification
Validates findings by demonstrating unauthorized access or privilege escalation paths.
Key Capabilities
Comprehensive authentication security testing to protect user accounts and prevent unauthorized access.
- Complete authentication flow analysis
- Token and session security validation
- Password policy and brute-force testing
- Multi-factor authentication bypass detection
- OAuth, SAML, and JWT security assessment
Frequently Asked Questions
What is XML Signature Wrapping (XSW)?
XSW attacks exploit how XML signatures reference elements by ID. Attackers duplicate the signed element, modify the copy (e.g., change the username), and manipulate references so the signature validates against the original while the application processes the modified copy.
How do comment injection attacks work?
Some XML parsers handle comments differently for signature validation vs. content extraction. Inserting a comment like 'admin<!---->@attacker.com' might validate as 'admin' but be processed as 'admin@attacker.com', bypassing identity checks.
What are common SAML implementation mistakes?
Common mistakes include not verifying signatures at all, checking that a signature is present but not that it is valid, not verifying that the right element is signed, accepting signatures from any certificate, not validating the certificate chain, and ignoring signature validation errors.
How do I secure SAML signature validation?
Use well-maintained SAML libraries, validate that the correct assertion is signed (not just any element), verify certificate chains and trust, reject assertions with XML comments in critical fields, implement strict XML parsing, test with known XSW payloads, and log validation failures.
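The three answers above (XSW, comment injection, and the hardening list) describe structural checks that sit around the cryptographic signature check. The following Python block is an added example written for this page; it is not the scanner's code nor any SAML library's API. It deliberately leaves XML-DSig cryptography to a maintained library and only enforces what that step leaves open: the element the Reference points at is the one that gets processed, no extra Assertion rides along, NameID and AttributeValue carry no XML comments, DOCTYPEs are refused, and every rejection is logged. The SAML documents, IDs (`_a1`, `_evil`), names (`alice`, `corp.example`) and function names are all constructed for the example.

```python
"""Structural checks around SAML signature validation (added example, not the scanner's
own code). Cryptographic XML-DSig verification is left to a maintained library; these
checks cover what that step leaves open. The SAML samples at the end are constructed."""
import logging
from xml.dom import minidom
from xml.dom.minidom import Node

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
log = logging.getLogger("saml.validation")

class SamlValidationError(Exception):
    """Any structural problem; the caller must treat it as a hard reject."""

def _fail(reason):
    log.warning("SAML response rejected: %s", reason)  # every validation failure is logged
    raise SamlValidationError(reason)

def _elements_by_id(doc, ident):
    # minidom has no ID-typed attributes without a DTD, so match the attribute by hand.
    return [e for e in doc.getElementsByTagName("*") if e.getAttribute("ID") == ident]

def _has_comment(element):  # True if an XML comment node appears anywhere below element
    return any(c.nodeType == Node.COMMENT_NODE or (c.nodeType == Node.ELEMENT_NODE and _has_comment(c))
               for c in element.childNodes)

def first_text_node(element):
    """What a naive '.firstChild.data' extraction yields: the text before the first comment."""
    child = element.firstChild
    return child.data if child is not None and child.nodeType == Node.TEXT_NODE else ""

def all_text(element):
    """All character data with comments skipped, i.e. what canonicalisation feeds the signature."""
    return "".join(c.data for c in element.childNodes if c.nodeType == Node.TEXT_NODE)

def signed_assertion(doc):
    """Resolve the Signature's Reference and return the Assertion it actually covers."""
    sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature")
    if len(sigs) != 1:
        _fail(f"expected exactly one Signature, found {len(sigs)}")
    refs = sigs[0].getElementsByTagNameNS(DSIG_NS, "Reference")
    if len(refs) != 1:
        _fail(f"expected exactly one Reference, found {len(refs)}")
    uri = refs[0].getAttribute("URI")
    if not uri.startswith("#"): _fail(f"only same-document references are accepted, got {uri!r}")
    targets = _elements_by_id(doc, uri[1:])
    if len(targets) != 1:
        _fail(f"ID {uri[1:]!r} resolves to {len(targets)} elements, must be unique")
    target = targets[0]
    if (target.namespaceURI, target.localName) != (SAML_NS, "Assertion"):
        _fail("signed element is not a saml:Assertion")
    if sigs[0].parentNode is not target:
        _fail("Signature is not enveloped in the Assertion it references")
    if len(doc.getElementsByTagNameNS(SAML_NS, "Assertion")) != 1:
        _fail("more than one Assertion present; the extra copies are unsigned")
    return target

def validate_response(xml_text):
    """Return the identity carried by the signed Assertion, or raise SamlValidationError."""
    doc = minidom.parseString(xml_text)
    if doc.doctype is not None:
        _fail("DOCTYPE is not allowed in a SAML response")  # strict parsing
    assertion = signed_assertion(doc)
    name_ids = assertion.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(name_ids) != 1: _fail("Assertion must carry exactly one NameID")
    for field in name_ids + assertion.getElementsByTagNameNS(SAML_NS, "AttributeValue"):
        if _has_comment(field):
            _fail(f"XML comment inside {field.tagName}: naive view {first_text_node(field)!r},"
                  f" full text {all_text(field)!r}")
    return {"assertion_id": assertion.getAttribute("ID"), "name_id": all_text(name_ids[0])}

def rejection_reason(xml_text):  # None if the response passes, otherwise the logged reason
    try:
        validate_response(xml_text)
        return None
    except SamlValidationError as err:
        return str(err)

def name_id_views(xml_text):  # (first-text-node, full-text) of the first NameID, unvalidated
    field = minidom.parseString(xml_text).getElementsByTagNameNS(SAML_NS, "NameID")[0]
    return first_text_node(field), all_text(field)

# Constructed samples; SignatureValue is a placeholder because only structure is checked here.
def _sig(ref_id):
    return (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo><ds:Reference URI="#{ref_id}"/>'
            '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')

def _assertion(ident, name_id, signature=""):
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{ident}">{signature}'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>')

def _response(*parts):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(parts) + "</samlp:Response>")

GENUINE = _response(_assertion("_a1", "alice", _sig("_a1")))
# XSW: forged copy first (where a "take the first Assertion" app reads), original in a wrapper.
WRAPPED = _response(_assertion("_evil", "admin"), "<samlp:Extensions>",
                    _assertion("_a1", "alice", _sig("_a1")), "</samlp:Extensions>")
# Comment injection: an empty comment splits the NameID into two text nodes.
COMMENTED = _response(_assertion("_a1", "alice<!---->@corp.example", _sig("_a1")))
```

The order of operations is the point: the validator resolves the Reference first and processes only the element it names, never "the first Assertion in document order", so the wrapped sample is rejected even though its signature would verify. For the comment case, `name_id_views(COMMENTED)` returns `('alice', 'alice@corp.example')`, the two views the FAQ answer describes; rather than guessing which one is right, `validate_response` refuses any critical field that contains a comment. In production the same element object returned by `signed_assertion` must be the one handed to the library that checks the signature bytes.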
Ready to secure your application?
Start testing for SAML signature bypass vulnerabilities today.