Category: Authentication · Severity: High

SAML XXE Scanner

Tests for XXE vulnerabilities in SAML assertion processing.

What is SAML XXE?

SAML XXE (XML External Entity) vulnerabilities occur when SAML processors parse malicious XML containing external entity declarations. Attackers inject XXE payloads into SAML requests or responses to read local files, perform SSRF attacks, or cause denial of service through entity expansion.

Why is This Important?

SAML's XML-based nature makes XXE a significant risk. Successful exploitation can expose sensitive files like /etc/passwd, AWS credentials, or private keys. It can also enable SSRF to access internal services, exfiltrate data, or pivot within the network—all through the authentication layer.

How It Works

1. Auth Flow Analysis

Maps authentication mechanisms including login, registration, password reset, and session management flows.

2. Security Testing

Tests for authentication bypasses, weak credentials, session flaws, and token vulnerabilities.

3. Access Verification

Validates findings by demonstrating unauthorized access or privilege escalation paths.

Key Capabilities

Comprehensive authentication security testing to protect user accounts and prevent unauthorized access.

  • Complete authentication flow analysis
  • Token and session security validation
  • Password policy and brute-force testing
  • Multi-factor authentication bypass detection
  • OAuth, SAML, and JWT security assessment

Frequently Asked Questions

Where can XXE payloads be injected in SAML?

Injection points include: SAML requests from clients, SAML responses (if the SP can be tricked into parsing attacker-controlled responses), SAML metadata files, and any XML document processed during SAML flows. Both IdP and SP can be vulnerable.

What can attackers achieve with SAML XXE?

  • File disclosure: read sensitive files on the server.
  • SSRF: access internal services and cloud metadata.
  • DoS: billion laughs attack for memory exhaustion.
  • Data exfiltration: send file contents to external servers.
  • Port scanning: probe the internal network through error-based XXE.

Why is SAML particularly susceptible to XXE?

SAML requires XML parsing by design. Many SAML libraries use XML parsers with dangerous defaults. SAML often processes external input (assertions from IdPs). The complexity of SAML means developers may not realize all parsing points. Legacy implementations use older, vulnerable parsers.

How do I prevent SAML XXE attacks?

Disable external entities and DTDs in your XML parser, use SAML libraries that handle this automatically, validate and sanitize all SAML XML before parsing, use modern SAML libraries with secure defaults, implement input length limits, and test with XXE payloads.
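The mitigation list above, as an added example that is not part of the scanner page or any SAML library: a pre-parse pass that refuses any DOCTYPE, entity declaration or external entity reference before the assertion reaches the real parser, together with a length cap. It uses only the Python standard library; the SAML samples, the `MAX_SAML_BYTES` limit and the placeholder `file:///` path are constructed for the demo.

```python
"""Reject DTDs and entities before a SAML message is parsed (stdlib only).

Constructed example: SAML messages never legitimately carry a DOCTYPE, so any
DTD, entity declaration or external entity reference is treated as hostile and
the document is rejected outright instead of being resolved.
"""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Assumed limit for the demo; real deployments pick a value that fits their IdP.
MAX_SAML_BYTES = 256 * 1024


class UnsafeXMLError(ValueError):
    """Raised when an incoming document is rejected by the pre-parse checks."""


def reject_dtd_and_entities(xml_bytes: bytes) -> None:
    """Scan the document with expat and abort on the first DTD-related construct.

    Every hook raises instead of resolving anything, so external files are
    never opened and internal entities (billion laughs) are never expanded.
    """
    if len(xml_bytes) > MAX_SAML_BYTES:
        raise UnsafeXMLError(f"SAML message exceeds {MAX_SAML_BYTES} bytes")

    parser = expat.ParserCreate()
    # Never load parameter entities, the vector for out-of-band exfiltration.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in SAML messages")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration '{name}' is not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)


def parse_saml_safely(xml_bytes: bytes) -> ET.Element:
    """Run the pre-parse checks, then hand the document to ElementTree."""
    reject_dtd_and_entities(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the pre-parse pass refuses the document."""
    try:
        reject_dtd_and_entities(xml_bytes)
    except UnsafeXMLError:
        return True
    return False


# Constructed benign SAML response (minimal, unsigned, for the demo only).
BENIGN_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1">
  <saml:Assertion ID="_a1"><saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""

# Constructed hostile sample: same envelope plus a DTD declaring an external
# entity. The SYSTEM id is a placeholder path, not a real target.
HOSTILE_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo2">
  <saml:Assertion ID="_a2"><saml:Subject>
    <saml:NameID>&ext;</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""

# Constructed entity-expansion sample (internal entities only, three levels).
EXPANSION_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_demo3">&c;</samlp:Response>"""


if __name__ == "__main__":
    print("benign accepted:", not is_rejected(BENIGN_RESPONSE))
    print("external entity rejected:", is_rejected(HOSTILE_RESPONSE))
    print("entity expansion rejected:", is_rejected(EXPANSION_RESPONSE))
    print("root tag:", parse_saml_safely(BENIGN_RESPONSE).tag)
```

The check runs before the application's real parser sees the bytes, so it holds regardless of that parser's defaults; in production the same rule is what libraries such as defusedxml enforce (`forbid_dtd`), and the length cap in front of it implements the "input length limits" item without relying on the parser at all.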
