Posts

Showing posts from January, 2024

SAML Security Test Cases

- Signature Exclusion Attack: Test whether or not the SP accepts an Assertion without a Signature
- Signature Spoofing Attack: Test whether the SP accepts a fake signature, or a previously generated/invalid signature
- Signature Wrapping Attack (8 different ways): Test whether or not the SP is susceptible to Signature Wrapping
- XML Injection: Test whether malicious code can be injected into the SAML response from the IDP, allowing arbitrary code execution on the SP server
- XML Entity Expansion (XEE)/XXE: Test whether or not the SP is vulnerable to XML External Entities
- Replay attacks: Test whether a previously generated SAML response from the IDP is accepted by the SP
- Certificate Faking/Self-signed certificate: Test whether or not the SP verifies that the Assertion came from a trusted IDP / Test whether the SP accepts a self-signed certificate
- XSLT Injection: Test whether or not the SP is vulnerable to XSLT
- Predictable signature: Test whether the IDP generates a guessable signature
- SAML message expiration: Test whether the SP accepts

File Upload Security Testing Checklists

Security Checklist
- Are filenames reflected back on the page? If so, are they HTML entity encoded (XSS via file names)?
- Does it accept .zip files? Try a ZipSlip.
- If it processes an image, check for ImageTragick (CVE-2016-3714).
- Can you bypass file type restrictions by changing the content-type value?
- Can you bypass file type restrictions by forging valid magic bytes?
- Can you upload a file with a less-common extension (such as .phtml)?
- Try playing with the filename in the request, a potential vector for traversal or SQL injection.
- Check for the acceptance of double extensions on uploaded files.
- Test for null-byte injection.
- Is the server Windows? Try adding a trailing . to bypass extension blacklists; this dot will be removed automatically by the OS.
- Can you upload an SVG for XSS?
- If supported by the webserver, can you upload .htaccess files?
- Does the backend process the image with the PHP GD library?
- Is the app vulnerable to the infamous ffmpeg exploit?
- Can custom pol