SAML Security Test Cases

  1. Signature Exclusion Attack - Test whether the SP accepts an Assertion that carries no Signature.
  2. Signature Spoofing Attack - Test whether the SP accepts a fake signature, or a previously generated or otherwise invalid signature.
  3. Signature Wrapping Attack (8 different variants) - Test whether the SP is susceptible to XML Signature Wrapping.
  4. XML Injection - Test whether malicious content can be injected into the SAML response from the IDP, allowing arbitrary code execution on the SP server.
  5. XML Entity Expansion (XEE)/XXE - Test whether the SP is vulnerable to XML External Entities and entity expansion.
  6. Replay attacks - Test whether a previously generated SAML response from the IDP is accepted again by the SP.
  7. Certificate Faking/Self-signed certificate - Test whether the SP verifies that the Assertion came from a trusted IDP, and whether the SP accepts a self-signed certificate.
  8. XSLT Injection - Test whether the SP is vulnerable to XSLT injection.
  9. Predictable signature - Test whether the IDP generates guessable signatures.
  10. SAML message expiration - Test whether the SP accepts an expired SAML response from the IDP.
  11. Unencrypted communication channel - Test whether the IDP and SP communicate over a secure protocol.
  12. Session Creation - Test how the IDP and SP create sessions, e.g. check whether the same session ID is generated on every login.
  13. Permissive session ID creation - Test whether the application accepts any pre-authentication session ID (SAML token) value set by the user as valid and creates a new session for it.
  14. Session cookie security - Check that all secure cookie attributes (path, secure, HttpOnly and domain) are set.
  15. Session Fixation - Test whether the pre- and post-authentication session IDs (at the IDP and the SP) are the same.
  16. Session Timeout - Test whether the application implements a session timeout after 15 or 30 minutes of user inactivity/idle time.
  17. Session Logout - Test whether the SP and IDP invalidate session IDs after logout and do not allow them to be reused.
  18. Session Hijacking/Easily guessable session IDs - Test whether a session can be hijacked by brute force; test the randomness of the session identifier (check both the IDP and the SP).
  19. Assertion/Session invalidation after logout at SP and IDP level - Test whether the application creates a session ID from a previously created Assertion ID/session ID.
  20. CSRF - Test whether the application is vulnerable to a CSRF attack leading to session hijacking.
  21. Concurrent session IDs - Test whether multiple simultaneous sessions are allowed for a single user.
  22. Insecure usage of persistent cookies - Test whether persistent cookies are used and how they are managed, e.g. check the cookie expiry time.
  23. Sensitive details in cookie - Check whether the cookie contains sensitive details such as a USERID.
  24. Force session logout on browser window close events - Check whether the session is invalidated when the browser is closed.
  25. Invalidating the session after closing the browser tab - Check whether the application invalidates the session after the tab in which it is running is closed.
  26. Forceful Browsing/Direct URL Access - Test whether any post-authentication URLs are accessible without a session ID.
  27. Session ID sent in the request URL - Test whether the application's session ID is sent in the URL of the request, which can lead to session hijacking.
  28. Storing the session ID in the browser's local storage and clearing it after logout - Check whether the application stores the session ID in the browser's local storage, even after authentication.
  29. Manual session expiration/Logout button - Test whether a logout button is present on all post-authentication pages.
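As an added example that is not part of the original checklist, this is the validation an SP should perform on the consuming side for cases 1, 3, 5, 6, 7 and 10 above, written in Python against a constructed Response; the trusted issuer entity ID is an assumption, and the cryptographic check of the signature is left to an XML-DSig library rather than shown here:

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
# Added example, not from the original post: structural checks an SP applies
# before trusting a SAML 2.0 Response. Cryptographic verification of the
# signature is delegated to an XML-DSig library and is not shown here.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_ISSUERS = {"https://idp.example.test/metadata"}  # assumed IDP entity ID
SEEN_ASSERTION_IDS = set()  # replay cache; a real SP persists this with a TTL
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # constructed clock value

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, now):
    """Return (ok, reason); stops at the first failed check."""
    if "<!DOCTYPE" in xml_text:                        # case 5: XXE / entity expansion
        return False, "DOCTYPE not allowed"
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                           # case 3: extra top-level assertions
        return False, "expected exactly one Assertion"
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:                  # case 7: untrusted IDP
        return False, "issuer not trusted"
    sig = a.find("ds:Signature", NS)
    if sig is None:                                    # case 1: signature exclusion
        return False, "assertion is unsigned"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):   # case 3: wrapping
        return False, "signature does not cover this assertion"
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing validity window"
    if now >= _ts(cond.get("NotOnOrAfter")) or now < _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
        return False, "assertion outside validity window"  # case 10: expiry
    if a.get("ID") in SEEN_ASSERTION_IDS:              # case 6: replay
        return False, "assertion replayed"
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    return True, "ok"

# Constructed sample Response; the Signature element is structural only.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
 </saml:Assertion></samlp:Response>"""
```

Each rejection maps to one checklist case, so a test run that expects a rejection and gets "ok" points directly at the missing control.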

