Cite this article
  • Tang Luyi, Zou Yanyan, Zhao Jiaxu, Zhong Nanyu, Peng Bingwei, Huo Wei. SAMLFuzz: A SAML Protocol Fuzzing Method Targeting XML Signature Wrapping Vulnerabilities [J]. Journal of Cyber Security, accepted.
  • Tang Luyi, Zou Yanyan, Zhao Jiaxu, Zhong Nanyu, Peng Bingwei, Huo Wei. SAMLFuzz: A Fuzzing Approach for Detecting XML Signature Wrapping Vulnerabilities in SAML [J]. Journal of Cyber Security, accepted.


SAMLFuzz: A SAML Protocol Fuzzing Method Targeting XML Signature Wrapping Vulnerabilities
Tang Luyi, Zou Yanyan, Zhao Jiaxu, Zhong Nanyu, Peng Bingwei, Huo Wei
(Institute of Information Engineering, University of Chinese Academy of Sciences)
Abstract:
Single Sign-On (SSO) provides access control across multiple trusted systems through a single authentication and is a key technology in modern identity and access management. Security Assertion Markup Language (SAML), an XML-based open standard, is widely used to exchange authentication and authorization information in SSO scenarios. However, because the SAML protocol is structurally complex, semantic inconsistencies may exist between the signature verification stage and the assertion processing stage of an implementation, making it susceptible to XML Signature Wrapping (XSW) attacks that lead to serious security risks such as identity forgery or privilege escalation. To address the difficulty existing SAML fuzzing methods have in constructing high-quality test cases while keeping signatures valid, this paper proposes a SAML protocol fuzzing method targeting XML signature wrapping vulnerabilities and designs and implements the fuzzing tool SAMLFuzz. The method extracts protocol structure and content constraints from the SAML XSD specification files officially published by OASIS and builds a protocol specification constraint tree that guides and constrains the mutation process; combined with dynamic signature-scope analysis, it generates diverse XSW test cases while preserving the validity of the digital signature, thereby improving test-case effectiveness and vulnerability discovery capability. Experiments on mainstream SAML implementations such as Keycloak and Node-SAML show that SAMLFuzz significantly outperforms the existing fuzzing tools SAML Raider and WS-Attacker in both XSW vulnerability discovery capability and test-case quality. Specifically, the pre-validation pass rate of test cases generated by SAMLFuzz exceeds 90%, an average improvement of 62.28% and 52.09% over SAML Raider and WS-Attacker respectively; the signature verification pass rate reaches 100%, with average improvements of 39.29% and 59.66% respectively. In addition, SAMLFuzz found 3 known vulnerabilities and identified a new security defect in Keycloak, further validating the effectiveness and practical value of the method for detecting SAML protocol security vulnerabilities.
Keywords: Single Sign-On; SAML protocol; fuzzing; XML signature wrapping vulnerability
DOI:
Submitted: 2026-02-06; Revised: 2026-03-23
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
SAMLFuzz: A Fuzzing Approach for Detecting XML Signature Wrapping Vulnerabilities in SAML
Tang Luyi, Zou Yanyan, Zhao Jiaxu, Zhong Nanyu, Peng Bingwei, Huo Wei
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Single Sign-On (SSO) enables users to access multiple trusted systems through a single authentication process and has become a core technology in modern identity and access management. Security Assertion Markup Language (SAML), as an XML-based open standard, is widely adopted for identity authentication and authorization information exchange in SSO scenarios. However, due to the complexity of the SAML protocol and its layered processing logic, semantic inconsistencies may arise between signature verification and assertion processing during implementation. Such inconsistencies make SAML systems vulnerable to XML Signature Wrapping (XSW) attacks, which may ultimately lead to serious security consequences, including identity forgery, authentication bypass, and privilege escalation. To address the limitations of existing SAML fuzzing approaches in constructing high-quality test cases while preserving signature validity, this paper proposes a SAML fuzzing method for detecting XSW vulnerabilities and designs and implements a fuzzing tool named SAMLFuzz. The proposed method extracts protocol structure and content constraints from the OASIS-published SAML XSD specification files and constructs a protocol specification constraint tree to guide and constrain the mutation process. Meanwhile, by incorporating dynamic signature-scope analysis, it generates diverse XSW test cases while preserving the validity of digital signatures, thereby improving test-case effectiveness and vulnerability discovery capability. Experiments on mainstream SAML implementations, including Keycloak and Node-SAML, demonstrate that SAMLFuzz significantly outperforms existing fuzzing tools, namely SAML Raider and WS-Attacker, in both XSW vulnerability detection capability and test-case quality. Specifically, the generated test cases achieve a pre-validation pass rate of over 90%, representing average improvements of 62.28% and 52.09% over SAML Raider and WS-Attacker, respectively; the signature verification pass rate reaches 100%, with average improvements of 39.29% and 59.66%, respectively. In addition, SAMLFuzz successfully discovers three known vulnerabilities and identifies a new security flaw in Keycloak, further demonstrating the effectiveness and practical value of the proposed method for security testing of SAML implementations.
Key words:  Single Sign-On  SAML  fuzzing  XML signature wrapping (XSW)
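An added example (not from the paper and not SAMLFuzz code), in stdlib-only Python, of the verifier-side inconsistency the abstract describes: the assertion a service provider consumes must be the very node that the signature's own Reference URI resolves to, not the first Assertion found in document order. Digest and key verification are out of scope here; the ds:Signature in the constructed sample is a structural stand-in, and the function and element names are the example's own.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signed_element(root):
    """Resolve the single enveloped ds:Signature's Reference URI to exactly one element.
    Any ambiguity (several signatures or references, non-local URI, duplicate IDs) is rejected."""
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one ds:Signature, found %d" % len(sigs))
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise ValueError("expected exactly one ds:Reference")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document ID references are accepted")
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:
        raise ValueError("ID %r must resolve to exactly one element" % uri[1:])
    return targets[0]

def naive_assertion(root):
    """Vulnerable pattern: the assertion is located independently of what the signature covers."""
    return root.find(".//saml:Assertion", NS)

def hardened_assertion(root):
    """Consume only the element the signature actually covers, and require it to be an Assertion."""
    target = signed_element(root)
    if target.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("signature does not cover a saml:Assertion")
    return target

def consistent(xml_text):
    """True when both strategies pick the same node; False is the inconsistency SAMLFuzz hunts for."""
    root = ET.fromstring(xml_text)
    return naive_assertion(root) is hardened_assertion(root)

def sample_response(extra_assertion_first=False):
    """Constructed input; the ds:Signature here is a structural stand-in with no real digest or key."""
    signed = ('<saml:Assertion ID="a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
              '<ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>'
              '</saml:Assertion>')
    other = '<saml:Assertion ID="a2"><saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion>'
    body = (other if extra_assertion_first else "") + signed
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], NS["ds"], body))
```

`consistent(sample_response())` returns True; with `extra_assertion_first=True` it returns False, because the first Assertion in document order is not the one the signature covers, which is exactly the disagreement a fuzzer's test-case oracle looks for.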