
Difference between revisions of "GSoC2013 Ideas/OWASP ZAP SAML Support"

Revisions compared: "(updated week 2's progress)" to "(updated the weekly progress)"; 9 intermediate revisions by the same user not shown.

Sections present in the earlier revision only

Project Goals, Scope and Deliverables

As listed in the OWASP GSoC 2013 ideas page and as per discussion with the possible mentor, the following is the goal for this project.

Develop a component that enables ZAP to

  • Understand SAML messages
  • Detect SAML Assertions in HTTP requests and responses
  • Decode SAML Assertions
  • Fuzz various entities and attributes within a SAML assertion
  • Re-encode the assertion and send it forward to the final destination

Scope and Constraints

The component will be developed only for the HTTP POST and HTTP Redirect bindings.

Deliverables

The following deliverables are expected as the outcome of the project.

  • A component integrated into ZAP that can achieve the goal described above.
  • The source code for the component, committed to the ZAP project's code base
  • The relevant documentation for the users and the developers who will be using this component

Implementation Plan

The requirements of this project are to identify a SAML request/response, decode it to get the assertions, give the user the ability to fuzz the request, and re-encode the modified assertion as a SAML request sent to the desired endpoint. Here is a high-level diagram to demonstrate the sequence.

(Diagram: flow.png)

Identifying SAML Request/Response

This will be done as specified in the SAML 2.0 Bindings specification. In the scope of the project this will be done as follows:

  • HTTP Redirect: SAML messages are deflated, base64-encoded and URL-encoded as the value of the parameter "SAMLRequest" or "SAMLResponse", depending on whether it is a request or a response.
  • HTTP POST: SAML messages are base64-encoded and submitted as the value of the POST parameter "SAMLRequest" or "SAMLResponse", depending on whether it is a request or a response.

The identification will be based on the above: if any request/response has one of these parameters set, it will be identified as a SAML request/response.

Detecting SAML Assertions

The SAML messages identified will be decoded and parsed to get the SAML assertions.

Modifying SAML Assertions

Automatically replacing values for SAML assertion attributes with user-supplied values

After the identification and decoding of the SAML assertions, the values of certain attributes, such as (but not limited to) Subject and Conditions, will be replaced by values pre-defined by the user. This makes near-real-time attacks possible, such as privilege escalation by changing the identifier of the subject, or extending or re-using an old assertion by changing the Conditions on the assertion.

Fuzzing the entities and attributes of a SAML message

After the identification and decoding of the SAML assertions, the users will be given the ability to fuzz the entities and attributes of the SAML message. They may use the existing fuzzers or new SAML-specific fuzzers implemented as necessary.

XSW Signature Exclusion Attack

After the identification and decoding of the SAML assertions, the signature element of the assertion will be removed, and the assertion re-encoded and sent forward to simulate an XSW signature exclusion attack.

Re-encoding assertions

The SAML message with fuzzed attributes will be prepared as follows:

  • HTTP Redirect: the SAML message will be rebuilt, then deflated and base64-encoded, and added as a URL-encoded parameter value.
  • HTTP POST: the SAML message will be rebuilt, then base64-encoded and added as a POST parameter value.
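The HTTP Redirect and HTTP POST bindings described above, together with the assertion-signature check behind the signature exclusion section, as an added Python example that is not the ZAP SAML extension's own (Java) code: it finds the SAMLRequest/SAMLResponse parameter, decodes and re-encodes it per binding, and reports whether every Assertion carries its own ds:Signature, so a tester can confirm what a message looked like before and after editing. The sample Response XML is constructed, and the names `inspect_request`, `decode_saml`, `encode_saml` and `assertion_is_signed` are this example's own.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAML_PARAMS = ("SAMLRequest", "SAMLResponse")
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample response (not a real IdP message); the signature value is a placeholder.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)

def decode_saml(value, binding):
    """Decode a message carried by the HTTP Redirect or HTTP POST binding.
    Redirect: URL-encode(base64(raw DEFLATE(xml))); POST: base64(xml)."""
    if binding == "redirect":
        raw = base64.b64decode(urllib.parse.unquote(value))  # unquote is a no-op on an already URL-decoded value
        return zlib.decompress(raw, -15).decode("utf-8")     # wbits=-15: raw DEFLATE, no zlib header
    if binding == "post":
        return base64.b64decode(value).decode("utf-8")
    raise ValueError("unsupported binding: " + binding)

def encode_saml(xml, binding):
    """Inverse of decode_saml: rebuild the parameter value for the given binding."""
    data = xml.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # raw DEFLATE, as the Redirect binding requires
        deflated = comp.compress(data) + comp.flush()
        return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")
    if binding == "post":
        return base64.b64encode(data).decode("ascii")
    raise ValueError("unsupported binding: " + binding)

def assertion_is_signed(xml):
    """True only if the message has at least one Assertion and every Assertion carries a
    ds:Signature as a direct child (a signature on the Response element is not counted)."""
    assertions = list(ET.fromstring(xml).iter("{%s}Assertion" % SAML_NS))
    return bool(assertions) and all(
        a.find("{%s}Signature" % DS_NS) is not None for a in assertions)

def inspect_request(params, binding):
    """Identify the SAML parameter in a request's parameters, decode it and report whether
    the assertion is signed; returns None when the request carries no SAML message."""
    for name in SAML_PARAMS:
        if name in params:
            xml = decode_saml(params[name], binding)
            return {"param": name, "xml": xml, "assertion_signed": assertion_is_signed(xml)}
    return None
```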

Latest revision as of 19:39, 20 September 2013

Student : Pulasthi Mahawithana
Mentors : Prasad Shenoy, Kevin Wall

Introduction

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is open-source under Apache License 2.0 and widely used by the computer security community.

SAML is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal between a SAML authority (an identity provider), and a SAML consumer (a service provider). It enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO).

The objective of this project is to develop a component for ZAP that detects and fuzzes various elements and attributes of a SAML Assertion.


Project Goals, Scope and Deliverables, Implementation Plan

Please refer to the GSoC proposal (http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/pulasthi7/19001) for the project idea.


Project Code, Documentation

Development will be done in an external code repository hosted at GitHub: https://github.com/pulasthi7/zap-saml-extension

Pre-Releases

  • 0.1-alpha (https://github.com/pulasthi7/zap-saml-extension/releases/tag/0.1a), Jul 29, 2013
  • 0.2-alpha (https://github.com/pulasthi7/zap-saml-extension/releases/tag/0.2a), Aug 12, 2013
  • 1.0-alpha (https://github.com/pulasthi7/zap-saml-extension/releases/tag/v1.0-alpha), Sep 20, 2013


Project Progress

Community bonding period (before 17th June)

Agreed to have video conference twice a week on Monday and Thursday to discuss the project progress and any issues that may occur.

  • Clarification of project idea
  • Read the SAML specs to get familiar with SAML standards and usages
  • Identifying the use cases that need to be implemented
  • Setting up the development environment.


Week 1 (17th June - 23rd June)

Week's progress

  • Finalizing the use cases
  • Setting up the Third party applications to generate SAML requests/responses
  • Intercepting the SAML requests/responses from ZAP and get familiar with the parameters
  • Studying on ZAP core and extensions to start the coding


Plans for next week

  • Intercept the requests and responses and log them to console/file


Week 2 (24th June - 30th June)

Week's progress

  • Created a project at GitHub for the development of the extension at https://github.com/pulasthi7/zap-saml-extension
  • Created a passive scanner to intercept and log SAML requests/responses in their raw values
  • Wrote a component that can decode the SAMLRequest/SAMLResponse parameters in an HTTP request
  • Updated the passive scanner to log the decoded SAML messages to the console
  • Studied on the ZAP's extension API

Plans for next week

  • Design the UI for the extension
  • Provide ability to view SAML messages in a GUI in readable XML format


Week 3 (1st July - 7th July)

Week's progress

  • Created a UI for resending requests
  • Added a hook to show the Extension Resender UI
  • Added the ability to show the parameters and decoded SAML request in the resender UI

Plans for next week

  • Implement Resend ability to the resender
  • Parse and show the SAML parameters one by one and provide the ability to change parameters independently (Easier way than changing the whole message)


Week 4 (8th July - 14th July)

Week's progress

  • Worked on implementing the resender
  • Designed mock UI for the active mode request editor

Plans for next week

  • Finish the passive request resender
  • Start the implementation of active request editor/resender.


Week 5 (15th July - 21st July)

Week's progress

  • Study on OpenSAML libraries
  • Added the ability to view attribute name and value pairs for some frequently occurring attributes of SAML Auth requests
  • Faced an issue with packaging external libraries

Plans for next week

  • Solve the issue with packaging the libraries
  • Implement sending functionality for changed request
  • Provide the ability to dynamically update attribute values and SAML message when either one changes
  • Implement the ability to parse different SAML message types


Week 6 (22nd July - 28th July)

Week's progress

  • Got the issue with packaging the libraries fixed.
  • Reset the development environment which was reverted to solve the packaging issue
  • Added sending functionality for changed SAML message and retrieve the response
  • Added the ability to update the SAML message/ Attributes dynamically on change of either.
  • Added the ability to parse, view and edit SAML Response type messages
  • Added a pre-release version (0.1-alpha) with the current progress. Source and binary are available at the temporary GitHub repository: https://github.com/pulasthi7/zap-saml-extension/releases/tag/0.1a

Plans for next week

  • Implement automatic attribute changing and resending
  • Implement UI to set the automatic attribute changer settings


Week 7 (29th July - 4th August)

Week's progress

  • Implemented the UIs for automatic attribute changer settings

Plans for next week

  • Implement automatic attribute changing and resending
  • Implement passive SAML request scanner to edit the requests
  • Add the ability to save/load the configurations


Week 8 (05th August - 11th August)

Week's progress

  • Implemented predefined automatic attribute changing and sending to endpoint
  • Implemented the passive scanner to intercept the SAML messages to edit them
  • Added the ability to save/load configurations to files for later use

Plans for next week

  • Bug fixes for the passive scanner component
  • Prepare presentation for AppSec EU


Week 9 (12th August - 18th August)

Week's progress

  • Prepared presentation for AppSec EU
  • Some bug fixing for passive scanner component

Plans for next week

  • Start working on the XSW attack implementation
  • Add support to change relay state parameter


Week 10 (19th August - 25th August)

Week's progress

  • Research on XSW attacks
  • Testing the SPs against signature exclusions

Plans for next week

  • Implement and integrate XSW attack ability to extension
  • Add support to change relay state parameter
  • Start on testing the extension


Week 11 (26th August - 01st September)

Week's progress

  • Changed the extension to use JAXP and XPath to change the attribute values (Removing OpenSAML dependency)
  • Combined the extension configurations to save to/ load from a single xml file.
  • Introduced type validation for attributes when changing their values (e.g. String, Integer, TimeStamp)
  • Started on unit and integration testing

Plans for next week

  • Write unit tests and integration tests
  • Update XSW attack ability to new architecture
  • Add support to change relay state parameter


Week 12 (02nd September - 08th September)

Week's progress

  • Started on writing tests for extension
  • Added XSW attack ability

Plans for next week

  • Improve test coverage
  • Add support to change relay state
  • Allow setting various configurations related to the extension
  • Code clean up



Week 13 (09th September - 15th September)

Week's progress

  • Added more unit/integrations tests
  • Added support to change relay state
  • Added the ability to change various configurations
  • Some Bug fixes/ UI fixes and clean up

Plans for next week

  • Clean up the code
  • Compose the documentation