Start the standard SAML authentication flow with the Identity Provider.
Practice bypassing the Identity Provider's verification mechanisms.
Challenge yourself with various Service Provider bypass techniques and vulnerabilities.
🟢 Easy: Replay Attacks
These verifiers have missing or incomplete ID verification, making them vulnerable to replay attacks.
💡 CTF Hint: Log in as "attacker" on the IdP, then reuse the same SAML response multiple times to trigger the replay detection.
🟡 Medium: Token Recipient Confusion (TRC)
These verifiers lack proper destination validation, allowing tokens to be replayed across different services.
TRC Attack Scenario:
- Scenario: You have successfully registered a malicious SP at the honest IdP (a link to it is provided on this page).
- Step 1: You will simulate a victim clicking on that link. Only in this TRC scenario are you allowed to log in as the victim, e.g. because the victim wants to win a prize. After the victim has authenticated on the IdP, your malicious SP receives the SAMLResponse. 💡 Tip: Right-click the malicious SP link and open it in a new Private/Incognito tab.
- Step 2: Your goal is to copy and reuse this SAMLResponse to log in as the victim on the honest SP below.
- Success: The TRC attack succeeds when you authenticate as "victim" with that SAMLResponse.
💡 CTF Hint: The malicious SP receives tokens intended for attacker.localhost - replay these tokens to the honest SP (sp.localhost) to bypass destination validation.
🟡 Medium: Signature Bypasses
These verifiers have weaknesses in the signature verification.
💡 CTF Hint: Log in as "attacker" on the IdP. Remove or modify the signature elements in the SAML response to access user "sigbypass1" or "sigbypass2" respectively.
💡 CTF Hint: In SigBypass 3, log in as "attacker" on the IdP. Modify the message to access user "acker".
🔴 Hard: XML Signature Wrapping (XSW)
These verifiers are vulnerable to XSW attacks where XML structure manipulation bypasses signature verification.
💡 CTF Hint: Log in as "attacker" on the IdP. Apply XSW attack techniques to the SAML response. Goal: Get access to user "xsw1", "xsw2", "xsw3", or "xsw4" respectively.
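All four challenge classes above (replay, TRC, signature bypass, XSW) come down to checks the weak verifiers skip. The following is an added example, not code from the CTF or its verifiers, showing the structural checks a hardened Service Provider performs on a SAMLResponse: a replay cache of consumed assertion IDs, Destination/Recipient/Audience bound to this SP, a Signature whose Reference covers the assertion actually consumed, and rejection of responses with more than one top-level Assertion. It assumes the cryptographic XML-DSig verification itself is done by a real library (e.g. xmlsec) before these checks run; the sample responses, URLs (sp.localhost / attacker.localhost are from the page, the paths are constructed) and the `make_response` builder are constructed test data.

```python
"""Structural SAMLResponse checks for a hardened Service Provider (added example).

Assumption: the XML-DSig signature is cryptographically verified elsewhere.
This code only enforces the bindings the weak CTF verifiers are missing.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Constructed "current time" so the sample NotOnOrAfter values are still valid.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _ts(value):
    # SAML timestamps are UTC ISO-8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, acs_url, audience, now, seen_ids):
    """Return a list of rejection reasons; an empty list means accept.

    seen_ids is the SP's replay cache (a set); an accepted ID is added to it.
    """
    reasons = []
    root = ET.fromstring(xml_text)

    # XSW: exactly one Assertion, and it must be a direct child of the Response.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one top-level Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    aid = assertion.get("ID")
    if not aid:
        return ["Assertion has no ID"]

    # Signature bypass / XSW: the signature must exist and its Reference must
    # point at this very assertion (URI="#<ID>"), not at some other element.
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None:
        reasons.append("assertion is not signed")
    elif ref.get("URI") != f"#{aid}":
        reasons.append(f"signature reference {ref.get('URI')!r} does not cover assertion {aid!r}")

    # TRC: Destination, Recipient and Audience must all name this SP.
    if root.get("Destination") != acs_url:
        reasons.append(f"Destination {root.get('Destination')!r} is not this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            reasons.append(f"Recipient {scd.get('Recipient')!r} is not this SP")
        if scd.get("NotOnOrAfter") is None or _ts(scd.get("NotOnOrAfter")) <= now:
            reasons.append("SubjectConfirmationData expired or has no NotOnOrAfter")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:
        reasons.append("Audience does not name this SP")

    # Replay: each assertion ID may be consumed once; only accepted IDs are cached.
    if aid in seen_ids:
        reasons.append(f"assertion {aid!r} was already consumed (replay)")
    if not reasons:
        seen_ids.add(aid)
    return reasons


def make_response(dest, recipient, audience, aid="_a1", signed=True,
                  signed_id=None, extra_assertion=False):
    """Build a constructed sample Response (test data, no real signature value)."""
    signed_id = aid if signed_id is None else signed_id
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
           f'<ds:Reference URI="#{signed_id}"/></ds:SignedInfo></ds:Signature>')

    def assertion(i, with_sig):
        return (f'<saml:Assertion ID="{i}">{sig if with_sig else ""}'
                f'<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData '
                f'Recipient="{recipient}" NotOnOrAfter="2030-01-01T00:00:00Z"/>'
                f'</saml:SubjectConfirmation></saml:Subject>'
                f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
                f'</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

    body = assertion(aid, signed)
    if extra_assertion:  # a second, unsigned assertion smuggled in (XSW-style)
        body += assertion("_evil", False)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{dest}">{body}</samlp:Response>')


if __name__ == "__main__":
    SP, AUD, seen = "https://sp.localhost/acs", "https://sp.localhost", set()
    good = make_response(SP, SP, AUD)
    print("first use:", validate_response(good, SP, AUD, SAMPLE_NOW, seen))
    print("replayed:", validate_response(good, SP, AUD, SAMPLE_NOW, seen))
    trc = make_response("https://attacker.localhost/acs", "https://attacker.localhost/acs", AUD, aid="_a2")
    print("TRC:", validate_response(trc, SP, AUD, SAMPLE_NOW, seen))
```

The replay cache is only written on acceptance, so a rejected token cannot poison it, and the cache must be shared across SP instances (and pruned by NotOnOrAfter) in a real deployment. The Reference-URI check is what defeats wrapping: even with a valid signature somewhere in the document, the SP consumes only the element the signature actually covers.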
