SAML Consumer Service External Dereference SSRF - Vulnerability Database

Description

The application's SAML Consumer Service improperly processes SAML assertions containing external references in KeyInfo elements, such as RetrievalMethod. This allows unauthenticated attackers to craft malicious SAML responses that force the server to retrieve content from attacker-specified URLs or local file paths. The vulnerability enables Server-Side Request Forgery (SSRF) attacks by exploiting the XML signature validation process.

Remediation

Disable external entity resolution and URL dereferencing in the SAML XML parser configuration. Implement the following security controls:

1. Configure XML Parser Security Settings:
Disable external entity processing and URL dereferencing in your SAML library. For example, when using common SAML libraries:

// Java (using OpenSAML 3/4): harden the parser pool before it is used
import java.util.HashMap;
import java.util.Map;
import org.opensaml.core.xml.parse.BasicParserPool;

BasicParserPool parserPool = new BasicParserPool();
parserPool.setIgnoreComments(true);
parserPool.setExpandEntityReferences(false);
Map<String, Boolean> features = new HashMap<>();
// These SAX/Xerces features stop the parser itself from fetching external entities or a DTD;
// RetrievalMethod handling in KeyInfo is covered separately in step 2.
features.put("http://xml.org/sax/features/external-general-entities", false);
features.put("http://xml.org/sax/features/external-parameter-entities", false);
features.put("http://apache.org/xml/features/disallow-doctype-decl", true);
parserPool.setBuilderFeatures(features);
parserPool.initialize(); // features only take effect once the pool is initialized (throws ComponentInitializationException)

# Python (using python3-saml)
import defusedxml.ElementTree as ET  # parser that refuses DTDs, entity expansion and external references
from onelogin.saml2.settings import OneLogin_Saml2_Settings

# settings_dict holds your SP/IdP configuration (the usual python3-saml settings structure)
settings = OneLogin_Saml2_Settings(settings_dict)
# Strict mode: messages that fail schema, signature or condition checks are rejected
settings.set_strict(True)

# Before handing the decoded SAMLResponse to the library, parse it with defusedxml so that
# a DOCTYPE or entity declaration raises (DTDForbidden / EntitiesForbidden) instead of being honoured
root = ET.fromstring(raw_saml_response, forbid_dtd=True)

2. Restrict RetrievalMethod Processing:
Configure your SAML implementation to reject or ignore RetrievalMethod elements in KeyInfo sections of SAML assertions.

3. Implement Allow-listing:
If external references are absolutely required, implement strict allow-listing of permitted URLs and protocols (e.g., only HTTPS to specific trusted domains).

4. Network Segmentation:
Apply network-level controls to prevent the application server from accessing internal resources or sensitive metadata endpoints (e.g., 169.254.169.254 for cloud metadata).
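The four controls above can be enforced together as a single screening step that runs before the SAML response reaches the signature library. The following is an added example written for this entry (it is not code from the vulnerability database or from python3-saml); the trusted host name idp.example.com and the two sample responses are constructed for illustration. It refuses DTDs (step 1), reports every RetrievalMethod in KeyInfo (step 2) unless an explicit allow-list of HTTPS-only trusted hosts accepts it (step 3), and rejects raw IP literals so link-local metadata addresses such as 169.254.169.254 can never pass even if the network controls of step 4 are misconfigured. As a generalisation beyond the description, it also reports Signature Reference URIs that are not same-document, since the signature layer dereferences those the same way.

```python
"""Screen a SAML Response for external references in XML Signature KeyInfo
before it is handed to the signature library.  Added example for this entry;
not code from the vulnerability database or from python3-saml.  The trusted
host and the sample documents below are constructed for illustration."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical allow-list (step 3): the IdP's own host is the only origin a
# reference may point at, and only over HTTPS.
TRUSTED_HOSTS = {"idp.example.com"}


class SamlRejected(Exception):
    """Raised when a response must not proceed to signature validation."""


def parse_saml(xml_bytes: bytes) -> ET.Element:
    """Step 1: parse with DTDs refused.  In production use defusedxml, which
    rejects DOCTYPE and entity declarations for you; the stdlib parser used
    here still expands internal entities, so any DTD is refused up front."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise SamlRejected("DTD or entity declaration in SAML message")
    return ET.fromstring(xml_bytes)


def reference_allowed(uri: str, allow_list=TRUSTED_HOSTS) -> bool:
    """Step 3: a reference is permitted only if it is HTTPS to a named trusted
    host.  Raw IP literals are refused so link-local metadata (169.254.169.254)
    and loopback addresses can never pass, whatever the allow-list says."""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    try:
        ipaddress.ip_address(parsed.hostname)
        return False
    except ValueError:
        pass  # not an IP literal; fall through to the host allow-list
    return parsed.hostname.lower() in allow_list


def external_references(root: ET.Element) -> list:
    """Collect every URI a signature library might dereference: RetrievalMethod
    inside KeyInfo (the element named in the description) and, as an added
    generalisation, Signature Reference URIs that are not same-document."""
    found = []
    for rm in root.iter(f"{{{DS_NS}}}RetrievalMethod"):
        found.append(("RetrievalMethod", rm.get("URI", "")))
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        if uri and not uri.startswith("#"):
            found.append(("Reference", uri))
    return found


def screen_response(xml_bytes: bytes, allow_external: bool = False) -> list:
    """Return the (element, URI) pairs that violate policy.  With
    allow_external=False (step 2) every external reference is a violation;
    with True only those failing the allow-list are reported."""
    root = parse_saml(xml_bytes)
    return [(kind, uri) for kind, uri in external_references(root)
            if not (allow_external and reference_allowed(uri))]


# Constructed sample: the assertion's KeyInfo asks the SP to fetch the signing
# key from the cloud metadata endpoint and from a local file.
UNSAFE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:RetrievalMethod URI="http://169.254.169.254/latest/meta-data/"/>
        <ds:RetrievalMethod URI="file:///etc/hostname"/>
      </ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a reference that the allow-list policy accepts.
SAFE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2">
  <ds:Signature><ds:KeyInfo>
    <ds:RetrievalMethod URI="https://idp.example.com/keys/signing.pem"/>
  </ds:KeyInfo></ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    print(screen_response(UNSAFE_RESPONSE))                    # both references reported
    print(screen_response(SAFE_RESPONSE))                      # reject-all policy (step 2)
    print(screen_response(SAFE_RESPONSE, allow_external=True)) # allow-list policy (step 3): []
```

Run the screen on the raw SAMLResponse after base64 decoding and before any signature check; a non-empty result should be logged with the offending URI and the response discarded, which also gives the SOC a clean detection signal for attempts against this weakness.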
