Novel SAML Authentication Bypass Techniques Disclosed by PortSwigger Research
PortSwigger Research reveals new authentication bypass techniques in Ruby and PHP SAML implementations, exploiting parser inconsistencies to bypass XML signature validation.

PortSwigger Research has disclosed a set of novel authentication bypass techniques targeting SAML implementations in Ruby and PHP. The vulnerabilities, detailed in a new paper titled "The Fragile Lock," exploit parser-level inconsistencies including attribute pollution, namespace confusion, and a new class of Void Canonicalization attacks. These techniques allow attackers to completely bypass XML Signature validation while presenting a perfectly valid SAML document to the application.
The research, presented at Black Hat, demonstrates how attackers can achieve a full authentication bypass without needing a valid signed SAML assertion from an identity provider. Instead, they reuse any XML document signed with the IdP's private key, exploiting flaws in the server's signature-verification logic. The paper includes a demo of the attack on a vulnerable GitLab EE 17.8.4 instance.
At the core of the issue is the reliance on multiple XML parsers (REXML and Nokogiri in Ruby, with a similar split in PHP) for different parts of the validation process. This architectural flaw allows XML Signature Wrapping (XSW) attacks, where an attacker injects a malicious assertion into a legitimate SAML response. The signature verification module validates the legitimate portion, while the SAML processing logic consumes the attacker's injected assertion, leading to privilege escalation.
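The defensive counterpart to the split-parser problem described above is to locate the signed element and the consumed assertion with one parser and one tree, and to refuse the document unless they are the same node. The following is an added example written for this article; it is not code from ruby-saml, GitLab, or PortSwigger's toolkit. It assumes a deliberately narrow policy (the relying party only trusts an assertion that is itself the target of the signature's Reference URI), leaves the cryptographic check of the signature to a separate step run on that same node, and uses two constructed SAML responses with placeholder signature values as input.

```ruby
# Added example: a structural guard against XML Signature Wrapping (XSW).
# Assumptions (not from the paper): a single REXML tree is used for both the
# Reference lookup and the assertion the application consumes; the signature
# bytes themselves are verified elsewhere on the element this function returns.
require 'rexml/document'

NS = {
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

# Returns the one Assertion element the application may trust, or nil when
# the document's structure does not bind the signature to that assertion.
def signed_assertion(xml)
  doc = REXML::Document.new(xml)

  # XSW smuggles a second assertion next to the signed one; allow only one.
  assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
  return nil unless assertions.size == 1
  assertion = assertions.first

  # Exactly one Signature/Reference, and it must be a same-document '#id' URI.
  refs = REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', NS)
  return nil unless refs.size == 1
  uri = refs.first.attributes['URI'].to_s
  return nil unless uri.start_with?('#')
  id = uri[1..-1]
  # Restrict the id to NCName-like characters before interpolating into XPath.
  return nil unless id.match?(/\A[A-Za-z_][\w.\-]*\z/)

  # The id must resolve to exactly one element anywhere in the document (no
  # duplicate-ID tricks), and that element must be the node we will consume.
  owners = REXML::XPath.match(doc, "//*[@ID='#{id}']")
  return nil unless owners.size == 1 && owners.first.equal?(assertion)
  assertion
end

# Reads the subject from an already-validated assertion.
def subject_name(assertion)
  REXML::XPath.first(assertion, './saml:Subject/saml:NameID', NS)&.text
end

# Constructed sample: one assertion, referenced by its own enveloped signature.
LEGIT_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the signed assertion is moved aside and an unsigned one
# is added, which is the shape of the wrapping attack the article describes.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
    <samlp:Extensions>
      <saml:Assertion ID="_a1">
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
          <ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue>
        </ds:Signature>
      </saml:Assertion>
    </samlp:Extensions>
    <saml:Assertion ID="_a2">
      <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $0
  puts "legit   -> #{subject_name(signed_assertion(LEGIT_RESPONSE)).inspect}"
  puts "wrapped -> #{signed_assertion(WRAPPED_RESPONSE).inspect}"
end
```

The important design choice is that `signed_assertion` never hands the caller an element it found through a different lookup than the one the signature reference resolved to: the object returned is the same REXML node that the Reference URI selected, so there is no second parse in which the two views of the document could diverge.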
The paper uses the Ruby-SAML library as a case study, showing that security patches (versions 1.12.4 and 1.18.0) that added DTD and well-formedness checks were insufficient. The underlying architecture remains fragile, and the researchers introduce new attack vectors that bypass these fixes. The Void Canonicalization technique, for example, exploits discrepancies in how parsers handle canonicalization, allowing attackers to craft documents that appear valid to one parser but malicious to another.
PortSwigger has released an open-source toolkit designed to identify and analyze discrepancies between XML parsers, enabling the discovery of authentication bypasses with minimal requirements. The researchers emphasize that secure authentication cannot happen by accident and that keeping protocols like SAML safe requires coordinated, ongoing effort from the entire security community.
The findings highlight the persistent challenges in securing legacy authentication standards built on outdated XML technology. As SAML remains widely used across enterprises and cloud services, these vulnerabilities pose a significant risk. The paper provides detailed exploitation methods and defenses, urging developers to adopt more robust validation practices and consider moving to modern authentication protocols.