Java

Made by DeepSource

SAML comment parsing should be disabled JAVA-S1062

Security
Critical
a06 a07 cwe-287 sans top 25 owasp top 10 cwe-1390

Parsing of XML comments in SAML messages should be disabled in applications using OpenSAML2.

SAML exchanges authentication responses as XML. Because of the way various libraries handle XML comments while parsing, an authentication response can be altered so that an attacker gains unauthorized access to another user's account. Applications that rely on SAML should therefore always configure the parser so that comments are ignored.

Bad Practice

```java
BasicParserPool basicPool = new BasicParserPool();
basicPool.setIgnoreComments(false);
```

Recommended

In OpenSAML 2.0, every ParserPool implementation ignores comments by default. Simply remove any statement that explicitly enables comment parsing, such as the `setIgnoreComments(false)` call above, from the source.
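To show what the setting actually changes, here is an added example (not from this rule page or from OpenSAML) that drives the JDK's JAXP parser, which is what OpenSAML's ParserPool configures underneath, with comment parsing enabled and disabled; the NameID fragment and the `isSingleTextNode` check are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SamlCommentParsingDemo {

    // Constructed sample: a NameID whose text is interrupted by an XML comment.
    static final String NAME_ID_XML =
        "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
        + "alice@example.com<!-- comment -->.example.org"
        + "</saml:NameID>";

    // Parse with the JDK parser that OpenSAML's ParserPool configures under the hood.
    // ignoreComments=false mirrors the Bad Practice above; true is the default, hardened setting.
    static Element parseNameId(boolean ignoreComments) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setIgnoringComments(ignoreComments); // the setting this rule is about
        byte[] bytes = NAME_ID_XML.getBytes(StandardCharsets.UTF_8);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(bytes)).getDocumentElement();
    }

    // Defensive check (constructed for this example): a NameID must be exactly one text node.
    // With comments retained the element has three children (text, comment, text), so code
    // that reads only the first text node sees a truncated identifier; with comments ignored
    // the parser merges the surrounding text into a single node.
    static boolean isSingleTextNode(Element e) {
        return e.getChildNodes().getLength() == 1
            && e.getFirstChild().getNodeType() == Node.TEXT_NODE;
    }

    public static void main(String[] args) throws Exception {
        for (boolean ignore : new boolean[] {false, true}) {
            Element nameId = parseNameId(ignore);
            System.out.println("ignoringComments=" + ignore
                + " children=" + nameId.getChildNodes().getLength()
                + " firstChild='" + nameId.getFirstChild().getNodeValue() + "'"
                + " textContent='" + nameId.getTextContent() + "'"
                + " acceptable=" + isSingleTextNode(nameId));
        }
    }
}
```

Keeping the parser's default (comments ignored) and rejecting identifiers that are not a single text node covers both the parser configuration and the application code that reads the value.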

References