Skip to content
Snippets Groups Projects
Pavel Břoušek's avatar
Pavel Břoušek authored
authorization

See merge request !2
ef71c251
History
Name Last commit Last update
nuclei-templates
README.md

sp_nuclei_test

nuclei templates for testing SAML service providers.

Requirements

nuclei

You can run nuclei in multiple ways. The most common ones are directly on your machine (using go) or inside a docker container.

go

Install newest version of Go. The version included in your Linux distribution might not be current enough.

Then install nuclei.

You will run nuclei simply by calling nuclei (see below).

docker

Install docker and make sure that you can call docker in your terminal.

You will run nuclei by executing:

docker run --rm -v ./:/app/ projectdiscovery/nuclei # ...

conformance IdP

You need to setup a conformance IdP, with a module developed for SAML signature validation testing.

Then you need to connect SPs to the conformance IdP (exchange metadata), so that regular SAML authentication works.

Usage

Run against one target:

nuclei -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
    -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30

or using docker:

docker run --rm -v ./:/app/ projectdiscovery/nuclei -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
    -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30

where

  • ACS_URL_HERE is the assertion consumer service endpoint URL
  • ENTITY_ID_HERE is the entity ID of the SP
  • AUTHORIZATION_HERE is the authorization header, e.g. Bearer abcd...789

It is expected that the SP will return HTTP code 200/302/303 on success and a different HTTP code on failure (e.g. when SAML response is not signed).

Limitations

  • templates are only usable with the conformace IdP
    • testing cannot be run in parallel for the same entity ID
  • only HTTP-POST binding is currently supported
  • nuclei has to be invoked individually for each target (for each entity ID)
  • only SPs which accept unsolicited logins (IdP-initiated) can be tested