sp_nuclei_test
nuclei templates for testing SAML service providers.
Requirements
nuclei
You can run nuclei in multiple ways. The most common ones are directly on your machine (using go) or inside a docker container.
go
Install newest version of Go. The version included in your Linux distribution might not be current enough.
Then install nuclei.
You will run nuclei simply by calling nuclei
(see below).
docker
Install docker and make sure that you can call docker
in your terminal.
You will run nuclei by executing:
docker run --rm -v ./:/app/ projectdiscovery/nuclei # ...
conformance IdP
You need to setup a conformance IdP, with a module developed for SAML signature validation testing.
Then you need to connect SPs to the conformance IdP (exchange metadata), so that regular SAML authentication works.
Usage
Run against one target:
nuclei -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
-duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30
or using docker:
docker run --rm -v ./:/app/ projectdiscovery/nuclei -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
-duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30
where
-
ACS_URL_HERE
is the assertion consumer service endpoint URL -
ENTITY_ID_HERE
is the entity ID of the SP -
AUTHORIZATION_HERE
is the authorization header, e.g.Bearer abcd...789
It is expected that the SP will return HTTP code 200/302/303 on success and a different HTTP code on failure (e.g. when SAML response is not signed).
Limitations
- templates are only usable with the conformace IdP
- testing cannot be run in parallel for the same entity ID
- only
HTTP-POST
binding is currently supported - nuclei has to be invoked individually for each target (for each entity ID)
- only SPs which accept unsolicited logins (IdP-initiated) can be tested