SAML Consumer Service KeyInfo RetrievalMethod SSRF

Severity: Medium
Summary

Invicti detected a [Possible] SAML Consumer Service KeyInfo RetrievalMethod SSRF in the target application. It captured a DNS request made to {SSRFRESPONDER}, but was unable to confirm the vulnerability.

The web application uses SAML. Its SAML Consumer Service accepts KeyInfo elements that reference remote servers or local files through RetrievalMethod. An unauthenticated attacker may be able to use this to read arbitrary files on the server or send requests to other servers (SSRF).

Impact

An attacker can send arbitrary HTTP GET requests to internal servers or read local files.

Remediation

Disable dereferencing in KeyInfo RetrievalMethod.
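
A pre-validation guard in the spirit of this remediation, as an added example that is not Invicti's or any SAML library's own code: it rejects a message whose ds:KeyInfo carries a ds:RetrievalMethod before signature validation runs. The function names and both sample messages are constructed for illustration, and it assumes the service validates signatures against an IdP key pinned from metadata.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML Signature namespace
KEY_INFO = f"{{{DS}}}KeyInfo"
RETRIEVAL_METHOD = f"{{{DS}}}RetrievalMethod"


class KeyInfoDereferenceError(ValueError):
    """The message asks the verifier to fetch key material from a URI."""


def retrieval_methods(saml_xml: bytes) -> list[tuple[str, str]]:
    """Return (URI, Type) for each ds:RetrievalMethod nested in a ds:KeyInfo."""
    hits: list[tuple[str, str]] = []

    def walk(elem, in_key_info):
        in_key_info = in_key_info or elem.tag == KEY_INFO
        if in_key_info and elem.tag == RETRIEVAL_METHOD:
            hits.append((elem.get("URI", ""), elem.get("Type", "")))
        for child in elem:
            walk(child, in_key_info)

    # Assumption: a production service parses with a hardened XML parser.
    walk(ET.fromstring(saml_xml), False)
    return hits


def reject_keyinfo_dereference(saml_xml: bytes) -> None:
    """Call before signature validation; nothing is fetched or resolved here."""
    hits = retrieval_methods(saml_xml)
    if hits:
        raise KeyInfoDereferenceError(f"ds:RetrievalMethod in KeyInfo: {hits}")


# Constructed sample messages (not captured traffic).
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:Signature><ds:KeyInfo>{body}</ds:KeyInfo></ds:Signature>"
    "</samlp:Response>"
)
SAMPLE_REFERENCED = _TEMPLATE.format(
    body='<ds:RetrievalMethod URI="http://key-host.example.invalid/k" '
    'Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>'
).encode()
SAMPLE_INLINE = _TEMPLATE.format(
    body="<ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>"
).encode()
```

The guard also catches a RetrievalMethod nested deeper inside KeyInfo, because the walk keeps the in-KeyInfo state for all descendants.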
