Description: The XML parser allows external entities to be included in the XML.
Impact: SSRF, File read, DoS
Attack: XML Signature Wrapping
Description: Assertions can be added to a signed XML document. This can create a logic flaw that allows the original assertion to be properly validated, but the unsigned assertion is processed.
Impact: This allows an attacker to create assertions without knowledge of the XML signature private key.
Description: An attacker redirects a token destined for SP_a as an authentication token for SP_b.
Impact: If an IdP has multiple SPs, a token for SP_a can be used in SP_b. Impact is context-dependent. Sometimes, the malicious SP is created by the attacker.
Description: If the XML signature logic incorrectly handles signature validation, an attacker can just exclude a signature to create an XML document that passes signature validation.
Impact: An attacker can trivially spoof signed XML documents.
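An added example, not part of the original page: structural checks a service provider can run before cryptographic verification, rejecting the document shapes behind the entries above (a DTD, a second assertion, a missing signature, a signature that references a different element, and an audience meant for another SP). The function name, the sample document and the SP URLs are constructed for illustration, and verifying the signature value itself is assumed to be done afterwards by a separate XML-DSig library.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML, "ds": "http://www.w3.org/2000/09/xmldsig#"}

class SAMLStructureError(Exception):
    """Raised when the document shape alone is enough to reject it."""

def check_assertion_structure(xml_text, expected_audience):
    """Return the one Assertion a verified signature may vouch for, or raise."""
    # External entities: refuse any DTD before the parser sees the input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise SAMLStructureError("DTD or entity declaration present")
    root = ET.fromstring(xml_text)
    # Signature wrapping: a second Assertion anywhere in the tree is rejected.
    assertions = [e for e in root.iter() if e.tag == "{%s}Assertion" % SAML]
    if len(assertions) != 1:
        raise SAMLStructureError("expected exactly one Assertion")
    assertion = assertions[0]
    # Signature exclusion: no signature is a failure, not "nothing to verify".
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise SAMLStructureError("Assertion is not signed")
    # The signature must reference the same element that will be consumed.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    aid = assertion.get("ID")
    if not aid or len(refs) != 1 or refs[0].get("URI") != "#" + aid:
        raise SAMLStructureError("signature does not reference this Assertion")
    # Recipient confusion: the token must name this SP as its audience.
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [(a.text or "").strip() for a in assertion.findall(path, NS)]
    if expected_audience not in audiences:
        raise SAMLStructureError("Assertion was issued for another SP")
    return assertion

# Constructed sample response (signature value omitted; shape only).
SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion ID="a1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/>'
    '</ds:SignedInfo></ds:Signature><saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>https://sp-a.example/metadata</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion></samlp:Response>'
)

if __name__ == "__main__":
    ok = check_assertion_structure(SAMPLE, "https://sp-a.example/metadata")
    print(ok.get("ID"))
```

The returned element is the only one the application should read claims from after the signature over it verifies.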