On the 13th September, Principal Security Consultant James Forshaw presented on “The Forger's Art: Exploiting XML Digital Signature Implementations” at the 44CON Security Conference in London.
Many security critical systems rely on the correct implementation of the XML Digital Signature standard for the purposes of verification and identity management. Technologies such as SAML and Web Service Security use the standard, and its sibling XML Encryption, to manage the security of these technologies. Being a standard, there is surprisingly no canonical implementation for any platform or language, and with so many different developments there are differences in how the standard is interpreted.
The presentation delved into research conducted into the main open and closed source implementations of XML Digital Signatures, how they can be exploited to gain remote code execution, signature verification bypass or denial of service. It will show some nasty vulnerabilities found during the research, including a novel attack against the built-in Java and .NET libraries which allow for trivial signature spoofing, exposing any user of those implementations into accepting an invalid signature.
To view a copy of James' presentation please click here.