SAML Authentication Bypass via XML Comments
Description
The SAML parser is configured to keep XML comments in the parsed DOM. An adversary who can place a comment inside a text value (for example a NameID) can split that value into several DOM text nodes; code that reads only the first text node then sees a different string from the one the signature was computed over (comments are dropped during canonicalization, so the signature still verifies). This can change how identity and attribute fields are interpreted and potentially bypass authentication or authorization checks.
Examples
Insecure Code
```java
org.opensaml.xml.parse.BasicParserPool pool = new BasicParserPool();
pool.setIgnoreComments(false); // comments are retained in the parsed DOM
```
Secure Code
```java
org.opensaml.xml.parse.BasicParserPool pool = new BasicParserPool();
// do not call setIgnoreComments(false); the default (true) drops comments
```
Remediation
When using `org.opensaml.xml.parse.BasicParserPool`, ensure `setIgnoreComments(false)` is not called, as the default value of `ignoreComments` is `true`, which is safe.
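The following is an added illustration, not code from the rule or from OpenSAML. It uses the JDK's JAXP `DocumentBuilderFactory` (whose `setIgnoringComments` plays the same role as `BasicParserPool.setIgnoreComments`) to parse a constructed assertion fragment both ways and show why reading the first text node of `NameID` is unsafe when comments are retained, and how a service provider can detect the mismatch. The assertion text, the class and method names, and the `.evil.example` suffix are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SamlCommentCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample (not a real assertion): an XML comment splits the NameID text.
    // Exclusive canonicalization removes comments, so a signature over this element
    // still verifies; the question is which string the service provider reads back.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
      + "<saml:Subject><saml:NameID>user@example.com<!---->.evil.example</saml:NameID></saml:Subject>"
      + "</saml:Assertion>";

    // Builds a parser; ignoreComments=true is the setting this rule recommends.
    static DocumentBuilder newBuilder(boolean ignoreComments) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setIgnoringComments(ignoreComments);
        // General XML hardening, not specific to this rule: no DTDs, limits on entity expansion.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    static Document parse(boolean ignoreComments, String xml) throws Exception {
        return newBuilder(ignoreComments)
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element nameId(Document doc) {
        return (Element) doc.getElementsByTagNameNS(SAML_NS, "NameID").item(0);
    }

    // The fragile pattern: only the first DOM child is read. With comments retained,
    // "user@example.com<!---->.evil.example" yields the text node "user@example.com".
    static String firstTextNode(Element e) {
        Node first = e.getFirstChild();
        return first == null ? "" : first.getNodeValue();
    }

    // The robust reading: all descendant text, regardless of interleaved comment nodes.
    static String fullText(Element e) {
        return e.getTextContent();
    }

    // Defensive check a service provider can apply: if the two readings disagree,
    // the element contains a comment (or other non-text child) and should be rejected.
    static boolean nameIdIsUnambiguous(Element e) {
        return firstTextNode(e).equals(fullText(e));
    }

    public static void main(String[] args) throws Exception {
        Element kept = nameId(parse(false, ASSERTION));   // mirrors setIgnoreComments(false)
        Element dropped = nameId(parse(true, ASSERTION)); // mirrors the safe default

        System.out.println("comments kept,    first text node: " + firstTextNode(kept));
        System.out.println("comments kept,    full text      : " + fullText(kept));
        System.out.println("comments kept,    unambiguous    : " + nameIdIsUnambiguous(kept));
        System.out.println("comments dropped, first text node: " + firstTextNode(dropped));
        System.out.println("comments dropped, unambiguous    : " + nameIdIsUnambiguous(dropped));
    }
}
```

With comments retained, `firstTextNode` returns `user@example.com` while `fullText` returns `user@example.com.evil.example`, so `nameIdIsUnambiguous` is false and the assertion should be refused. With comments dropped the comment never reaches the DOM, the adjacent text is a single node, and both readings agree. Keeping `ignoreComments` at its default removes the discrepancy at the parser; reading values with `getTextContent()` and rejecting mixed-content identity fields is a second, independent layer.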
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0730 |
| Category | Auth |
| Severity | MEDIUM |
| CWE | CWE-1390 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | authentication bypass, XML injection |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |