Marriott Wardman Park
2660 Woodley Rd NW
Washington DC, District of Columbia 20008 USA
Phone: 1-202-328-2000 

Friday, September 13 • 10:30am - 11:15am
SSO Wars: The Token Menace

It is the year 2019. Humanity has almost won its long-standing war against Single Sign-On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world-scale attack against the Auth Federation.

In this talk, we will present two new techniques:
1) A new breed of SAML implementation flaws that break XML signature validation and enable arbitrary modification of the SAML assertion, which enables attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims. Although any implementation may be affected by this flaw, we will show how it affects Microsoft Windows Identity Framework (WIF) applications, Windows Communication Foundation (WCF) web services, and flagship products such as SharePoint and Exchange Servers.
2) A bug in the .NET crypto library, which may allow attackers to gain Remote Code Execution (RCE) or Denial of Service (DoS) depending on the availability of code gadgets in the target server.

Speakers

Alvaro Muñoz

Principal Security Researcher, Micro Focus Fortify
Alvaro Muñoz (@pwntester) works as a Principal Software Security Researcher with Micro Focus Fortify, Software Security Research (SSR) team. Before joining the research organization, he worked as an Application Security Consultant helping top enterprises to deploy their application...

Oleksandr Mirosh

Micro Focus
Oleksandr Mirosh has over 11 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for the Fortify Software Security Research team at Micro Focus, investigating and analyzing...


Friday September 13, 2019 10:30am - 11:15am EDT
Lincoln 4