Shib IDP v3 integration with Cylance

Cantor, Scott cantor.2 at
Tue Mar 20 09:17:26 EDT 2018

> Are there tools or test scripts for the various known XML parsing
> vulnerabilities?

It doesn't lend itself to that, you have to know what you're trying to do with the payload to impersonate the vitcim.

>  Scott, how do you test an SP to see if it is vulnerable?

Duo provided clear examples of inserting comments into the XML, there's nothing else to it.

>  If you give the vendor a "repeat-by" procedure then they may be more responsive.

I have, many times. And I shouldn't have to, Duo did that for me. The attack was so widespread and so easy to do that they really had no choice but to document the specifics.

> I recently saw the report of the simplesamlphp XML vulnerabilities which are
> completely different than the xmltooling library issues.

That isn't the problem we're going to be dealing with, that's a simple matter of patching a known implementation. The problem is all the unknown and half-constructed ones.

-- Scott

More information about the users mailing list