Shib IDP v3 integration with Cylance
cantor.2 at osu.edu
Tue Mar 20 09:17:26 EDT 2018
> Are there tools or test scripts for the various known XML parsing
It doesn't lend itself to that; you have to know what you're trying to do with the payload to impersonate the victim.
> Scott, how do you test an SP to see if it is vulnerable?
Duo provided clear examples of inserting comments into the XML, there's nothing else to it.
> If you give the vendor a "repeat-by" procedure then they may be more responsive.
I have, many times. And I shouldn't have to, Duo did that for me. The attack was so widespread and so easy to do that they really had no choice but to document the specifics.
> I recently saw the report of the simplesamlphp XML vulnerabilities which are
> completely different than the xmltooling library issues.
That isn't the problem we're going to be dealing with, that's a simple matter of patching a known implementation. The problem is all the unknown and half-constructed ones.