The Forger's Art: Exploiting XML Digital Signature Implementations presented at 44Con 2013

by James Forshaw,

Summary : Many security critical systems rely on the correct implementation of the XML Digital Signature standard for the purposes of verification and identity management. Technologies such as SAML and Web Service Security use the standard, and its sibling XML Encryption, to manage the security of these technologies. Being a standard there is, unsurprisingly, no canonical implementation for any platform or language, with so many different developments there are likely to be differences in how the standard is interpreted.
This presentation is about research done against the main open and closed source implementations of XML Digital Signatures, how they can be exploited to gain remote code execution, signature verification bypass or denial of service. It will show some of the more nasty vulnerabilities found during the research including a novel attack against the built-in Java and .NET libraries which allow for trivial signature spoofing exposing any user of those implementations into accepting an invalid signature which is independent of their usage.