XSLT Attack
Attack description
Extensible Stylesheet Language Tranformation (XSLT) is a language for transforming XML documents into other documents, for example, XML, HTML, JSON or even PDF. The XML Signature standard allows the usage of XSLT by definition, and thus, XSLT can be used in SAML. XSLT is a Turing complete language. By this means, it is possible to use XSLT, for example, to read/write files on the local filesystem and send them over the Internet. Furthermore, the XSLT transformation will be executed before the digital signature is verified Thus, an attacker can send a SAML token including a digital signature containing the XSLT Attack (XSLTA) vector, but it is not required that the signature is valid.
Attack subtypes
There are no attack subtypes for this attack.
Prerequisites for attack
In order to start XSLT, the attacker has to create a valid XML message containing a DTD. Note that the message has to be a SAML token. However, this token does not have to be signed with a valid key nor the signature needs to be valid.