XSLT Attack

From Single Sign-On Attacks
Revision as of 17:32, 8 December 2015 by Anna (talk | contribs) (Created page with "=Attack description= ''Extensible Stylesheet Language Tranformation (XSLT)'' is a language for transforming XML documents into other documents, for example, XML, HTML, JSON or...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Attack description

Extensible Stylesheet Language Tranformation (XSLT) is a language for transforming XML documents into other documents, for example, XML, HTML, JSON or even PDF. The XML Signature standard allows the usage of XSLT by definition, and thus, XSLT can be used in SAML. XSLT is a Turing complete language. By this means, it is possible to use XSLT, for example, to read/write files on the local filesystem and send them over the Internet. Furthermore, the XSLT transformation will be executed before the digital signature is verified Thus, an attacker can send a SAML token including a digital signature containing the XSLT Attack (XSLTA) vector, but it is not required that the signature is valid.


Attack subtypes

There are no attack subtypes for this attack.


Prerequisites for attack

In order to start XSLT, the attacker has to create a valid XML message containing a DTD. Note that the message has to be a SAML token. However, this token does not have to be signed with a valid key nor the signature needs to be valid.

Graphical representation of attack

File:XSLT.jpg