Setvalidating true

There are good reasons not to curl the DTD every time, for instance, to save time.

SAML is based on the eXtensible Markup Language (XML) and enables the secure exchange of XML-based authentication messages.

In conjunction with Single Sign-On (SSO) systems, SAML especially offers a standardized format for authentication tokens.

The basic idea looks as follows: The code above does not work directly.

This is because external entities must not be included in other external entities.

This post will describe some findings, problems and insights regarding XML External Entity Attacks (XXEA) that we gathered during a large-scale security analysis of several SAML interfaces.

XXEA has been a popular attack class in the last months, see for example. This post will explain the basics of XXEA and how to adapt them to SAML, including some special problems you have to cope with.

This means that, in contrast to the first XXEA example given, we are only able to read the content of a system resource using XXE, but we cannot simply send this content somewhere else so that it becomes accessible to the attacker. The only thing that is sent back to the user (attacker) is whether the login was successful or not.

During our study, only a few applications responded with a specific error message, and in no case did this message reflect any content from the SAML assertion.

XML offers the possibility to describe the document’s structure by using a Document Type Definition (DTD).

This is well known from classical HTML documents: It now depends on the document parser whether this URL is resolved or not.

In our case, the only global information needed is the current indentation and the fact that the current line is to be ended.