Fluid Attacks Database

Description

Detects when SAML XML parser configurations allow comments in SAML responses. When comments are allowed in SAML processing, attackers could potentially inject malicious content within XML comments to bypass security controls or manipulate SAML assertions.

Weakness:

164 - Insecure service configuration

Category: Functionality Abuse

Detection Strategy

• Identifies calls to setIgnoreComments() method in Java code

• Verifies the method is called with 'false' as the argument

• Confirms the method is called on a BasicParserPool object instance

• Reports a vulnerability when all these conditions are met as this configuration allows potentially dangerous XML comments in SAML processing

Vulnerable code example

import org.opensaml.xml.parse.BasicParserPool;

public class SAMLVulnerable {
    public void configureParser() {
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setIgnoreComments(false); // Vulnerable: Allows XML comment injection attacks in SAML assertions
    }
}

✅ Secure code example

import org.opensaml.xml.parse.BasicParserPool;

public class SAMLSecure {
    public void configureParser() {
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setIgnoreComments(true); // Secure: Prevents XML comment injection attacks by ignoring comments
    }
}

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.