Hi Neil,

That's exactly right. Just to elaborate a little, suppose the SAML assertion included:

<NameID>test@componentspace.com</NameID>

An attacker could manipulate this by adding an XML comment. For example:

<NameID>test@component<!-- this is a comment -->space.com</NameID>

The addition of the comment doesn't affect the signature verification as the canonicalization removes the comment. So, now the XML consists of an element with three child nodes – text, comment and text.

Some libraries simply take the first text node (i.e. test@component).

We concatenate all the text nodes (test@componentspace.com) by calling the XmlNode.InnerText property.

Regards,
ComponentSpace Development
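
The difference described in the reply above, as an added example that is not part of the original post and is not ComponentSpace's code: it parses the commented NameID with System.Xml and compares a first-text-node read against XmlNode.InnerText. The class and method names are hypothetical, the sample XML is constructed from the post's example, and the comment check is an added defensive suggestion.

```csharp
using System;
using System.Linq;
using System.Xml;

static class NameIdCommentDemo
{
    // Constructed sample: the NameID from the post with the comment inserted.
    const string Sample =
        "<NameID>test@component<!-- this is a comment -->space.com</NameID>";

    // Fragile read: returns only the first child text node, so the value
    // is cut off at the comment.
    static string FirstTextNode(XmlElement element) =>
        element.ChildNodes.OfType<XmlText>().FirstOrDefault()?.Value ?? "";

    // Read described in the post: InnerText concatenates every text node
    // under the element and skips comment nodes.
    static string AllTextNodes(XmlElement element) => element.InnerText;

    // Added suggestion (assumption, not from the post): flag identifier
    // elements that carry comment children so they can be logged or rejected.
    static bool HasCommentChild(XmlElement element) =>
        element.ChildNodes.OfType<XmlComment>().Any();

    static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Sample);
        XmlElement nameId = doc.DocumentElement;

        // The element has three children: text, comment, text.
        foreach (XmlNode child in nameId.ChildNodes)
            Console.WriteLine($"{child.NodeType}: '{child.Value}'");

        Console.WriteLine($"First text node : {FirstTextNode(nameId)}");
        Console.WriteLine($"InnerText       : {AllTextNodes(nameId)}");
        Console.WriteLine($"Comment present : {HasCommentChild(nameId)}");
    }
}
```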