[Meta] Expand Okta Rule Coverage - SAMLjacking
terrancedejesus opened this issue · comments
Parent Epic (If Applicable)
Meta Summary
This meta will be used to track expanded Okta detection rule coverage specifically for SAML-related events. SAML is an authentication standard/protocol commonly used in SaaS platforms. SAML is web-based and implemented on both the service provider (SP) and identity provider (IdP) for authentication. SAML data visibility is reliant on URI patterns, HTTP(S) request and response bodies and more; however, Okta system logs include most of this information. This research is likely to carry over to other SaaS integrations (Google Workspace, GitHub, Slack) where similar detections can be created.
Plan:
- Set up Okta lab and 3rd-party applications.
- Establish SAML for authentication between IdP and SP.
- Use the Okta integration for IdP log collection
- Use Network Packet Capture (NPC) for network traffic log collection (This is only necessary if we need visibility into the web browser for redirections)
- Emulate malicious behavior, capture telemetry and write detection logic
Estimated Time to Complete
4 weeks
Potential Blockers
- Full SAML request/response visibility relies heavily on insight into the end-user browser, IdP and SP. Okta, being the IdP may only provide partial insight into these request/response communications.
- Depending on logic requirements, ES|QL may be important for comparative analysis of the SAML requests and responses. At the time of this issue, ES|QL is in technical preview.
Tasklist
Resources / References
- https://github.com/pushsecurity/saas-attacks?tab=readme-ov-file
- https://medium.com/stolabs/how-saml-works-and-some-attacks-on-it-2f62db0ef1d9
- https://developer.okta.com/docs/concepts/saml/#implementing-a-backdoor
- https://redsiege.com/tools-techniques/2021/11/attacking-saml-implementations/
- https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html
- https://book.hacktricks.xyz/pentesting-web/saml-attacks
Update 01-16-2023
This meta will be started today, starting with setting up SAML authentication with 1-2 third-party integrations in Okta and ensuring monitoring is still established. The following is tasked for this week. There may need to be separate metas to tackle the other SAML abuse techniques originally listed. Therefore, I have renamed this to SAMLjacking and put the others as a stretch.
- Set up SAML authentication in Okta lab
- Ensure monitoring still exists for Okta
- Establish 1-2 third-party integrations in Okta with SAML access only
- Follow authentication workflow with MFA and review telemetry to understand visibility
- Review SAMLjacking techniques and how to execute in our environment
- Attempt to emulate SAMLjacking and capture telemetry
- Review potential rules and begin rule development.
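The "comparative analysis of the SAML requests and responses" named under Potential Blockers is, at its core, pairing an `AuthnRequest` with the `Response` that answers it and checking that the fields agree. The script below is an added illustration of that pairing logic and is not code from this issue or from the detection-rules repository. Every entity ID, URL, request ID and NameID in it is constructed sample data for a lab, the redirect binding's DEFLATE step is omitted, and no Okta system-log field names are assumed; it only parses the SAML XML itself.

```python
"""Pair a SAML AuthnRequest with its Response and report the mismatches a
detection rule would care about: InResponseTo vs. the request ID, Destination
vs. the SP's ACS URL, and Issuer vs. the IdP the SP is supposed to trust.
All XML here is constructed sample data, not captured traffic."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical lab identifiers; none of these belong to a real tenant.
SP_ENTITY_ID = "https://sp.example.test"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test"


def build_authn_request(request_id: str) -> str:
    """Constructed AuthnRequest (SP -> IdP), base64-encoded like the SAMLRequest
    parameter. Real redirect bindings also DEFLATE it; skipped for clarity."""
    xml = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        ID="{request_id}" Version="2.0" IssueInstant="2024-01-16T10:00:00Z"
        AssertionConsumerServiceURL="{SP_ACS_URL}">
      <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
    </samlp:AuthnRequest>"""
    return base64.b64encode(xml.encode()).decode()


def build_response(in_response_to: str, destination: str, issuer: str, name_id: str) -> str:
    """Constructed Response (IdP -> SP), base64-encoded like SAMLResponse.
    Signatures are omitted; this example is about field correlation only."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        ID="_resp-{in_response_to}" Version="2.0" IssueInstant="2024-01-16T10:00:05Z"
        InResponseTo="{in_response_to}" Destination="{destination}">
      <saml:Issuer>{issuer}</saml:Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <saml:Assertion ID="_a-{in_response_to}" Version="2.0" IssueInstant="2024-01-16T10:00:05Z">
        <saml:Issuer>{issuer}</saml:Issuer>
        <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def parse_request(b64: str) -> dict:
    """Pull the fields from an AuthnRequest that the Response must echo."""
    root = ET.fromstring(base64.b64decode(b64))
    return {
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
    }


def parse_response(b64: str) -> dict:
    """Pull the fields from a Response that a rule compares against the request."""
    root = ET.fromstring(base64.b64decode(b64))
    return {
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
    }


def compare(req: dict, resp: dict, expected_idp: str) -> list:
    """Return the mismatches worth alerting on; an empty list means the pair is consistent."""
    findings = []
    if resp["in_response_to"] != req["id"]:
        findings.append("InResponseTo does not match the AuthnRequest ID")
    if resp["destination"] != req["acs_url"]:
        findings.append("Destination differs from the ACS URL the SP requested")
    if resp["issuer"] != expected_idp:
        findings.append("Issuer is not the expected IdP entity ID")
    return findings


def demo() -> dict:
    """Consistent pair vs. the same request answered by an IdP the SP should not trust."""
    req = parse_request(build_authn_request("_req-001"))
    good = parse_response(build_response("_req-001", SP_ACS_URL, IDP_ENTITY_ID, "alice@example.test"))
    other_idp = parse_response(build_response(
        "_req-001", SP_ACS_URL, "https://unexpected-idp.example.test", "alice@example.test"))
    return {"good": compare(req, good, IDP_ENTITY_ID),
            "other_idp": compare(req, other_idp, IDP_ENTITY_ID)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "consistent")
```

The point of keeping request and response parsing separate is that in the lab they arrive from different sources: the request side comes from browser or NPC telemetry, the response side from the IdP, which is exactly the partial-visibility problem the blockers describe. A rule built this way degrades gracefully: with only the IdP's view, the Issuer and Destination checks still run; the InResponseTo check needs the SP or browser side as well.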
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.