Skip to content

feat(scan): --saml-tamper SAML assertion sig-strip and NameID-swap bypass mutator#34

Merged
bugsyhewitt merged 1 commit into
mainfrom
worker-r37-W2-possession
Jun 5, 2026
Merged

feat(scan): --saml-tamper SAML assertion sig-strip and NameID-swap bypass mutator#34
bugsyhewitt merged 1 commit into
mainfrom
worker-r37-W2-possession

Conversation

@bugsyhewitt

Copy link
Copy Markdown
Owner

Summary

  • Add SAMLTamper mutator (--saml-tamper) targeting SAML SSO assertion-layer authentication bypasses (ASVS V3.5.3 / OWASP SAML Security Cheat Sheet)
  • Signature-strip variant: remove <ds:Signature> to detect SP signature-validation misconfiguration (POSSESSION-SAML-SIG-STRIP, critical)
  • NameID-swap variant: replace <saml:NameID> with a privileged target while preserving original signature (POSSESSION-SAML-NAMEID-SWAP, critical)
  • Both variants keep the caller's own session credentials unchanged; off by default (--saml-tamper)

Test plan

  • 16 new tests in internal/mutate/saml_tamper_test.go — all pass
  • Full test suite — all packages pass
  • Updated buildregistry_forbidden_test.go for new signature
  • Detection class wired in internal/detect/tuning.go
  • CHANGELOG and POST_V01 updated

…p bypass

Add SAMLTamper mutator targeting SAML SSO assertion-layer auth bypasses
(ASVS V3.5.3 / OWASP SAML Cheat Sheet): signature-strip removes
<ds:Signature> to test SP signature-skip misconfiguration; nameid-swap
replaces <saml:NameID> with a privileged target while preserving the
original signature to test NameID-after-validation bypass. Both variants
emit authn-bypass/critical findings. 16 tests; all existing tests pass.
@bugsyhewitt bugsyhewitt merged commit e698456 into main Jun 5, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant