SAML signature wrapping (XSW) → impersonate admin

§ Context

Assumed environment: target SP uses a SAML library susceptible to XSW (Java OpenSAML pre-3.4, python-saml older versions). Attacker has any low-priv SAML response to manipulate.

§ Steps

1. 01
   Exfil sensitive dataExfiltration

   T1041— Exfiltration Over C2 Channel
2. 02
   Capture own SAML responseInitial Access

   T1078— Valid Accounts
3. 03
   POST modified response to SPLateral Movement

   T1550— Use Alternate Authentication Material
4. 04
   SP parses attacker assertion → admin sessionPrivilege Escalation

   W-BFLA— Broken Function Level Authorization (API BFLA)
5. 05
   Insert attacker assertion + restructure XMLCredential Access

   AUTH-SAML-XSW— SAML Signature Wrapping (XSW)

§ References

• T1041Exfiltration Over C2 Channel
• T1078Valid Accounts
• T1550Use Alternate Authentication Material

§ Frequently asked

What is the "SAML signature wrapping (XSW) → impersonate admin" attack path?

Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin. It chains 5 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil sensitive data (T1041) — a exfiltration primitive. Assumed environment: target SP uses a SAML library susceptible to XSW (Java OpenSAML pre-3.

What is the final impact of this kill-chain?

The final step lands on Insert attacker assertion + restructure XML (AUTH-SAML-XSW), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  Apple Pay Express Transit relay → high-value contactless fraud

  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.

• Shared techniques2

  Vesting beneficiary replace → silently drain stream

  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.

• Shared techniques2

  Insider admin panel coercion → mass account takeover (Twitter 2020)

  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.

• Shared techniques2

  ERC-4626 first-depositor inflation → drain new deposits

  Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.

• Shared techniques2

  MEV bot honeypot → drain searcher

  Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.