AUTH-SAML-XSWCredential Access

SAML Signature Wrapping (XSW)

Re-arrange the signed SAML response so the IdP-signed assertion stays intact while the SP parses an attacker-injected one — sign in as anyone.

§ Where this technique fits

AUTH-SAML-XSW is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

SAML signature wrapping (XSW) → impersonate admin
Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
step 2 / 5

§ What commonly comes next

01
Use Alternate Authentication Material
T1550 · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SAML signature wrapping (XSW) → impersonate admin

§ What commonly comes next