CISSP · Question #1141
A cloud service accepts Security Assertion Markup Language (SAML) assertions from users to on and security However, an attacker was able to spoof a registered account on the network and query the SAML
The correct answer is A. Attacker forges requests to authenticate as a different user.. This question tests knowledge of SAML assertion spoofing attacks, where an attacker exploits weaknesses in SAML token validation to impersonate legitimate users.
Question
A cloud service accepts Security Assertion Markup Language (SAML) assertions from users to on and security However, an attacker was able to spoof a registered account on the network and query the SAML provider. What is the MOST common attack leverage against this flaw?
Options
- AAttacker forges requests to authenticate as a different user.
- BAttacker leverages SAML assertion to register an account on the security domain.
- CAttacker conducts denial-of-service (DoS) against the security domain by authenticating as the
- DAttacker exchanges authentication and authorization data between security domains.
How the community answered
(20 responses)- A65% (13)
- B10% (2)
- C20% (4)
- D5% (1)
Why each option
This question tests knowledge of SAML assertion spoofing attacks, where an attacker exploits weaknesses in SAML token validation to impersonate legitimate users.
When an attacker can spoof a registered account and query a SAML provider, the most common exploitation is forging or manipulating SAML assertions to authenticate as a different (often privileged) user. This is known as SAML assertion forgery or XML signature wrapping, where the attacker crafts or modifies a SAML response to claim a different identity, bypassing proper authentication controls.
SAML assertions are used for authentication and authorization of existing identities, not for registering new accounts; account provisioning is a separate process not directly exposed through SAML assertion queries.
Using a spoofed SAML assertion to conduct a DoS attack is not a common or practical exploitation of this flaw, as the primary value of SAML spoofing is unauthorized access, not service disruption.
Exchanging authentication and authorization data between security domains describes the legitimate, intended function of SAML federation, not an attack leveraging a spoofed account or forged assertion.
Concept tested: SAML assertion spoofing and identity impersonation attacks
Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_SAML
Topics
Community Discussion
No community discussion yet for this question.