James Forshaw (Head of Vulnerability Research, Context Information Security)
PRESENTATION TITLE: The Forger’s Art: Exploiting XML Digital Signature Implementations
Many security-critical systems rely on correct implementations of the XML Digital Signature standard for verification and identity management. Technologies such as SAML and Web Service Security build on the standard, and on its sibling XML Encryption, to secure their messages.
As a standard, it has, unsurprisingly, no canonical implementation for any platform or language. With so many independent implementations, there are bound to be differences in how the standard is interpreted, leading to flaws specific to each implementation.
This presentation covers research done against the main open and closed source implementations of XML Digital Signatures, and how they can be exploited to gain remote code execution, bypass signature verification or cause denial of service. It will show some of the nastier vulnerabilities found during the research, including a couple of novel attacks which allow trivial signature spoofing, exposing any user of those implementations to accepting an invalid signature unless they go out of their way to prevent it.
This presentation will cover several examples of unconventional chained exploits used in real-world penetration tests; provide a detailed technical walkthrough of the exploits used along with some tricks to gain unauthorized access and bypass security controls on critical network components. In closing, this presentation will look beyond adaptive penetration testing by providing a glimpse into some of the future directions in the use of unconventional chained exploits that are currently being explored by independent researchers around the globe.
ABOUT JAMES FORSHAW
James is the Head of Vulnerability Research at Context Information Security in the UK. He has been involved with computer hardware and software security for over 10 years, with a skill set that covers the bread and butter of the security industry, such as application testing, through to more bespoke product assessment, vulnerability analysis and exploitation. He has numerous public vulnerability disclosures in many different products, including web browser issues and virtual machine breakouts, and was a winner of the Java Pwn2Own competition in 2013.
He has spoken at a number of security conferences in the past on a range of topics, including managed language security at Blackhat USA, CanSecWest and Bluehat, Sony Playstation Portable hacking at Chaos Computer Congress, WebGL exploitation at Ruxcon and Citrix network exploitation at Blackhat Europe. He is also the developer of the free CANAPE network protocol analysis and exploitation tool.