Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

XML, SAML, and XML-DSig as a Security Minefield

  • Many commenters see XML in auth as analogous to C in memory safety: too powerful, too many footguns.
  • SAML’s core problem is tying authentication to XML Signatures and canonicalization, which are described as “insane” and “enterprise-brained.”
  • Features like comments, partial signatures, multiple signatures, and canonicalization semantics create room for parser differentials and signature confusion.
  • Some argue for a “safe subset” of XML/YAML; others say that’s pointless if attackers can still use the full feature set, unless parsers are strictly locked down.
  • XML is defended as markup (e.g., SVG, DocBook); the complaint is specifically about using it as a structured data and signature format.

Parser Differentials, REXML vs Nokogiri, and Library Choices

  • The core vulnerability class is parser mismatch: different XML parsers (e.g., REXML vs Nokogiri) interpret the same signed document differently, so the part that is signature-verified and the part that is acted on can disagree, enabling auth bypass.
  • Some are annoyed the blog post doesn’t fully spell out the exact differential; others respond that withholding details avoids dropping a broad zero-day before fixes.
  • REXML is criticized as fundamentally flawed (regex-driven, accepts invalid XML); Nokogiri is preferred for correctness.
  • Concern that AI code assistants may silently swap libraries and reintroduce weaker parsers without reviewers noticing.

Real-World Impact and Patching

  • An exploitable instance was found in GitLab, which has already shipped a fix.
  • GitHub is discussed both for this research (ruby-saml evaluation) and for unrelated SAML/OAuth design issues around org membership exposure.

SSO, SAML vs OIDC/OAuth, and Overall Risk

  • Strong consensus: avoid new SAML deployments; it’s “insecure by design” mainly due to XML-DSig.
  • OAuth2/OpenID Connect and older Kerberos are cited as strictly better (though not perfect).
  • Some argue SSO is still essential for centralized control, 2FA, onboarding/offboarding, and avoiding password reuse; others think SSO’s blast radius makes multiple separate accounts safer.
  • Even JSON can have parser-differential pitfalls (e.g., duplicate keys), so secure parsing rules (e.g., error on duplicates) are emphasized.
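As an added illustration of that last point (example code, not from the discussion or from ruby-saml), the Python script below parses one constructed JSON object with a repeated "sub" key three ways: a "last key wins" reading (CPython's default), a "first key wins" reading, and a fail-closed reading that rejects duplicates outright. The disagreement between the first two is exactly the kind of differential that lets two components see different identities in the same document; the strict parser is the mitigation.

```python
import json

# Constructed sample input: a token-like object in which "sub" appears twice.
DUPLICATE_SUB = '{"sub": "alice", "role": "user", "sub": "admin"}'
CLEAN = '{"sub": "alice", "role": "user"}'


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives every object (including nested ones) as an
    # ordered list of (key, value) pairs, so duplicates anywhere are caught.
    seen = set()
    out = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key: {key!r}")
        seen.add(key)
        out[key] = value
    return out


def parse_strict(text):
    """Fail closed: any repeated key is an error, not a silent choice."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def parse_last_wins(text):
    """Lenient reading: later occurrences overwrite earlier ones."""
    return json.loads(text)


def parse_first_wins(text):
    """Lenient reading: the first occurrence is kept (a different parser policy)."""
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def disagreeing_keys(text):
    """Top-level keys on which the two lenient readings disagree."""
    first, last = parse_first_wins(text), parse_last_wins(text)
    return {k for k in first if first[k] != last[k]}


def is_rejected_by_strict(text):
    try:
        parse_strict(text)
    except DuplicateKeyError:
        return True
    return False
```

Applying the same hook to nested objects costs nothing extra, since `object_pairs_hook` is invoked for every object in the document.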

Developer Practices, Accounts, and UX Frictions

  • Frustration with educating developers who trust client-side validation; demonstrations via live exploits are seen as the most convincing teaching tool.
  • Long subthread on not mixing personal and work GitHub accounts, employer control over identities, and the risks of tying work to personal devices and profiles.