SAML Parser Inconsistencies Enable Authentication Bypass in Ruby and PHP Ecosystems
PortSwigger Research discovered multiple parser-level inconsistencies in SAML implementations for Ruby and PHP that enable full authentication bypass. These exploits leverage attribute pollution and namespace confusion to forge valid authentication tokens.
Affected
Executive Summary
This research unveils a class of vulnerabilities stemming from inconsistent XML parsing behavior across SAML implementations. By exploiting differences in how various parsers handle XML attributes and namespaces, attackers can bypass SAML authentication entirely—a critical failure in identity infrastructure that likely affects thousands of enterprise deployments.
Technical Analysis
The core issue derives from parser-level ambiguities when handling XML structures fundamental to SAML authentication frameworks. SAML tokens are XML-based assertions signed by identity providers; their security depends on cryptographic validation and strict parsing semantics. The vulnerabilities identified exploit two primary vectors: (1) attribute pollution, where duplicate or conflicting XML attributes are processed inconsistently across parsers, allowing attackers to inject malicious claims while maintaining signature validity; (2) namespace confusion, where namespace declarations and bindings are resolved differently, potentially causing the signature validation logic to validate one set of assertions while the application logic processes another.
Impact Assessment
Ruby and PHP SAML implementations power authentication in countless web applications, from enterprise SaaS platforms to internal identity systems. A full authentication bypass is a critical-severity vulnerability—attackers can forge valid SAML responses claiming any user identity without knowledge of signing keys. Organizations using vulnerable SAML libraries face immediate account takeover risk across all dependent applications. The fact that this affects multiple platforms suggests the root causes are fundamental XML parsing quirks rather than isolated implementation bugs, likely affecting other language ecosystems as well.
Attacker Perspective
An attacker doesn't need to compromise the identity provider; they can craft malicious SAML responses locally, exploit these parsing inconsistencies, and authenticate as any user. This is particularly dangerous in federated authentication scenarios where organizations trust external SAML providers. The barrier to exploitation is low once the parser inconsistencies are understood.
Defensive Recommendations
Immediate actions: (1) Audit SAML libraries in use and check PortSwigger's specific bypass techniques against your versions; (2) Implement strict XML schema validation and reject ambiguous namespace declarations; (3) Enforce strict attribute uniqueness; (4) Update SAML libraries to patched versions immediately. Long-term: Migrate toward modern alternatives like OAuth 2.0/OIDC where parser confusion is less likely, and conduct security audits of XML parsing logic across the application stack. This research demonstrates that mature, standardized protocols like SAML can harbor subtle implementation traps—defense-in-depth and parser hardening are essential.
Sources