CoreIdentity SAML Forgery
CoreIdentity SSO is widely deployed across the financial sector for federated access. OdiVex researchers discovered that its SAML parsing engine does not bind the cryptographic signature to the Assertion node that is actually consumed.
Signature Wrapping (XSW) Vector
The identity provider (IdP) verifies the signature of the SAML response based on an ID reference. However, the backend application logic processes the first Assertion element it finds in the DOM tree, regardless of whether it was the one verified by the cryptographic engine.
An attacker with a standard low-privileged user account can intercept their own valid SAML response and manipulate the XML tree:
- Clone the valid, signed assertion and move it to a lower node (keeping the signature intact).
- Inject a forged Assertion at the top of the tree, changing the NameID to admin@target.com.
The cryptographic parser validates the lower node and returns True, but the business logic engine grants access based on the forged upper node.
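As an added example (not code from the advisory, OdiVex or CoreIdentity), the Python below places the vulnerable first-Assertion lookup beside a hardened check that consumes only the Assertion whose ID the signature's Reference points at. The SAML response is a constructed test vector with a placeholder SignatureValue, so cryptographic verification is assumed to follow the structural check and is omitted here.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _response(*assertions):
    """Build a constructed samlp:Response test vector from assertion fragments."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' + "".join(assertions) + "</samlp:Response>")

# Constructed fragments: a signed Assertion (Reference URI="#_a1", placeholder signature)
# and an unsigned Assertion carrying a different NameID.
SIGNED = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@target.com</saml:NameID></saml:Subject>'
          '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
          '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature></saml:Assertion>')
FORGED = '<saml:Assertion ID="_f1"><saml:Subject><saml:NameID>admin@target.com</saml:NameID></saml:Subject></saml:Assertion>'

CLEAN = _response(SIGNED)            # legitimate response: exactly one signed Assertion
WRAPPED = _response(FORGED, SIGNED)  # XSW shape from the advisory: unsigned node first, signed node lower

def vulnerable_nameid(xml_text):
    """Vulnerable pattern: trust whichever Assertion comes first in document order,
    ignoring which element the signature's Reference actually covers."""
    root = ET.fromstring(xml_text)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text

def hardened_nameid(xml_text):
    """Hardened pattern: require exactly one Assertion and exactly one signature
    Reference, and consume the Assertion only if its ID is the one referenced.
    Cryptographic verification of SignatureValue is assumed to follow (omitted)."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected 1 Assertion, found {len(assertions)}")
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise ValueError(f"expected 1 signature Reference, found {len(refs)}")
    assertion = assertions[0]
    if refs[0].get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("signature Reference does not cover the consumed Assertion")
    return assertion.find("saml:Subject/saml:NameID", NS).text

def is_wrapped(xml_text):
    """Detection helper: True when the hardened check rejects the document."""
    try:
        hardened_nameid(xml_text)
        return False
    except ValueError:
        return True
```

The same structural check can be run over archived SAML responses to find earlier wrapped documents that the first-Assertion logic would have accepted.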
Impact
This allows total horizontal and vertical privilege escalation across all applications federated through the vulnerable CoreIdentity instance.